Piracy/Cracking Costing Data/Traffic/CCU

AnthonyM86
2022-07-04 18:36:30

Hello

I was wondering about methods to prevent pirates from connecting to Photon PUN. Unfortunately, a Russian crack site cracked an old version of the game which bypasses the Pun steam authentications we had in place. I was wondering about solutions against this, as recently our CCU and traffic have skyrocketed due to the pirates.

The old version they have cracked already had Steam authentication, and obviously I cannot make changes to the cracked version on the piracy site to prevent them connecting, so I was wondering: are there any settings I can change in the Photon PUN dashboard that could help me, i.e. changing the app ID so they can no longer connect, or rejecting them if the app version is old, or something?

If there isn't anything, I think it would be a cool feature (if it doesn't exist already) to be able to set the current "app version" number on the PUN dashboard here and, if it does not match the "app version" number in the PUN server settings in the game build, reject the connection. This would prevent cases like this where pirates who have cracked an old version can forever connect, and it is hard to deal with it as you cannot modify their version.

Comments

Meep
2022-07-04 21:42:35

Contact support for immediate help [email protected]. Nothing you do from your end will guarantee that the pirates can't still connect to your application simply because of how Photon tokens work and how they are regenerated.

To prevent this in the future:

First of all, make sure "Reject all clients if not available" is enabled on your Steam provider. Next make sure "Allow anonymous clients to connect" is disabled. Next make sure you are absolutely only using Steam authentication. Finally, make sure your other Photon ecosystem products have authentication too; Video, chat, etc.

Next you have to secure it properly. Steam authentication isn't enough and most developers usually use Playfab in conjunction with Steam authentication. Playfab does a better job of this and can help you with banning and logging players. That is actually another thing which you should be aware of. Webhooks can give you a lot of insight into who is joining which rooms and who is sending what events. You could pinpoint exactly which Steam ID might be doing these things and ban them. Playfab also has systems for this which 'piggyback' off the Photon webhook system. If you want to go with your own custom provider then that's good too, but Playfab already has it built.

Photon plugins make things a lot better and are by far the best way to stop pirates but they either require a big wallet or knowledge on how to self-host a Photon server.

Best of luck x
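Meep's point about webhooks, as an added example that is not part of the original post and not Photon's own code: a Python triage over logged webhook bodies that groups room joins and creates coming from outdated builds by UserId, as candidates for review or banning. The field names, version strings and sample events are assumptions constructed for illustration; check them against what your own webhook endpoint actually receives.

```python
import json
from collections import defaultdict

# Assumption: version string of the current legitimate build.
CURRENT_APP_VERSION = "1.4.0"

# Constructed sample of logged webhook bodies, one JSON object per line.
# Field names (Type, AppVersion, UserId, GameId) are an assumed payload shape.
SAMPLE_EVENTS = """\
{"Type": "Join", "AppVersion": "1.4.0", "UserId": "user-a", "GameId": "room-1"}
{"Type": "Join", "AppVersion": "1.1.0", "UserId": "user-b", "GameId": "room-2"}
{"Type": "Create", "AppVersion": "1.1.0", "UserId": "user-b", "GameId": "room-3"}
{"Type": "Join", "AppVersion": "1.1.0", "UserId": "", "GameId": "room-3"}
not-json
{"Type": "Join", "AppVersion": "1.1.0", "UserId": "user-c", "GameId": "room-3"}
"""


def triage(lines, current_version=CURRENT_APP_VERSION):
    """Return (stale, unattributed, malformed) for outdated-build room events."""
    stale = defaultdict(set)   # UserId -> rooms touched from an outdated build
    unattributed = 0           # outdated-build events that carry no UserId
    malformed = 0              # lines that are not a JSON object
    for line in lines:
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            malformed += 1
            continue
        if event.get("Type") not in ("Join", "Create"):
            continue
        if event.get("AppVersion") == current_version:
            continue
        if not event.get("UserId"):
            unattributed += 1
        else:
            stale[event["UserId"]].add(event.get("GameId"))
    return dict(stale), unattributed, malformed


if __name__ == "__main__":
    stale, unattributed, malformed = triage(SAMPLE_EVENTS.splitlines())
    for user_id, rooms in sorted(stale.items()):
        print(f"review {user_id}: outdated build seen in {sorted(rooms)}")
    print(f"unattributed={unattributed} malformed={malformed}")
```
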

AnthonyM86
2022-07-07 13:19:01

Hello,

Thank you for taking the time to help me and leave a response!

I am going to email Photon support now as, as you said, there is nothing I can do to stop those pirates using the old version and still connecting. I will take extra steps to secure further; however, unfortunately, I'm sure as you know, nowadays pirates are much more sophisticated, and with big AAA getting cracked themselves, we smaller indies don't stand much chance.

After someone told me about the uploaded crack of our game, I found out it looks like they're using some .dlls and other files to mimic the Steam overlay and make the game run as if it is being run through Steam and thus bypass the Steam authentication.

I think I'll just have to "roll with the punches" and take it as it is because there's little I can do unfortunately. I guess in a warped, twisted "glass half full" way I just have to look at it as a compliment that some hacker thought the game was worth even bothering to crack, ha ha.

Anyway, thanks for the help, I'll contact Photon and see if they can do anything to assist me further!

Cheers!

Kaiserludi
2022-07-07 17:44:41

Hi @AnthonyM86.

"which bypasses the Pun steam authentications we had in place"

The simplest approach to prevent this is to uncheck the checkbox in your app's dashboard that says "Allow anonymous clients to connect, independently of configured providers" - anonymous here basically means "un-authenticated". Be aware that that will result in any clients that don't use any of the auth providers that you have set up for your appid getting rejected, so not just clients that are actively bypassing your Steam auth provider, but also non-cracked older client versions from a time before you implemented Steam auth in your app, if there are such, as well as clients for platforms for which Steam auth is not available and for which you have not set up an alternative authentication method yet.
