How do I prevent the clients from calling harmful methods?

Anti-Cheat is hard. Many times I have sighed and thought "If only hackers didn't exist, my life would be much easier." However, hackers exist so I must do my best to stop them. The problem I can see coming, though, is: What if the hackers use PhotonNetwork.Instantiate or something like that to completely mess up my server? How can I stop them from doing this? Or what if I want only certain trusted game instances to be able to create rooms? What's stopping the hackers from modifying the code so that they automatically call PhotonNetwork.CreateRoom?

Could you please explain how I can solve these problems? Thanks!


  • "Anti-Cheat is hard."

    There is no way to limit Instantiate to some clients. There is no rule to limit creating rooms and I would have a hard time thinking about how to implement one, too.

    In my opinion, you can only get rid of cheating / harmful clients by banning them or their users. So you would need an account service in the first place. Then all clients need to check for cheats and report the cheating users. Once a threshold in reports is surpassed you can keep the cheater out of your game.

    We will think about anti cheat measures these days. We will see if we have more ideas.
  • I was thinking about having two versions of the game, but with one slight difference. One has a password built in (for trusted users), and one doesn't. Then when they try to create a room it checks the password. The problem is, I would have to edit the Photon server code, not the Unity code, to achieve this, and I'm not sure how to do this. Plus, I would like to take advantage of my free development server which doesn't support modifications as far as I know. I suppose I could not use a password for now and host a modified server later on release, but it is more convenient for me to buy hosting from you rather than hosting a modified server myself. So, do you host modified servers? If so, how can I modify it? If not, perhaps you can allow the user to disallow clients from doing certain actions unless they provide a password.

    On the note of simply banning hackers, is this effective enough? If I can just ban all of them, why should I bother with an authoritative server? I was originally planning on having one, but perhaps it's unnecessary. Do you think it would be disastrous to forego one and just rely on cheat detection and banning? If so, how can I detect these cheats? Can I just modify client code, or do I again need to modify the server?

    I know that's a lot of questions. I'm a noob at making multiplayer games and I have little idea of how to handle cheaters. I really appreciate your help. Thanks!
  • We don't know yet if it's effective enough to ban hackers. In some cases, they simply come back and have to be kicked and banned again.
    Once the race between hacker and developer has begun, you might need to update the clients from time to time to detect new cheats and kick/ban the players who do this.
    In that case, a server-component would be easier to update as you don't need to submit it to the stores. There would be less delay.

    How you detect cheats and hacks depends on what rules your game has and which actions might break it. In our use case, all clients will constantly check for irregular behaviour of other clients and they will be able to report issues with other players. It would all be client side.

    At the moment, we don't offer hosting your own, custom code on the public Cloud. We offer that service for "Private Cloud" customers but that option is only feasible for > 2k CCU or so.
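
The report-threshold approach from the first reply (clients report suspected cheaters to an account service, which keeps an account out once enough reports arrive), sketched as an added example that is not part of the thread and not Photon code. It assumes a hypothetical account service that sees authenticated account ids; `ReportTracker`, the threshold of 3 and the one-hour window are illustrative choices. It counts distinct reporters so that one client spamming reports cannot get another player banned.

```python
from collections import defaultdict

REPORT_THRESHOLD = 3    # assumed: distinct reporters needed before a ban
WINDOW_SECONDS = 3600   # assumed: older reports no longer count


class ReportTracker:
    """Hypothetical account-service component that turns client reports into bans."""

    def __init__(self, threshold=REPORT_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.banned = set()
        # accused account id -> {reporter account id: time of latest report}
        self._reports = defaultdict(dict)

    def report(self, reporter, accused, now):
        """Record one report; return True if `accused` is banned afterwards."""
        if accused in self.banned:
            return True
        # Self-reports and reports from already banned accounts carry no weight.
        if reporter == accused or reporter in self.banned:
            return False
        latest = self._reports[accused]
        latest[reporter] = now  # repeated reports from one account count once
        # Keep only reports inside the time window.
        fresh = {r: t for r, t in latest.items() if now - t <= self.window}
        self._reports[accused] = fresh
        if len(fresh) >= self.threshold:
            self.banned.add(accused)
            return True
        return False

    def may_join(self, account):
        """Check the client would run through before entering a game."""
        return account not in self.banned


# Constructed sample stream: (reporter, accused, unix-style timestamp).
SAMPLE_REPORTS = [
    ("mallory", "alice", 0), ("mallory", "alice", 1), ("mallory", "alice", 2),
    ("bob", "eve", 10), ("carol", "eve", 20), ("dave", "eve", 30),
    ("eve", "alice", 40),
]


def process(events):
    """Feed a report stream through a fresh tracker and return the banned set."""
    tracker = ReportTracker()
    for reporter, accused, now in events:
        tracker.report(reporter, accused, now)
    return tracker.banned
```

In the sample stream, the three reports from `mallory` count as one, so `alice` stays unbanned, while three different accounts reporting `eve` cross the threshold.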