Antibot solution/controls on Ashes of Creation
AnalyserDmZ
Member
Hello, I am new to the community and probably my questions have already been replied on previous Discord messages or on Forum topics which I was not able to locate. In case there are relevant clarifications please link me the URL of those so I will not waste your time.
Just quick “Bio” of my-self so I can justify the points related to my questions and my ability to understand (at-least on high-level I hope) any relevant technical related answer can be found below:
My gaming experience:
I have been playing games for the past 13 years and I was initiated to MMORPGs at the age of 12 with LineAge2 (back on C3 era-patch). I have been playing several MMORPGs and I never enjoyed any other tittle that much as LineAge2 (that is why I am still playing it on private servers). During those years (since the release of C4 patch) I have played on numerous private servers and official NcSoft servers as well. The main issue that was always “killing” a server was the third-party tools or bots.
Please note that I have played several other genres and MMORPG tittles.
My understanding of InfoSec and bot software products:
Please note that my studies are on Computer Science and Information Security and for the past years till now I work as an Application Security Engineer. Thus, I hope I will be able to understand any relevant technicalities referenced in your answer.
In addition to the above, I have also created my own LineAge2 private servers and developed relevant anti-bot solutions for those servers (well those controls partially worked).
My questions:
Since LineAge2 and probably Ashes of Creation are based on similar “type of grind” (at least on my understanding – I have not played the game) , I would like to ask some questions related to the above issue and some clarifications to information that you have shared with the community.
As referenced on your wiki page and your interview with AsmonGold, Ashes of Creation will implement a behavior analysis anti-bot control/s in addition to EasyAntiCheat (since I do not have access to the game I base my hypothesis related to EasyAntiCheat usage on forum/support posts).
Based on my knowledge bots can “understand” the game world and relevant entities on it via the following methods:
1. Computer Vision/Image processing (e.g. usage of OpenCV library for the bot “to understand the game-world”)
A bot that makes use of computer vision algorithms cannot really include several functionalities and I would limit those to the following:
• NPC detection and gathering of relevant information such as it’s name
• Heath Points and Mana detection and monitoring (self)
• Heath Points detection and monitoring (NPC)
• Mouse and keyboard emulation
In my point of view, those kinds of bots would not be considered as harmful for the project, since a player could use them to kill mobs spawning near them on a really small area with a slow pace.
At least on my understanding, with the use of such a powerful engine such as Unreal Engine 4 you probably include much detail in order to “confuse” the relevant computer vision algorithms that could be used as a bot solution.
2. Direct Memory Access – (e.g. locating and reading values from memory addresses on which the game saves the
information and forwarding the values to the bot)
A bot that could read and write directly to the memory of the game could actually be coded to perform any action into the game-world.
For this type of “attacks”, you have implemented EasyAntiCheat as a security control.
What actually EasyAntiCheat does (on high-level not including all its functionalities of course) is via the usage of ObRegisterCallbacks intercepts API calls that grant access rights of a process to another process in order to identify and prohibit an application to read or right to the relevant memory sectors.
The current trend of bot developers is to create custom Drivers (which actually are the highest in the “hierarchy of a computer”) and integrating the bot to those drivers. Of course, EasyAntiCheat has several features that prohibit the usage of such drivers (e.g. do not allow the game to run while unsinged drivers are present) but bot developers are known leverage vulnerabilities of known and trusted drivers in order to hook their bot software product.
In addition to the above, there are several methods to bypass ObRegisterCallbacks and EasyAntiCheat(e.g. elevation, lsass.exe). Thus, there will never be a “complete” solution in order to “fight” bots from reading directly into the memory and only behavior analysis could get close to that.
3. Code Injection – (e.g. changing the game binary or injecting an external DLL into the game binary)
As stated above, for this type of “attacks”, you have implemented EasyAntiCheat as a security control.
EasyAntiCheat is known to implement several anti-injection controls to the game in addition to direct memory access controls (in order for a bot developer to understand the game-world and script the relevant functionality access to memory will probably be required).
What additional controls have you implemented in order to “incommode” the bot developers from code injections? – Will you obfuscate the game assembly with a hard to reverse obfuscator or there are performance issues that arise in case of obfuscation?
