http://blog.ubi.com/the-division-behind ... -gameplay/
Some of the more interesting things in this article is their admission to how some of their server side things work as well as what they have anti-cheat detection for. (Mind you, that is only server-side anti-cheat detection. There is no protection on the client currently.)
In the blog post, the employee being questioned admits to various data that is not handled by the server, which from their wording includes:
- Position data (player movement).
- RPM data (rounds per minute of the players weapon(s)).
- Ammo data.
- Aiming data.
- Gun fire data.
Things like ammo and rate of fire are pretty weird to see handled by the client and just lead to exploits like the ones that we've seen already.
Along with the types of hacks out there that abuse other things like talents to achieve unlimited ammo.
The only thing here I understand being client sided is positional data. Especially given that this is not a simple FPS game, but is really an MMO behind the scenes. Something people often don't think about is what all the server is actually doing. Most gamers that have no concept of how coding works or how networking works all assume and call this game an FPS and refuse to include the MMO part in the name when actually the game is definitely an MMO.
Just because you are running around solo does not mean you are not connected to a server that is processing data for thousands of other players. Things are being processed in the background constantly on The Divisions servers about you and other players. Be it simple movement data, to shooting and killing enemies. Every player also has their own instance of AI information that the server is handling with some client sided cooperation.
Never Trust The Client
This is one of the biggest things to remember though when developing an online game. (Or really online anything.) The client should never be trusted for information. Even down to the basic login information, the client is not trusted. That data may be stolen, or contain malicious code attempting at a blind SQL injection. The data coming from a client should be treated as third-party data and nothing more.
Generalizing things down, there are two models of networking when it comes to gaming. (I understand there are thousands of under-the-hood layers and such, but this is just a generalized overview of the up-front face value.)
- 1. Client Trusted Networking
2. Server Enforced Networking
The client basically tells the server what to do which ultimately can destroy a game overnight. In Phantasy Star Online's case, the PC version of the game never made it out of beta overseas in the eastern part of the world. The game was riddled with problems and never got to see the day of light under Sega's ruling. The community later revived the game and created private servers to be able to play cross-platform. And again in Terraria's case, playing on a stock server that has no protections implemented is ultimately a disaster waiting to happen. The networking is so poorly implemented, a single player can join a server and destroy the entire map in seconds. Other things such as killing players without being near them, killing players without pvp turned on, and so on just ruin the game. The community around Terraria came to the rescue and built a server plugin system that implements anti-cheat systems and preventions from allowing these things to happen. But again, the community fixed it, not the game developers.
In a server-enforced networking setup, the server dictates everything that happens and approves requests by clients. Games like Minecraft make use of this type of environment for networking. The client is merely a UI sitting on top of network code that makes requests to the server. The client reacts to the responses given back from the server. While this is a much more secure method of networking it does come with its own downsides too.
For one, lag is almost always a thing on a networking model like this. And the larger scale you go in terms of players, the larger the lag. Because the server is handling every single request from every single player, there is some processing lag on the server due to resource requirements. However, this is when multithreading really shines in a networking model. Another fault of this model with lag is the ability to flood a server with small tasks that eat up processing time and resources. Depending on how the game is coded, simple movements can be a request. Simply pressing 'W' to move forward on your keyboard can be a request to the server. When this is the case, spamming the movement keys can cause lag on the server when done in large groups of people.
Another concern is rubberbanding. Syncing data between the client and server to ensure a seemly gameplay is rough to do on a server-enforced environment. While you will be moving, you may "snap" back to a previous location due to server lag. Client lag can also play a factor into problems here. Your slow connection can lead to processing delay and jumps in data returned from the server causing you to wobble in-game between movements and actions. This is when client-prediction comes in and helps the server assume what is going to happen and process based on that assumption. This can greatly improve performance and has been a massive part of many games such as the Half Life series, Counter-Strike series, Team Fortress series and so on.
Meeting In The Middle
While both situations have their ups and downs, meeting somehwere in the middle is more than likely a favorable option. Extensive data that is important, critical, and sensitive should NEVER be trusted by the client. In an FPS game things like ammo, rate of fire, bullet percision and hit location should never be trusted from the client. In an MMORPG such as WoW, things like your gold, items and so on should never be trusted from the client. Things that are resource intensive should be placed in a less secure transmission system but still have checks and balances in place to help ensure things are not being abused.
In The Division, a lot of what they covered that is handled by the client shouldn't be. Especially when the game includes pvp gameplay. I will agree that player positioning shouldn't be on the server as this is massively resource intensive, but there should definitely be checks in place. Some things in mind would be:
- Player Positioning
- While movement data is client sided, it should be validated on the server to some degree.
- A player jumping large amounts of distance should be validated to be considered 'legit'.
- A player moving faster than possible by the games mechanics should be validated. (As it stands now only 1 thing in the game increases movement speed, and not by much.)
- Player Inventories / Items
- A players weapon ammo and RPM should NOT be on the client. Players being able to effectively edit their weapons is absurd to ever allow.
- A players talent calculations should not be handled on the client. Players being able to give themselves infinite ammo due to an exploit (within the client code) via a talent is absurd.
There is a huge difference between someone with a gun that is 3000 RPM vs. someone hacking with 9999 RPM. I'm sure the server can differentiate between who is the legit player and who isn't. Let alone the server knows everything the player has equipped, be it items, talents, buffs / debuffs, etc. It is impossible to say that the server can't make a valid and accurate calculation of what the players exact RPM should be compared to what it is currently.
As it stands now, this blog post basically confirms the problem people have with Ubi / Massive's handling of hackers. Unless you /report them, nothing is going to happen. They clearly don't look at their collected data otherwise. And to top that off, people that have been reported for hacking countless times, from WEEK 1 of the game are STILL running around the DZ hacking.
Let's not forget that the games CM Hamish Bode was on stream via Twitch and was in the DZ and was killed by a hacker. Guess what? That hacker is still running around the DZ playing. Surprise surprise...