Photon Bolt Cloud/Matchmaking Exploits

I am considering using photon bolt for a project, but have some questions about preventing exploits and hacks on the matchmaking system (which is forced to depend on photon cloud). I have used PUN cloud before and was very disappointed at the lack of exploit protection. For example, it was trivial to do things such as
1) create thousands of rooms to overload the region and prevent other rooms from being created (not a DDOS, it is done on just one machine/IP.. lol)
2) crash a room by sending malformed data to the server
3) change any room property you like, including injecting profanity, changing the max number of players, etc.

Now these are not problems with the photon networking library (client) itself, as it can be fixed by switching to photon server and customizing server logic there. So as long as we do not use photon cloud, PUN is a usable solution still.

However, photon bolt MUST use the cloud for matchmaking, unless you pay for some vague pro license that I'm assuming is only available to larger studios. Now I am asking, what is stopping some hacker from doing any of the following:
1) create tons of rooms
2) create a room with profanity that is now visible to everyone
3) find the IP of every room owner and DDOS them sequentially (unless photon bolt allows you to specify a version number or something to have a 'private' room list hidden from the public). This is a big problem because it is easy to DDOS a player host compared to a large dedicated server.
4) a banned player can still create a room (is there any authentication possible before allowing literally anyone to register a room to photon cloud?)
5) change room properties

Again, these are issues that are generally solvable when you self-host instead of using cloud. Now I am fine with the CCU pricing and I think it is quite fair; after all, you are a company and need to make money somehow. But it seems photon's business model is to have new developers use a service that is rife with exploits and cheaters, then when the game becomes big they can switch to the 'real' solution (photon server, bolt pro) at a premium.

So is there no way to prevent hackers from the beginning, instead of waiting until I can pay enough to be considered a 'worthy' customer?

Comments

  • ramonmelo
    ramonmelo mod
    edited June 2019
    Hello @tester24,

    We are glad that you are considering Photon Bolt for your project; we are here to help you accomplish this.

    Currently, we offer two versions of Bolt (Free and Pro) that you can read more about here.

    Considering your concern about finding the public IP of the Servers, Photon Bolt has a built-in Accept Mode that grants you the ability to control the flow of connections, by just changing the accept mode from Auto to Manual in the Bolt Settings window. This way, for every connection attempt from clients to the server, you will be able to review the information sent by the connecting peer and accept or refuse it. You can read more about this here: https://doc.photonengine.com/en-us/bolt/current/community-wiki/bolt-essentials/accepting-and-refusing-connections .

    Also, by using the Photon Cloud, we have mechanisms to automatically disconnect peers that are sending bursts of updates/events, in order to prevent any issues on the Game Host. And to accomplish some of your assumptions, you would need a custom client to do so, which should not be easy to build for any customer that has access only to your game.

    Looking to improve our services, we would appreciate it if you could send us a reproduction project with the clients sending malformed data to the server, so we can verify whether our serialization process has any issues.

    If you have any other concern or doubt, please send us an email at developer@photonengine.com.
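An added example (not Photon's or the poster's code) of what the Manual accept mode described above looks like on the game host, using the ConnectRequest callback and BoltNetwork.Accept/Refuse from the linked wiki page: the host reviews each connecting peer and only admits it after its own checks pass. The ban list, the per-address attempt limit, the ShouldAccept helper and the endpoint.Address property are assumptions.

```csharp
using System.Collections.Generic;
using Bolt;
using UdpKit;

// Added illustration, not Photon's own code. Runs on the game host when Bolt Settings > Accept Mode is Manual:
// no peer is connected until the host calls BoltNetwork.Accept, so the host decides per connection attempt.
// The ban list and attempt limit are constructed sample data; the property name endpoint.Address is assumed.
[BoltGlobalBehaviour(BoltNetworkModes.Server)]
public class ManualAcceptListener : GlobalEventListener
{
    // Constructed sample ban list; a real game would fetch this from its own backend.
    private static readonly HashSet<string> BannedAddresses = new HashSet<string> { "203.0.113.7" };

    // Attempts seen per address this session, so one misbehaving peer cannot keep the host busy with requests.
    private readonly Dictionary<string, int> attemptsByAddress = new Dictionary<string, int>();
    private const int MaxAttemptsPerAddress = 5;

    public override void ConnectRequest(UdpEndPoint endpoint, IProtocolToken token)
    {
        string address = endpoint.Address.ToString();
        string reason;
        if (ShouldAccept(address, token, out reason))
        {
            BoltNetwork.Accept(endpoint);
        }
        else
        {
            BoltLog.Warn("Refusing connection from {0}: {1}", address, reason);
            BoltNetwork.Refuse(endpoint);
        }
    }

    // Decision logic kept separate from the Bolt callback so it can be unit-tested without a running host.
    public bool ShouldAccept(string address, IProtocolToken token, out string reason)
    {
        int seen;
        attemptsByAddress.TryGetValue(address, out seen);
        attemptsByAddress[address] = seen + 1;

        if (BannedAddresses.Contains(address)) { reason = "address is banned"; return false; }
        if (seen + 1 > MaxAttemptsPerAddress) { reason = "too many connection attempts"; return false; }
        // Require the connecting client to present a protocol token; validating its contents (for example a
        // session id issued by your own login service) is where a modified client gets rejected server-side.
        if (token == null) { reason = "missing protocol token"; return false; }

        reason = null;
        return true;
    }
}
```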
  • So IP is hidden until host accepts connection? That’s good.
    What about room creation? Can there be a way to prevent someone from creating tons of rooms or a banned user from still creating a room?
    It is quite trivial to decompile unity games and create a custom client to do any number of exploits, so just client side checks are unacceptable. When I get my hands on the more serious exploits that are capable of crashing photon cloud servers I will be happy to submit them, but so far I have only seen it happen and don’t know the exact mechanics.
    Still, I am hesitant to depend on cloud for anything even matchmaking if there is no way to authenticate a user before giving them permission to do room operations.
  • JohnTube
    JohnTube ✭✭✭✭✭
    edited June 2019
    Hi @tester24,

    Thank you for choosing Photon!

    there is no way to authenticate a user
    Photon has multiple authentication options and you can add your own custom one.
    This is not exposed in Photon Bolt yet but will be added soon.

    What about room creation? Can there be a way to prevent someone from creating tons of rooms or a banned user from still creating a room?
    You can block banned users using custom authentication, or you can have a custom server-side plugin to have total control over in-room operations.
  • JohnTube said:

    Hi @tester24,

    What about room creation? Can there be a way to prevent someone from creating tons of rooms or a banned user from still creating a room?
    You can block banned users using custom authentication, or you can have a custom server-side plugin to have total control over in-room operations.
    This is not possible in Bolt because custom authentication is not yet available in Bolt and custom server-side plugins are available only for photon server.
Hello @newlife,

    We are already extending the Photon Bolt API to include all custom authentication methods available on Photon Realtime. This will be available in a future version, probably version 1.2.11.

    We will keep our community updated with any news about this.
  • Any ETA for this?
  • ramonmelo
    ramonmelo mod
    edited September 2019
    We don't provide any specific ETA, but it should be available in a few weeks.