4. NetCode – (e.g. intercepting and then analyzing the network data stream between the client and the server)
I am not going to list the technics (e.g. reversing the netcode, custom winsock service provider) with which a malicious user could intercept and analyze the traffic and create a bot software since I am pretty sure you are aware of those.
I would like to ask if you are going to implement some kind of controls relevant to this point (except encryption of course)?
Behavior analysis:
On my understanding (as described above), the only feasible way to “fight” against bot software is via the behavior analysis.
Based on your interview with AsmonGold and your wiki page you will or have developed several behavior analysis algorithms in order to identify probable gold-sellers and gold-buyers (real money trading).
On your interview you mentioned metrics related to current player gold, in-game trades etc.
Are there any algorithms that will be developed in order to identify (behaviorally) bot players and not only RTM abusers?
Just a clarification, I am not referring to metrics such as x types of mobs killed by character in a specific timeframe, but for more advanced solutions such as the below:
o Traffic Analysis including the below points or several other:
• Command timing
• Regularity tests
• Magnitude of Traffic Burstiness
• Reaction to Network Conditions
I will not analyze the above-mentioned techniques or ways that those could be implemented to any game, since this is a public forum and could be possibly be accessed by bot developers.
Lastly, will you perform any type of penetration test in order to validate that your controls against bots are not easy to by-pass and enhance those controls?
I would gladly provide a more in-depth analysis and some of my ideas in a more private environment or even in this thread (in case you have no issue with that).
PS: I am sorry for the long post, but I really want this game to succeed and not get ruined by bots. Sorry for any technical inaccuracy that may be included into my post, but I had limited time in order to write this post.
PS2: I am sorry for the terrible lay out, but the forum editor (based on BBCode) is not the best available.
Just quick “Bio” of my-self so I can justify the points related to my questions and my ability to understand (at-least on high-level I hope) any relevant technical related answer can be found below:
My gaming experience:
I have been playing games for the past 13 years and I was initiated to MMORPGs at the age of 12 with LineAge2 (back on C3 era-patch). I have been playing several MMORPGs and I never enjoyed any other tittle that much as LineAge2 (that is why I am still playing it on private servers). During those years (since the release of C4 patch) I have played on numerous private servers and official NcSoft servers as well. The main issue that was always “killing” a server was the third-party tools or bots.
Please note that I have played several other genres and MMORPG tittles.
My understanding of InfoSec and bot software products:
Please note that my studies are on Computer Science and Information Security and for the past years till now I work as an Application Security Engineer. Thus, I hope I will be able to understand any relevant technicalities referenced in your answer.
In addition to the above, I have also created my own LineAge2 private servers and developed relevant anti-bot solutions for those servers (well those controls partially worked).
My questions:
Since LineAge2 and probably Ashes of Creation are based on similar “type of grind” (at least on my understanding – I have not played the game) , I would like to ask some questions related to the above issue and some clarifications to information that you have shared with the community.
As referenced on your wiki page and your interview with AsmonGold, Ashes of Creation will implement a behavior analysis anti-bot control/s in addition to EasyAntiCheat (since I do not have access to the game I base my hypothesis related to EasyAntiCheat usage on forum/support posts).
Based on my knowledge bots can “understand” the game world and relevant entities on it via the following methods:
1. Computer Vision/Image processing (e.g. usage of OpenCV library for the bot “to understand the game-world”)
A bot that makes use of computer vision algorithms cannot really include several functionalities and I would limit those to the following:
• NPC detection and gathering of relevant information such as it’s name
• Heath Points and Mana detection and monitoring (self)
• Heath Points detection and monitoring (NPC)
• Mouse and keyboard emulation
In my point of view, those kinds of bots would not be considered as harmful for the project, since a player could use them to kill mobs spawning near them on a really small area with a slow pace.
At least on my understanding, with the use of such a powerful engine such as Unreal Engine 4 you probably include much detail in order to “confuse” the relevant computer vision algorithms that could be used as a bot solution.
2. Direct Memory Access – (e.g. locating and reading values from memory addresses on which the game saves the
information and forwarding the values to the bot)
A bot that could read and write directly to the memory of the game could actually be coded to perform any action into the game-world.
