Server Double-checking

This is where all your hacking prevention comes in. In the example from the last section, where the character moves and the client reports that no blocked tile was hit, it is up to the server to check again whether a blocked tile was hit; don't assume there's a clear path just because the client said so. If a user wants to attack monster X with a bow, make sure the range between the two is valid, even if it requires checking every tile between them to make sure the arrow won't hit any unpassable objects. This applies to every packet that comes from the client! Never assume anything the client tells you is going to be correct in any way at all. There really isn't any easy way to do this besides performing all the needed calculations. Shortcuts, whether they are meant to reduce development time or processing time, only lead to possible exploits that can be abused later.

You also have to check that the data from the client is valid at all. This isn't used as much for hacking prevention as it is for crash prevention. If you have 8-directional movement in your game and the client sends a request to move in direction 234, the results can be very nasty.
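The following is an added example, not code from the original article, showing the two checks described above on a small tile grid: a movement request whose direction is range-checked before it is used, and a bow attack that is re-validated for range and for a clear line of fire. The map, the direction table, the `BOW_RANGE` limit and the function names are all constructed for this illustration.

```python
# Added example (not from the original article): server-side re-validation of
# client requests on a tile grid. The map, packet shapes and limits are constructed.

# Constructed 8x6 map: '#' is an unpassable tile, '.' is open ground.
MAP = [
    "........",
    "..##....",
    "..#.....",
    "....#...",
    "........",
    "........",
]

# The eight legal movement directions, indexed 0..7 (N, NE, E, SE, S, SW, W, NW).
DIRECTIONS = [(0, -1), (1, -1), (1, 0), (1, 1), (0, 1), (-1, 1), (-1, 0), (-1, -1)]

BOW_RANGE = 5  # constructed limit: maximum Chebyshev distance for a bow attack


def is_blocked(x, y):
    """Out-of-bounds counts as blocked so a bad coordinate can never index the map."""
    if y < 0 or y >= len(MAP) or x < 0 or x >= len(MAP[y]):
        return True
    return MAP[y][x] == '#'


def validate_move(pos, direction):
    """Return the new position if the move is legal, or None to reject the packet.

    The direction is range-checked before it is used as an index, so a client
    sending direction 234 is rejected instead of crashing the server.
    """
    if not isinstance(direction, int) or not 0 <= direction < len(DIRECTIONS):
        return None
    dx, dy = DIRECTIONS[direction]
    nx, ny = pos[0] + dx, pos[1] + dy
    if is_blocked(nx, ny):
        return None  # the server re-checks collision instead of trusting the client
    return (nx, ny)


def tiles_between(a, b):
    """Bresenham line from a to b, excluding both endpoints."""
    x0, y0 = a
    x1, y1 = b
    dx, dy = abs(x1 - x0), -abs(y1 - y0)
    sx = 1 if x0 < x1 else -1
    sy = 1 if y0 < y1 else -1
    err = dx + dy
    tiles = []
    while (x0, y0) != (x1, y1):
        e2 = 2 * err
        if e2 >= dy:
            err += dy
            x0 += sx
        if e2 <= dx:
            err += dx
            y0 += sy
        if (x0, y0) != (x1, y1):
            tiles.append((x0, y0))
    return tiles


def validate_ranged_attack(attacker, target):
    """Reject the attack unless the target is in range and the arrow's path is clear."""
    if is_blocked(*attacker) or is_blocked(*target):
        return False
    if max(abs(attacker[0] - target[0]), abs(attacker[1] - target[1])) > BOW_RANGE:
        return False
    return not any(is_blocked(x, y) for x, y in tiles_between(attacker, target))


if __name__ == "__main__":
    print(validate_move((0, 0), 234))              # None: bad direction, rejected
    print(validate_move((1, 1), 2))                # None: wall at (2, 1)
    print(validate_ranged_attack((0, 1), (5, 1)))  # False: wall between them
    print(validate_ranged_attack((0, 4), (5, 4)))  # True: open row, in range
```

Both validators return a rejection rather than raising, so the dispatch loop can drop the packet and, if it wants, count rejections per client; a legitimate client with correct collision data should almost never trip these checks.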

With all this server checking, it isn't unexpected that packets will take a lot longer than you would expect to process. This, too, can be taken advantage of in the form of a DoS attack. If a client finds the most processing-intensive routine (such as doing a ranged attack on a far away NPC), it can flood the server with packets for that routine. There are many ways you can fix this. One way is to create a timer for certain routines and check the time that has elapsed since the last request to that routine. This is going to take a lot of extra RAM for all those timers, but it can be worth it, and should already be in place for many routines (movement, attacking, talking, etc.). Another is to completely limit the number of unique packets (packet headers, not size of packets) the client is allowed to send to the server every second. Usually the client doesn't have to send many packets to the server, so abuse of this can often be easily caught.
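Here is an added example, not code from the original article, implementing both throttles described above: a per-routine cooldown timer keyed by client and packet header, and a per-second cap on the number of packets a client may send. The `COOLDOWNS` table, the `MAX_PACKETS_PER_SECOND` value, the packet headers and the injected clock are all constructed for this illustration.

```python
# Added example (not from the original article): two throttles a game server can
# run before dispatching a client packet. Values and packet headers are constructed.
from collections import defaultdict

# Constructed per-routine cooldowns in seconds: how often a client may invoke each
# packet header. Anything not listed has no per-routine cooldown.
COOLDOWNS = {
    "MOVE": 0.10,
    "ATTACK": 0.50,
    "RANGED_ATTACK": 1.00,
    "CHAT": 0.25,
}

# Constructed global cap: at most this many packets from one client per second,
# counted per packet received regardless of its size.
MAX_PACKETS_PER_SECOND = 20


class PacketThrottle:
    """Per-client throttle. Call accept() before dispatching a packet; a False
    result means the packet should be dropped (and the client possibly flagged)."""

    def __init__(self, clock):
        self._clock = clock                  # callable returning seconds; injected for testing
        self._last_call = defaultdict(dict)  # client -> header -> time of last accepted packet
        self._window = {}                    # client -> (window_start, packets_seen)

    def accept(self, client_id, header):
        now = self._clock()
        # Fixed one-second window: a counter and a start time per client, so the
        # memory cost is constant no matter how hard a client floods.
        start, seen = self._window.get(client_id, (now, 0))
        if now - start >= 1.0:
            start, seen = now, 0
        seen += 1
        self._window[client_id] = (start, seen)
        if seen > MAX_PACKETS_PER_SECOND:
            return False  # flood: every further packet this second is dropped
        # Per-routine timer: reject if the routine was used too recently.
        cooldown = COOLDOWNS.get(header, 0.0)
        last = self._last_call[client_id].get(header)
        if last is not None and now - last < cooldown:
            return False  # routine still cooling down for this client
        self._last_call[client_id][header] = now
        return True


def simulate(packets):
    """Run a constructed packet sequence [(time, client, header), ...] through the
    throttle and return (accepted, dropped) counts."""
    current = [0.0]
    throttle = PacketThrottle(lambda: current[0])
    accepted = dropped = 0
    for when, client, header in packets:
        current[0] = when
        if throttle.accept(client, header):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


if __name__ == "__main__":
    # Constructed flood: 100 ranged attacks in a tenth of a second from one client.
    flood = [(i * 0.001, "attacker", "RANGED_ATTACK") for i in range(100)]
    print(simulate(flood))  # (1, 99): one attack is processed, the rest are dropped
```

The cooldown check runs after the flood counter on purpose: once a client is over its per-second budget, the server does no further work for that client at all, which is the whole point when the expensive routine is what the attacker is targeting.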