Suppose in the dodge ball game, the host sends out a message to every opponent
that they were hit by a dodge ball and therefore eliminated from the round. Well,
because the server is the authority, that could mean the game ends with the host
as the winner. If third-party controlled dedicated servers can't be used, there are a
couple potential solutions. One would be to use one of the aforementioned cheat-
detection programs; the other would be to add some client verification of the server
commands. If the client sees that several players are eliminated at the same time,
which is impossible, it can potentially trigger some code that says the server is
cheating.
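The client-side verification described above, sketched as an added example that is not from the original text. The message fields, the `balls_in_play` and `min_rethrow_ticks` parameters, and the hit-radius rule are assumptions about a hypothetical dodge ball game.

```python
import math
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Elimination:
    tick: int        # host tick at which the hit is claimed (assumed field)
    player_id: int   # player the host says was eliminated (assumed field)

class HostCommandVerifier:
    """Client-side plausibility check on elimination commands from the host."""
    def __init__(self, balls_in_play, min_rethrow_ticks, local_id, hit_radius):
        self.balls_in_play = balls_in_play          # assumed known from game setup
        self.min_rethrow_ticks = min_rethrow_ticks  # fastest a ball can be thrown again
        self.local_id = local_id
        self.hit_radius = hit_radius                # should include a latency tolerance
        self.recent = deque()                       # ticks of accepted eliminations
        self.violations = []

    def check(self, msg, local_pos, ball_positions):
        """Return True if msg is plausible; otherwise record a violation."""
        # Forget eliminations old enough that their ball could be in flight again.
        while self.recent and msg.tick - self.recent[0] >= self.min_rethrow_ticks:
            self.recent.popleft()
        # Rule 1: one ball eliminates at most one player per throw, so a
        # window cannot hold more eliminations than there are balls.
        if len(self.recent) >= self.balls_in_play:
            self.violations.append((msg, "more eliminations than balls in window"))
            return False
        # Rule 2: the client knows its own position, so a claimed hit on the
        # local player needs a ball within hit_radius in the local simulation.
        if msg.player_id == self.local_id:
            near = any(math.dist(local_pos, b) <= self.hit_radius for b in ball_positions)
            if not near:
                self.violations.append((msg, "local player hit with no ball nearby"))
                return False
        self.recent.append(msg.tick)
        return True

def demo():
    # Constructed sample: the host claims four players eliminated on one tick.
    v = HostCommandVerifier(balls_in_play=2, min_rethrow_ticks=30, local_id=7, hit_radius=1.5)
    me, balls = (0.0, 0.0), [(10.0, 4.0), (-8.0, 3.0)]
    msgs = [Elimination(100, 3), Elimination(100, 4), Elimination(100, 5), Elimination(100, 7)]
    return [v.check(m, me, balls) for m in msgs]
```

A recorded violation is a signal to report or to vote the host out, not proof on its own, since lag can make the local simulation disagree with an honest host.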
Man-in-the-Middle Attack
One of the most nefarious ways to cheat is to place a machine in between two machines
that are communicating in order to intercept all the packets. This is known
as a man-in-the-middle attack, and it's especially an issue when plain text information
is sent over the network. This style of attack is the primary reason why
whenever you connect to a financial institution online, you use HTTPS instead of
HTTP.
With HTTP, all data is sent over the network in plain text. This means that if you
submit your username and password to a website that uses HTTP, it is trivial for
the man-in-the-middle to steal that information. But with HTTPS, all the data is
encrypted, which makes it nearly impossible for the man-in-the-middle to access
the information. There are certain vulnerabilities that have been exposed in the
HTTPS protocol, but practically speaking it should not be a big concern for most
users.
In the case of a game, however, the biggest advantage of the man-in-the-middle
attack is that it allows the cheating to happen on a machine that isn't playing the
game. This means that nearly all cheat-detection programs will be rendered impotent—they
simply have no way of knowing that the packets are being intercepted
and modified. A further concern is that having access to the packet information
in general might allow a hacker to discover additional vulnerabilities in the game
that can then be exploited.
One solution to this type of attack is to encrypt literally every packet so that only
the server can decrypt and understand the packet. But this is probably overkill for
most game information, and it does have the added overhead of needing to encrypt
everything. But at the very least, whenever a game requires players to log in (such
as in an MMO), some sort of encryption must be utilized to ensure that players
don't have their accounts stolen.