For this type of “attacks”, you have implemented EasyAntiCheat as a security control.
What actually EasyAntiCheat does (on high-level not including all its functionalities of course) is via the usage of ObRegisterCallbacks intercepts API calls that grant access rights of a process to another process in order to identify and prohibit an application to read or right to the relevant memory sectors.
The current trend of bot developers is to create custom Drivers (which actually are the highest in the “hierarchy of a computer”) and integrating the bot to those drivers. Of course, EasyAntiCheat has several features that prohibit the usage of such drivers (e.g. do not allow the game to run while unsinged drivers are present) but bot developers are known leverage vulnerabilities of known and trusted drivers in order to hook their bot software product.
In addition to the above, there are several methods to bypass ObRegisterCallbacks and EasyAntiCheat(e.g. elevation, lsass.exe). Thus, there will never be a “complete” solution in order to “fight” bots from reading directly into the memory and only behavior analysis could get close to that.
3. Code Injection – (e.g. changing the game binary or injecting an external DLL into the game binary)
As stated above, for this type of “attacks”, you have implemented EasyAntiCheat as a security control.
EasyAntiCheat is known to implement several anti-injection controls to the game in addition to direct memory access controls (in order for a bot developer to understand the game-world and script the relevant functionality access to memory will probably be required).
What additional controls have you implemented in order to “incommode” the bot developers from code injections? – Will you obfuscate the game assembly with a hard to reverse obfuscator or there are performance issues that arise in case of obfuscation?
4. NetCode – (e.g. intercepting and then analyzing the network data stream between the client and the server)
I am not going to list the technics (e.g. reversing the netcode, custom winsock service provider) with which a malicious user could intercept and analyze the traffic and create a bot software since I am pretty sure you are aware of those.
I would like to ask if you are going to implement some kind of controls relevant to this point (except encryption of course)?
Behavior analysis:
On my understanding (as described above), the only feasible way to “fight” against bot software is via the behavior analysis.
Based on your interview with AsmonGold and your wiki page you will or have developed several behavior analysis algorithms in order to identify probable gold-sellers and gold-buyers (real money trading).
On your interview you mentioned metrics related to current player gold, in-game trades etc.
Are there any algorithms that will be developed in order to identify (behaviorally) bot players and not only RTM abusers?
Just a clarification, I am not referring to metrics such as x types of mobs killed by character in a specific timeframe, but for more advanced solutions such as the below:
o Traffic Analysis including the below points or several other:
• Command timing
• Regularity tests
• Magnitude of Traffic Burstiness
• Reaction to Network Conditions
I will not analyze the above-mentioned techniques or ways that those could be implemented to any game, since this is a public forum and could be possibly be accessed by bot developers.
Lastly, will you perform any type of penetration test in order to validate that your controls against bots are not easy to by-pass and enhance those controls?
I would gladly provide a more in-depth analysis and some of my ideas in a more private environment or even in this thread (in case you have no issue with that).
PS: I am sorry for the long post, but I really want this game to succeed and not get ruined by bots. Sorry for any technical inaccuracy that may be included into my post, but I had limited time in order to write this post.
PS2: I am sorry for the terrible lay out, but the forum editor (based on BBCode) is not the best available.
1
Comments
That said, there is one point I would like to address:
No, you "fight" bots by reducing the demand for them through fair gameplay mechanics. The reason why bots became such a huge problem in WoW Classic is because the game is so punishing when it comes to endgame grinding. In order to do effective end-game raiding you need to grind so many mats and so much gold that it effectively becomes a second job, a job that nobody wants to do because of how painful and boring it is. So if you want to raid but don't physically have 8+ hours a day to grind for all the mats and gold you need for it, you use a bot that does it for you while you sleep. Easy.
Remove the need for such ridiculous amounts of grinding and you immediately reduce the number of people using bots. Now of course you won't get rid of the bots entirely, no matter what security measures you implement. There will always be people out there who will do anything to cheat or gain an advantage at a game. However, you want to make it so that 90% of players don't feel the need to use cheats or bots or scripts in their day-to-day gameplay.
The fact that you work in IT security and expect them to answer this worries me greatly for the security of the firm you work for.
