Ask HN: How to protect online games from bots?
Why would you? Bots are single player/novice content. In Fortnite you even start by playing against bots.
"When a new season kicks off, all Fortnite's player levels get reset and even the most experienced players encounter bots in the first matches. The number of bots you'll see in your games will decrease since the game can tell you're getting better, and you'll start getting in lobbies with almost no bots."
Did you perhaps mean Aimbots/Cheating? Admins are the answer, humans augmented by automated data analysis.
There are tons of server-side techniques. None of them perfect, but each one narrows attack surface. Check this whole channel out https://www.youtube.com/watch?v=cJLxXJ90lEE Main problem here is game server sending location data for all players in certain radius, even the ones not in the PVS (Potentially Visible Set). But watching this video you should immediately get some ideas for detection of bots/cheats - tracking player visibility, gaze and movement behavior server side. Someone consistently "spotting" enemies 600m away in a building, reacting to silent entities being spawned behind them, head/eyes shots through foliage, etc.
By providing an official bot league.
Those who possess the expertise to program AI will be drawn to the challenge of fighting other such people's bots, and mostly leave the boring humans to play by themselves.
that's a billion dollar question.
mostly just varied statistical analysis methods.
concurrent play time, mouse clicks, jitter between clicks, viewport size, reaction to 'out-of-cycle' prompts or UI strings (like, say, a GM opening an inventory window on the player screen), click accuracy, click accuracy jitter, time between mouse points -- generally trying to determine whether or not the player actions look something like the player actions of a regular old user.
if your game is one that has an economy you can trace currency pathways and usually find bot-herders that are pooling resources.
some asian MMOs implemented in-game captcha-likes that bother players when they've spent a long time in a specific area (a likely bot condition). "Are you there? Finish this puzzle for a temporary XP boost!" -- the premise actually being "Hey, are you a human?"
training ML methods for this is pretty easy -- get a bunch of known legitimate players and record all the metrics around the ui/ux/input channels, look for similar behavior elsewhere -- when a very-fast or strange outlier appears then (preferably) prompt for a human GM to observe the player in question and perform judgement.
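An added example, not part of the thread: a minimal server-side version of the click-timing check described in the comment above, comparing sessions against a baseline of known-legitimate players and queueing outliers for a human GM. The feature choice, the robust z-score, the 3.5 threshold and all sample data are assumptions made for illustration.

```python
import statistics
from itertools import accumulate

def click_features(timestamps_ms):
    """Median gap between clicks and its coefficient of variation (jitter)."""
    gaps = [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]
    return statistics.median(gaps), statistics.pstdev(gaps) / statistics.fmean(gaps)

def robust_z(value, baseline):
    """Median/MAD z-score, so one odd baseline session barely moves it."""
    med = statistics.median(baseline)
    mad = statistics.median([abs(x - med) for x in baseline]) or 1e-9
    return 0.6745 * (value - med) / mad

def review_queue(baseline_sessions, candidates, threshold=3.5):
    """Return {player: [reasons]} for sessions a human GM should look at."""
    feats = [click_features(s) for s in baseline_sessions]
    base_gap, base_cv = zip(*feats)
    queue = {}
    for player, ts in candidates.items():
        gap, cv = click_features(ts)
        reasons = []
        if robust_z(gap, base_gap) < -threshold:
            reasons.append("clicks far faster than baseline")
        if robust_z(cv, base_cv) < -threshold:
            reasons.append("click timing far more regular than baseline")
        if reasons:
            queue[player] = reasons  # flag only; the ban decision stays with the GM
    return queue

def stamps(gaps_ms):
    """Turn a list of inter-click gaps into absolute timestamps."""
    return list(accumulate(gaps_ms, initial=0))

# Constructed sample data: inter-click gaps in milliseconds.
BASELINE = [stamps(g) for g in (
    [220, 410, 180, 650, 300, 270],
    [310, 190, 520, 240, 700, 280],
    [150, 480, 330, 260, 590, 210],
    [400, 230, 610, 170, 350, 290],
    [260, 540, 200, 450, 320, 380],
)]
CANDIDATES = {
    "human_01": stamps([240, 480, 190, 610, 200, 330]),
    "bot_fast": stamps([50, 52, 49, 51, 50, 50]),
    "bot_paced": stamps([300, 302, 299, 301, 300, 298]),
}

if __name__ == "__main__":
    print(review_queue(BASELINE, CANDIDATES))
```

The paced session clicks at a human speed and is caught only by the jitter feature, which is why speed alone is not enough.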
there's a surprisingly large amount of low hanging fruit before you even bother going to ML.
i've worked with a few asian MMO publishers, and before you dive into full on ML or start sending users' clipboard contents and bank website window captures to notoriously shitty and useless korean anticheat companies, there are some very big things you can do:
- count gains, portal entries, dungeon entries, etc, then sort descending. players that are gaining experience 24 hours a day, or gold 24 hours a day are rarely, if ever, legitimate.
- even if this does not entirely get rid of gold farmers, it causes interesting points where they are suspicious of whatever software they are using, rather than suspicious of the inhuman fact that they have not stopped attacking for 84 hours straight
- one lazy thing i've seen take down massive (warehouse-scale) gold farming bot operations is having the game send out broadcast discovery packets. these large scale operations are usually piles of optiplexes or similar on a flat network, and a discovery packet will be noticed by every other device running your game on the network. instant breaking through a different VPN per device, linking all accounts together.
- trace currency, and on top of that, trace timings. often, bots will do something like "farm until inventory full" and then transit back to trade it off, then return to the same map with incredibly tight timing.
the biggest problem you will have is that asian mmo companies don't give a fuck about anything other than their cash shop, and just slap on the cheapest, worst, most insecure malicious and privacy violating rootkit anticheat they can find as a bandaid while the underlying game code is incredibly vulnerable. writing a sql query is too much effort to care, same with having human review.
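An added example, not part of the thread: the "count gains, sort descending" and "trace timings" checks from the comment above, run over a gain log and a map-entry log. The log shapes, account names, the 20-hour cutoff and all sample data are assumptions made for illustration.

```python
import statistics
from collections import defaultdict

def longest_streak(hours):
    """Longest run of consecutive hour buckets with at least one gain."""
    best = run = 0
    prev = None
    for h in sorted(set(hours)):
        run = run + 1 if prev is not None and h == prev + 1 else 1
        best = max(best, run)
        prev = h
    return best

def rank_by_streak(gain_events):
    """gain_events: (player, unix_ts, amount) -> [(player, streak_h, total)], descending."""
    hours, totals = defaultdict(list), defaultdict(int)
    for player, ts, amount in gain_events:
        hours[player].append(ts // 3600)
        totals[player] += amount
    rows = [(p, longest_streak(h), totals[p]) for p, h in hours.items()]
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)

def suspects(gain_events, max_streak_hours=20):
    """Players who gained in every hour for longer than the assumed cutoff."""
    return [p for p, streak, _ in rank_by_streak(gain_events) if streak > max_streak_hours]

def loop_spread(map_entries):
    """Seconds between re-entries to one map: (median gap, largest deviation from it)."""
    gaps = [b - a for a, b in zip(map_entries, map_entries[1:])]
    med = statistics.median(gaps)
    return med, max(abs(g - med) for g in gaps)

# Constructed sample data (timestamps in seconds from an arbitrary start).
GAINS = [("farm_acct", t, 40) for t in range(0, 84 * 3600, 1800)]
GAINS += [("evening_player", d * 86400 + h * 3600, 55)
          for d in range(3) for h in range(18, 22)]
GAINS += [("weekend_player", 86400 + h * 3600 + 900, 70) for h in range(9, 19)]

FARM_ENTRIES = [0, 1500, 3001, 4500, 6002, 7501]   # farm until full, sell, return
HUMAN_ENTRIES = [0, 1400, 3900, 4700, 8000]

if __name__ == "__main__":
    for row in rank_by_streak(GAINS):
        print(row)
    print("suspects:", suspects(GAINS))
    print("farm loop:", loop_spread(FARM_ENTRIES), "human loop:", loop_spread(HUMAN_ENTRIES))
```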
This is basically a book length topic to cover so you’re going to need to supply more detail. What kind of game, what kind of bots?
Create a game that is NP-hard to solve.
Require government ID to play? One per account.
my experience is that this actually does limit cheating, but it doesn't prevent it.
the sale of KSSNs, kids taking their parents to get more accounts to get banned, keylogged KSSN/accounts/compromised mobile phones with malware being used to receive verification sms (originating from downloading pirated games and pressing yes) is commonplace
there are numerous chinese sites where you can go buy a korean ssn-verified account for $1 or less, cheaper in bulk. they are rarely used for making a "main" because you are subject to lose them at any time to reverification, so they're largely used for throwaway activities.