Where to draw the line with security?

While we all wish that the server could run every line of code to prevent client hacking, this sadly cannot be the case.



I have been thinking about how to approach client/server interaction protection to prevent cheating in my game.



There are however a few questions I would like to ask regarding this topic:


  1. What is the general rule of thumb for what/how the server should check? (Namely, what variety of things should the server check, and should the server check by actually running such processes or by checking the values the client is generating?)


  2. How can a player hack my client? I am confused about this. Can a user specifically go into the client code and tell the client to drop rare items from every object? Can the user directly alter my code or just inject false code snippets?


  3. What is the best way to maximize security while minimizing/eliminating cheating/hacking?



    Thank you! :slight_smile:
  1. For very good security, the server does all the physics and checks every input packet.


  2. He can decompile your client and modify it… or can create false packets, and also alter and destroy packets with a good program. If you are using UDP, he can also sniff/write packets of other players (well, it has more possibilities than TCP).


  3. See point 1. If you use a good physics engine like JBox2d or JBullet (3D), your server can have more than 1000 objects on an 800 MHz PC… The only hacks I can see using TCP are breaking the server code with ad-hoc packets and DoS attacks.
1. For very good security, the server does all the physics and checks every input packet.

From what I heard, running physics on the server is a very bad idea unless you have a small amount of players or a lot of money.

As far as security goes, it depends on what you can afford. If you have a lot of processing power, you can afford to do more checks; otherwise you could trust the players not to cheat and only counter the biggest cheating attempts.

2. How can a player hack my client? I am confused about this. Can a user specifically go into the client code and tell the client to drop rare items from every object? Can the user directly alter my code or just inject false code snippets?

Assuming the strongest hacker in the world is assigned to hacking your game, pretend like he has the source code for your game and can edit it as he wishes.

There are game extensions, though, like PunkBuster, which try to prevent hackers from modifying your game client's memory. I don't know how well they work, but it seems many games use them.


For most indie and free games I wouldn't recommend worrying about security; it's a waste of effort until the game becomes popular, when the danger of hacking becomes real.

It depends. If you want to create an MMORPG, use client-side players, nearly no physics, and a dumb server that mostly only relays data; however, still DO health, attack, etc. on the server, because it's just too easy to cheat otherwise (WoW uses this system).



If you want to create an FPS game, make everything server-side (CSS works that way, UT, Quake, Battlefield).



If it is mixed, then you have the problem of choosing which is the better one.

I was once programming with L2J (Lineage2 Java open-source server), and I have seen how these things are done there. Lineage2, as someone might know, is an MMORPG, so there is no physics on the server; there is only geodata and pathfinding on the server (so that each player is checked on move). Also, each incoming packet is checked to see if its data corresponds with the data on the server and if it can be used at that particular moment.

Hopefully it helps a little. :slight_smile:
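
The two per-packet checks described in the post above (does the packet agree with the server's own data, and is the action allowed at this moment), as an added example that is not L2J code or any poster's code. The class, method names and limits are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
// Added example; every name and constant here is hypothetical.
public class PacketValidator {
    // Authoritative per-player state, kept on the server only.
    static final class PlayerState {
        double x, y;
        long lastMoveMs, lastAttackMs;
    }
    static final double MAX_SPEED = 5.0;          // units per second (constructed)
    static final double ATTACK_RANGE = 2.0;       // units (constructed)
    static final long ATTACK_COOLDOWN_MS = 1000;  // constructed

    private final Map<Integer, PlayerState> players = new HashMap<>();

    void addPlayer(int id, double x, double y, long nowMs) {
        PlayerState p = new PlayerState();
        p.x = x; p.y = y; p.lastMoveMs = nowMs; p.lastAttackMs = nowMs - ATTACK_COOLDOWN_MS;
        players.put(id, p);
    }

    // Accept a move only if the distance is reachable in the elapsed server time.
    boolean handleMove(int id, double toX, double toY, long nowMs) {
        PlayerState p = players.get(id);
        if (p == null || !Double.isFinite(toX) || !Double.isFinite(toY)) return false;
        double elapsedSec = Math.max(0L, nowMs - p.lastMoveMs) / 1000.0;
        if (Math.hypot(toX - p.x, toY - p.y) > MAX_SPEED * elapsedSec + 1e-9) return false;
        p.x = toX; p.y = toY; p.lastMoveMs = nowMs;
        return true;
    }

    // The packet names only the target; range and cooldown come from server state.
    boolean handleAttack(int attackerId, int targetId, long nowMs) {
        PlayerState a = players.get(attackerId), t = players.get(targetId);
        if (a == null || t == null || a == t) return false;
        if (nowMs - a.lastAttackMs < ATTACK_COOLDOWN_MS) return false;     // too soon
        if (Math.hypot(t.x - a.x, t.y - a.y) > ATTACK_RANGE) return false; // out of reach
        a.lastAttackMs = nowMs;
        return true;
    }

    public static void main(String[] args) {
        PacketValidator v = new PacketValidator();
        v.addPlayer(1, 0, 0, 0); v.addPlayer(2, 4, 4, 0);
        System.out.println(v.handleMove(1, 3, 4, 1000));     // 5 units after 1 s
        System.out.println(v.handleMove(1, 500, 500, 1100)); // about 700 units, 100 ms later
        System.out.println(v.handleAttack(1, 2, 1200));      // target 1 unit away
        System.out.println(v.handleAttack(1, 2, 1300));      // 100 ms after the last attack
    }
}
```

A rejected packet leaves the server state untouched, so a modified client gains nothing by sending it; the server never reads position, damage or timing claims from the packet beyond the requested destination and target id.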

Kinda as I said ^^, then,

L2 nearly destroyed one school year for me ^^