Im not sure if i agree with you. There will always people who grind a lot (and the "need" for grind is not really removeable, unless you want to hand out max gear to everyone, regardless of effort). Thus, if you want to compete at a decent level, you also need to grind. Therefore botting will always be a porblem if you have free trading, regardless of your gameplay. The only way to remove them is by detecting and banning them (either by behavior, or by a anti cheat tool, which needs to be installed together with the game)
Hello,
About the first part of your reply (“I doubt Intrepid will give us any information regarding how their security systems work (that would just be silly), so we'll just have to see what happens.”)
As I already replied I did not request the developers of the team behind the game to provide any insights related to the implementation of security controls against bot software but just asked if they will develop such controls and just highlighted some of my concerns related to the effectiveness of some of the techniques used for such security controls.
The intention of this post is to highlight the possible issues that may arise, stress out the importance of the anti-bot solution and provide some ideas that the development team may have not had in mind.
“No, you "fight" bots by reducing the demand for them through fair gameplay mechanics. The reason why bots became such a huge problem in WoW Classic is because the game is so punishing when it comes to endgame grinding. In order to do effective end-game raiding you need to grind so many mats and so much gold that it effectively becomes a second job, a job that nobody wants to do because of how painful and boring it is. So if you want to raid but don't physically have 8+ hours a day to grind for all the mats and gold you need for it, you use a bot that does it for you while you sleep. Easy.
Remove the need for such ridiculous amounts of grinding and you immediately reduce the number of people using bots. Now of course you won't get rid of the bots entirely, no matter what security measures you implement. There will always be people out there who will do anything to cheat or gain an advantage at a game. However, you want to make it so that 90% of players don't feel the need to use cheats or bots or scripts in their day-to-day gameplay.”
On my point of view most of the games and especially MMO-RPGs need to have “sense of progress”. I will not really write down why I believe this is important, but I could try to express my view on that if you would like.
Now let’s focus on your example WoW Classic. As you correctly mentioned on WoW classic you are required to “waste” your time gathering materials for pots and acquiring world buffs in order to participate in a raid group. The above is a game design flaw that was not present back in the days since there was not so much competition around the “top DPS on X raid by X class” etc.
In addition, the above, WoW classic does not provide any other means to gear your character (with Best in Slot items) except Raids, thus making it the only viable path for an end-game character. All of the above, in my point of view are game design flaws and bots would still exist even those were “fixed”.
But let’s focus on your solution “Remove the need for such ridiculous amounts of grinding and you immediately reduce the number of people using bots.”.
Please note that every MMO (Ashes of Creation included) has an economy system and relevant market. In order to remove the bots based on your proposed solution, you will have to make most of the in-game items non-tradable or “very easy to get” thus making the economy system and relevant market non-existent or minimizing the sense of progress since everyone will be able to have their best in slot (BiS) item/cosmetic/ etc.
Since I do not have access to the game I can just reference some of the features that could act as “reasons” for someone to bot for the currency on Ashes of Creation (please not this list is just indicative):
• Player Housing – real estate and relevant character benefits
• Caravans – why would you waste your time if resources have no value?
• Economic node elections – “Economic node governments are able to be bought and sold by citizens with the most money”
I can provide more points and examples if requested.
Hello there,
For starters thank you for your non-constructive feedback and for your concerns regarding the information security assurance level of the firm that employees me.
But since you are probably a security professional (based on the fact that you “know so much about InfoSec”), I will try to reply in a constructive way.
Let’s start with the basics, I did not request the developers of the team behind the game to provide any insights related to the implementation of security controls against bot software but just asked if they will develop such controls and just highlighted some of my concerns related to the effectiveness of some of the techniques used for such security controls.
Since you are a security expert you probably already know that information security is based on frameworks, guidelines and best practices in order to guarantee the effectiveness of the controls securing an information asset or system. An example of a framework is PCI-DSS and OWASP best practices and relevant projects/tools.
Those frameworks, guidelines and best practices are available to the public because there are considered as the most optimal “way” to deploy/configure/implement/develop a security control.
So, developing security controls based on best practices is not something new to information security sector or software development sector.
Based on the above, developers use known techniques in order to develop a security controls even for a game and they just adjust/modify the “detection patterns” and relevant thresholds to their environment (game world).
Please note again that I did not ask the development team to reference any technicalities related to the implementation of those security controls. Thus the intention of this post is to highlight the possible issues that may arise, stress out the importance of the anti-bot solution, provide some ideas that the development team may have not had in mind.
Now let’s discuss about the other part of your reply:
“No developer worth a damn will tell a random chap on the internet about the security measures they put in place.”
Information Security measures refers to the steps taken to eliminate or minimize the risks of information security threats.
I will just reference the first firm coming to my mind (with which you are probably familiar as well) Microsoft. You can easily browse Microsoft’s techcommunity and MSDN in order to verify that they include the security measure adapted on their products and services. Lastly, you could also browse Microsoft’s docs (well yeah, a sample was on my initial post that you did not read right?) that include relevant technicalities about those controls as well.
PS: I did not register on this forum in order to participate in keyboard fights.
Two key statements from Steven that you should be aware of, I can't be bothered getting you links, find them yourself.
The first is that they will not talk about the in game security measures they are planning and/or implementing. At all. With anyone. If you want to know more about them, get a job at Intrepid.
Second, Steven has said he doesn't really care what we think, and will develop the game he wants to develop, whether we like that or not. This means that "keyboard fights" are about all the forums are good for.
There were already some changes because we didnt like some stuff. The newest one was the animation of the fireball skill.
That isn't exactly a material change.
Much like me, when Steven talks about game design he is not talking about some bullshit animation on some spell that isn't even made yet, he is talking about the actual game mechanics.
Well based on your statement you joined the forum in order to become a keyboard warrior then?
I joined this forum because I am a fan of MMO-RPGs and I would like this really promising game to succeed so I can have fun playing a game I like.
I am not really sure why people are hostile to a new member taking his time to write his view and trying to suggest/discuss features about a game in which we will all play.
I was not aware that there was so much toxicity on this forum...
This game will succeed or fail based on Intrepids decisions, not on any input you think you are having.
Keep in mind, while Intrepid is somewhat of an indy developer, this game still has tens of millions of dollars funding it, as well as a combined several centuries of MMO development experience among it's staff.
Make the assumption that they know what they are doing better than you know what they are doing.
So, we should ignore all player feedback and cancel the forums?
Because Intrepid is already on it's path of destiny??
I am 100% sure nobody wants to see bots when Ashes launches.
Therefore, the topic is worthy of discussion ... and I'm sure most will appreciate the OP bringing it up (even with the high likelihood that Intrepid isn't able to disclose their planned anti-botting measures).
As you say, everyone is against bots in MMO's, which means this discussion would essentially be everyone saying the exact same thing - that they don't want bots, and that part of keeping bots out of the game is Intrepid not telling anyone anything about the measures they have to keep them out.
That seems to me to be a discussion that isn't really worth having.
However, even in discussions that absolutely are worth having, that discussion is between us potential players of the game, not between us and the developers of the game.
If you are posting on these forums with the intention of having Intrepid actually listen to you, then yeah, you may as well delete your forum account.
On the other hand, if you want to discuss your hobby with others that share that same hobby, talk about theory both in MMO's in general and more specifically as those theories may pertain to Ashes, and occasionally get involved in a bit of banter based entertainment, then this is probably the best place for you.
I'm not saying get rid of the grind completely, but Classic WoW (the maybe Lineage 2 as well, I don't know I never played it) went to the extreme with the grinding required to raid. We're not even talking optional grinding here either. We're talking, if you want to raid at all, you need to get a certain amount of gold and/or materials each week for raiding. There are few people with the time or inclination to do the amount of grinding legitimately so they resort to buying gold from gold sellers, or using bots themselves to farm the gold/mats.
Most mmorpg players understand and accept a certain amount of grinding, but there comes a time when it is just too much and they can't be bothered, so they cheat. On top of this, once a large chunk of players start using bots, the rest feel forced to use them too just to keep up - "they are doing it, so I might as well do it too"
If someone wants to raid, they should have very little in terms of time requirements other than being online while their guild is raiding. If the developers want raiding to be a time consuming activity, then take up that time with raiding - the thing the players involved actually want to do - rather than other aspects of the game.
This is one of the things I enjoyed the most in EQ2. The people in my guild were able to function perfectly well if they only ever logged on for raids, and literally didn't even play the game outside of those set times (as long as they had done the foundation work of leveling up, have done required quests and such). Sure, raiding itself took longer than it does in many other games - but at least raiding is fun to the people that enjoy raiding.
What this meant is that the bulk of players in the guild would log on outside of raid times simply to have fun and enjoy the game, and their friends.
This kind of design does more to reduce botting in games than any amount of invasive anti-cheat software could ever do.
Best way to fight with that I have seen is just at least mediocre support and effective ban hammer - you don't have to catch them all, just let them know that being caught is pita. Link account with authorized payment or 2FA with cell, and gold sellers just won't bother botting.
Reaching some meaningful level for bot farming will take few weeks, which is already sub fees and time invest, +new phone number cost, +fake payment creds - and the chances to get a payback on this diminishing drastically.
I know - sounds like China, but yet effective : D
Funny, but true!
It always makes me sigh when I see another thread saying: "My feedback for the developers". I don't recall seeing a Staff comment in any of them!
There are quite a few staff responses (mostly Toast, but shes the one who is the connection between devs and community). So its not like these posts arent taken to the devs at all.
She's not a developer or a designer. And just cos she's seeing them doesn't mean they're being passed downwards to the developers or designers. (Yes, downwards, that's right.)
And she does do a great job with us weirdos chatting crap all day, but have a look back through some of the "look at me devs look at me" threads, and see how many have the [Staff] label. It's not worth her time getting involved in those!
Hello,
“There is always toxicity towards people that come on to a game forum and instantly think they are so special that the game could only be made it's best with their input.”
Well actually I did not even provide a solution just wrote my thoughts about a subject and shared it with the community in order to stress out an issue that may arise.
In addition, I am not the one who thinks he is “special” but probably you, since you are so obsessed with the developers replying to a thread.
“Keep in mind, while Intrepid is somewhat of an indy developer, this game still has tens of millions of dollars funding it, as well as a combined several centuries of MMO development experience among it's staff.
Make the assumption that they know what they are doing better than you know what they are doing.”
The only reason that I spent my time writing this thread was because I believe that Intrepid has a great team, I never mentioned the opposite.
On my career in information security, I have provided my consulting and engineering services to public sector, banking sector and enterprise. Let me highlight that most of those clients have billions in net worth and in-house information security departments but still buy consulting and information security services from other firms. But why does this happen?
The answer is straight forward, because it is not their field of expertise (just to clarify antibot solutions for games are not my field of expertise as well but just a hobby I developed and I never claimed I am a Subject Matter Expert).
You can validate the above point by just thinking how many of the games you have played are using third party anti-bot engines such as Easy Anti-Cheat.
So, you can re-read my post about the usage of such third-party anti-bot solutions known issues and why I highlight that a behavior analysis (based on the specific game-world) could be more effective.
I never claimed that I know better than Intrepid, I just wrote my thoughts in order to stress out “a well-known” issue in gaming industry and MMO-RPGs.
Lastly, since you know it all, most of Fortune 500 firms have several bug bounties programs that anyone can participate and present any information security issues identified (mostly technical wise). Or even executives (mostly CISOs) of Fortune 500 firms create open source projects related to information security that anyone can participate and provide their input, you can google about OWASP SAMM or DefectDojo.
Hey,
That is actually the model that blizzard partially follows.
It helps as a preventive measure but mostly applies to individual users that use bots in order to acquire gear and not to people that actually sell the in-game currency or items for real currency.
There are several individuals that provide phone numbers and credit cards (mostly hacked) for some dollars or even cents. Groups that base their income such activities already use such solutions.
Well the part about the “meaningful level to bot” is pretty straight forward and that could be effective if you can identify the high-level bots. The issue is how will you identify those bots.
And how many of those have engaged in public discourse about those measures?
Hello again,
I can read my reply towards user Warth on the same thread.
I'm glad you can read what you've written. I got up to you complaining about non-consteuctive criticism and stopped.
Feel free to answer my question - in your experience, do companies talk about their security procedures in public?