Halo 3 Forum
Subject: Let's have some decent anti-modding/cheating mechanisms in plac...

A Guide to Networking, Matchmaking, and Host in Halo (HBO mirror)

Bungie Friends and Family invitee, and sender of "random emails" about networking.

Cheating will always exist. That's pretty much a given. No matter how well designed and implemented any anti-cheating mechanisms are, someone will find a way to take advantage of it.

But there are ways to severely reduce these advantages.


Bungie are naturally not releasing the details on how Halo 2's anti-cheating code works - and with good reason - but it's fair to say that they're not particularly efficient; all you have to do is take the most recent figure for banned users, and divide it by the number of days the game has been on the market, to see that.

Now don't get me wrong; these are much better than nothing whatsoever, but they could be better.


So let's consider firstly, the main types of cheating out there:

* 1. Modified Content
* 2. Network Manipulation (Standby, Lagging out players, Bridging Host, etc)


Now let's consider what we know about the way Halo 2 deals with these

1. Modified Content

The banhammer detects the modified content quickly (supposedly instantly), and requests a ban via some subsystem that Microsoft/Bungie have developed, locking the gamertag out of matchmaking. The process takes time, presumably due to the way Xbox Live is designed (other bans such as modified Xbox BIOSes are picked up on instantly when you sign in, but it takes time for the xbox in question to be banned).

2. Network Manipulation

Presumably there's an algorithm in the banhammer that tries to watch out for weird networking issues, as well as what occurs during these interruptions (such as scoring a point etc). Bungie also have custom tools and likely additional data from the postgame reports that they can use too. When a cheater is flagged, they're locked out of matchmaking as above.


So what about the efficiency of these?

Well we know that modders are usually dealt within a fairly reasonable timeframe of a few hours, but it's certainly possible for them to play and win a lot of games, and artificially inflate a rank by a lot, before they get banned.

And with the network manipulation ... not so good. When was the last time you saw someone who blatantly standbyed you get banned? For the vast majority, it's probably fair to assume that it was a while ago ... if ever.

So as I say above, they're better than nothing, but there could certainly be better.



Dealing with them

Modified Content is the easiest one to deal with, so let's handle that first.

Clearly the current Halo 2 system isn't fast enough; modders have plenty of time to ruin the experience for people, and boost players up. Now Bungie can't do much about the way Live's banning systems work, so for an instant solution, there's only really one way of doing it; getting the software itself to lock players out of matchmaking.

The solution is in two parts, both relatively simple:

* A. Ensure that modified content is immediately detected, without requiring the content to be loaded up in a game situation
* B. Ensure that a player cannot load modified content, and that there is no time span in which a player may do so.

Part A is simple. Use a strong HASH[1] to verify the files; unlike checksums, it is, to all intents and purposes[2], impossible to modify the file and get the same value. Now verifying the HASH of a large file takes time, but compromising security for speed is a stupid decision. You weaken security because of it, you risk undermining the entire system.

Ok, that's that; we can easily tell when a map is modified. Stopping that content from being used is also reasonably simple.

Part B merely involves getting the software to prevent the map from being loaded. All the software needs to do is prevent any games from being played. That's it. Such a subsystem already exists in Halo 2, it just isn't tied in to modified content. So if the HASH fails, prevent any games from being started/played/joined until the content is fixed. Simple. No modding allowed. QED.



So that's one problem fixed, by applying a little understanding about basic cryptography, ensuring no compromises for speed over security, and by writing in a few subsystems to deal with modified content.



Now Network Manipulation is much much harder to detect. Especially when traffic congestion occurs, connections and packets can drop briefly, connections vary, etc etc. There are lots of variables that can affect a connection, many of them can also fluctuate at any given time.

However, there are still things that the netcode can look out for:

Standby:

When a player standbyes, his xbox cannot communicate with the outside world (i.e. the internet). He can't send any data to client xboxes, and he can't receive any data in return.

Now Clients communicate with the host about 4 times a second. An update cycle is every 250ms. Now when the player standbyes, these can't be sent, and no data is incoming. Now a few cycles might be missed due to network congestion and packetloss, but if 4 or so are missed (1 second's worth of data), then there's either some severe problems with traffic, or the player is cheating.

So what do you do? Attempt to reconnect - if it's problems with traffic, it'll occur pretty much instantly. If the player is standbying, it won't occur for several seconds. And if it doesn't occur for several seconds, merely revert the game back to when the connection was lost, so the standbyer doesn't gain any advantage. Anything he does during that brief window is negated.

Finally, if a connection repeatedly drops, the player's either cheating, or the host isn't good, and neither are desirable. So switch the host to another player.

And if these are feasible, standbying is essentially useless, and it'd get the host switched out, so it couldn't repeatedly occur.



Now Bridging is a completely different thing. Some people have strict NAT settings, and incorrectly configured routers, which means that they can't always connect to people. Problem is, is that any code to catch bridgers would likely get innocent players as well; there's not much that can be done other than giving a player who can't connect to other players the benefit of the doubt. Perhaps scanning to see what % of players he/she cannot connect to (and if it's above an arbitrary value, banning that player), but there's no easy way of discriminating between a bridger and someone with strict settings.

And with lagging players out, it's kind of the same. If a connection is lost between players (and if both players can still connect to live), it could be reported automatically, and monitored. And if a certain amount of connections have been lost, implement a ban.


So there you go. A few relatively simple ideas on how to improve the cheating situation. Modding is completely prevented, and the netcode is improved to drastically reduce the efficiency of standbying, and to swap the host out if problems repeatedly occur. And there's code to detect when the system is being manipulated in more subtle ways.

A long post, I know, so if you managed to read all this, good job. Care to leave some feedback too? ;-)




[1]An example would be the widely used and well known 128-bit MD5 algorithm.

[2] Winhex Manual on Hash Codes (Digests):

Digests

A so-called digest is, similar to a checksum, a characteristic number used for verification of data authenticity. But digests are more than that: digests are strong one-way hash codes.

It is computationally feasible to manipulate any data in such a way that its checksum remains unaffected. Verifying the checksum in such a case would lead to the assumption that the data has not been changed, although it has. Therefore, digests are used instead of checksums if malicious (i.e. not mere random) modifications to the original data are to be detected. It is computationally infeasible to find any data that corresponds to a given digest. It is even computationally infeasible to find two pieces of data that correspond to the same digest.



[Edited on 6/18/2006]

  • 06.18.2006 11:13 PM PDT
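The standby handling proposed in the post above, as an added sketch that is not part of the original post and not Bungie's netcode: a watchdog that counts missed 250 ms updates, tolerates a short outage, rolls back to the last state seen before a long one, and asks for a host switch after repeated drops. The 3-second grace period, the two-drop limit, the `host_score` field and the trace are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

UPDATE_INTERVAL_MS = 250     # from the post: about 4 updates per second
MISSED_LIMIT = 4             # from the post: about 1 second of silence is suspicious
RECONNECT_GRACE_MS = 3000    # assumption: the post only says "several seconds"
DROPS_BEFORE_MIGRATION = 2   # assumption: the post only says "repeatedly"


@dataclass
class StallWatchdog:
    last_heard_ms: int = 0
    last_good_state: dict = field(default_factory=dict)
    stalled_since_ms: Optional[int] = None
    drops: int = 0
    events: list = field(default_factory=list)

    def tick(self, now_ms):
        """Called every update interval in which nothing arrived from the host."""
        missed = (now_ms - self.last_heard_ms) // UPDATE_INTERVAL_MS
        if self.stalled_since_ms is None and missed >= MISSED_LIMIT:
            # Remember when contact was lost; that is the rollback point.
            self.stalled_since_ms = self.last_heard_ms
            self.events.append(("stall", self.last_heard_ms))

    def on_update(self, now_ms, state):
        """Called when a host update arrives; returns the state to accept."""
        if self.stalled_since_ms is not None:
            outage = now_ms - self.stalled_since_ms
            if outage >= RECONNECT_GRACE_MS:
                # Long silence: nothing claimed for the blackout window counts.
                self.drops += 1
                self.events.append(("rollback", self.stalled_since_ms))
                state = dict(self.last_good_state)
                if self.drops >= DROPS_BEFORE_MIGRATION:
                    self.events.append(("migrate_host", now_ms))
            else:
                # Short silence: treat as ordinary congestion.
                self.events.append(("recovered", now_ms))
            self.stalled_since_ms = None
        self.last_heard_ms = now_ms
        self.last_good_state = dict(state)
        return state


def constructed_trace():
    """Constructed host updates as (time_ms, state) pairs, not captured traffic."""
    trace = [(t, {"host_score": 0}) for t in (0, 250, 500)]
    trace += [(t, {"host_score": 0}) for t in (2000, 2250, 2500)]  # 1.5 s of congestion
    trace += [(6000, {"host_score": 1})]    # 3.5 s blackout, host claims a point
    trace += [(t, {"host_score": 0}) for t in (6250, 6500)]
    trace += [(10000, {"host_score": 1})]   # second 3.5 s blackout
    return trace


def replay(arrivals, end_ms):
    """Drive the watchdog over a trace; returns (events, last accepted state)."""
    wd = StallWatchdog()
    pending = dict(arrivals)
    accepted = {}
    for now in range(0, end_ms + 1, UPDATE_INTERVAL_MS):
        if now in pending:
            accepted = wd.on_update(now, pending[now])
        else:
            wd.tick(now)
    return wd.events, accepted


if __name__ == "__main__":
    for event in replay(constructed_trace(), 10000)[0]:
        print(event)
```

The short outage is logged and forgiven, while both long blackouts are rolled back, so the point claimed during each never enters the accepted state.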

I want to start off by applauding you for taking time to post this, because rarely is there anyone out there who can interpret the situation as rationally as this.


Addressing your proposal towards using "software" to moderate modified content, is of course effective by theory alone, but I must disagree on the grounds of the similar activities of your proposed "software" to that of a malware.

What you should know already is that Bungie already implements a code that checks certain parts of signed files. You already know that the banhammer file flags this and sends it off to B.net for review, however the question is that could they implement a more effective method?

In truth with accordance to Xbox Live's disclaimers that they may take information from your xbox without your consent. That is where the line ends. If you wish, you can confirm this by visiting xbox.com and seeing for yourself.
Your method asks for a "moderator software" to control the user's actions from the box and therefore filtering the strain of "hackers", however this is not a case of competency, but a case of the scope of the disclaimer. I stated earlier that your software bounds with malware for 2 reasons.

1. It executes itself.
2. The user has no control over the actions.

This is what we define as "malware" - comes in other forms as well such as Viruses, Worms, Trojans, Spyware, Macros, and such. I'm sure you understand the potentials and the risks now and why Bungie can't do this freely, I reiterate the Xbox Live Disclaimer.

The controversial issue here is the scope of the disclaimer. Firstly the disclaimer can only access data regarding the box and retrieve data relating to the subject. An example of this is Xbox Live's attempt at identifying modded xboxs. It does this by simply scanning the C Drive for the msdash.xbe file, and if it's not present along with the proper registers then it can be easily flagged as modded and the data is sent to Xbox Live for review in which the XBL Team would ban you from XBL, not the XBL Dash inside your box, but the Team.

This process mirrors the steps Bungie has taken to identify modified content. The Auto-Update (the specified file will not be mentioned) checks the E Drive for the downloaded maps.

~Beyond here is my own speculation, so don't hold this against me~

The AU comes with its own set of metadata that reflects unmodified data of the maps and matches that with the data of the maps. Then if the maps turn up different, then the AU recognizes this and flags the GamerTag and sends it off to B.net for review. Bungie bans you from Matchmaking, not the AU. I could think of other ways they check for modified content since the last one seems far-fetched by checking the encryptomatic signatures of the maps and matching that. Either way, the maps are matched for accuracy that I'm certain, but then again. The Signature algorithm is the same right? So technically local sources can duplicate that. Who knows?

~End Speculation~

In Analysis, the methods Bungie has taken to filter out the hackers from Matchmaking is within the scope of the Xbox Live Disclaimer. To add software that would act on its own is beyond the scope and thus, illegal.


For network manipulations such as Standby Button, and Bridging. Well - you covered most of it so I'm not objecting much. If you compare the loss/dropped packets, you can easily tell Standby Button activities and Lagging Host activities. Bridging is well...as you said it another story. I don't know much about abusing routers for that, but from Bungie's POV, the most they can do is monitor the flow of traffic (if they can get that info). It's not like they can tap the router and log the flow of ports, because a sure fact is that the designated packets are signed and encrypted, so I suppose Bungie can at least tell the flow of traffic from the transfer of packets from one user, to the host, to another user. I mean it's not like there's no checksums at time intervals.

I think the bottleneck for catching "Bridgers" is "privacy"

[Edited on 6/19/2006]

  • 06.18.2006 11:39 PM PDT

Great work, I have friends who cheat using the methods you listed.. and it sucks but I can't control what they want to do and I'm not going to stop being their friend because of it, the reason why they do it was because it was done to them.

To stop all of this happening Bungie just need to add "dedicated servers" to the game that would make Bungie the host of every game or no one host at all, and with no Host how can host be manipulated to bridge and Team standby? Problem is I understand dedicated servers cost a bit.. I personally wouldn't mind paying a little extra on the price of Halo 3 to get dedicated servers even though I have already paid for Xbox Live and should get good quality gaming.

  • 06.18.2006 11:56 PM PDT

It is efficient, it is just that they modified the HDD files to work that way...it was perfectly efficient. Why are you all so worried, no one has found a way to successfully put hacked content on a 360 anyways, they have made straight copies, which is all the firmware hack will do, but no modified games. They haven't been able to hack the HDD either, as that also has MASSIVE locks both hardware and server side. Extremely good xbox hackers have said that you probably won't see anything other than a firmware hack, and that can be flashed and have integrity tests used on it via xbox live. I don't think Cheating will be an issue.

Now let's say they do find a way to use modified content, it won't be hard to patch the game to work against it, this is next generation, it can be done much easier. A way you could do it, but would cause huge lag, is doing an integrity test against a straight copy of whatever content is trying to be used via the bungie and xbox live servers. You can't really prevent stand by, although, they can see that it is going on, which is why they have banned many people over it. Personally, I don't think we have anything to really worry about.

Also, it is nice to see that someone else who is posting it knows at least what they are talking about. Chances are though, that bungie has thought of all this already, they have world class network technicians at their disposal, so that is why I am not worried.

[Edited on 6/19/2006]

  • 06.19.2006 12:03 AM PDT

Being cool is a fulltime job...

good post, I can't say I understood some of the technical talk, but... good post! :)

  • 06.19.2006 12:04 AM PDT

Posted by: Optic Deception
It is efficient, it is just that they modified the HDD files to work that way...it was perfectly efficient. Why are you all so worried, no one has found a way to successfully put hacked content on a 360 anyways, they have made straight copies, which is all the firmware hack will do, but no modified games. They haven't been able to hack the HDD either, as that also has MASSIVE locks.


Actually....if you wanna get in depth the X360 HD isn't locked. It never had a lock to begin with. The only way you can lock an HD is to assign it a code that can only be unlocked with a special code, the Xbox HD's worked out fine because each HD could only be used on its designated Xbox: Thank the EEPROM for that. But the X360 HD is sold separately, so how is it possible to lock it and have the X360 recognize it and unlock it? Quite possibly that in theory is reasonable if the X360 could do that, but the risk that runs with it is if the algorithm is discovered then potentially all X360 HD's can be hacked with no effort, and I'm sure MS won't like that. Also....

Posted by: Optic Deception
Personally, I don't think we have anything to really worry about.


One word >

Devil360

  • 06.19.2006 12:11 AM PDT

Devil360 is obviously fake, even team xecuter signed them off saying it is obviously fake, they can't even keep a professional website. Also, content on the HDD is locked, it is all in .db files if you even wanna modify music, and last I checked, you can't get the .db files off, as well as the other content that is what I meant by locked, and the information on the content, is also stored in the .db files. I know what I am talking about, and I ain't saying it is fully locked, but in reality, the content is locked down, just not with the HDD Keys and the locks you were used to in the last generation. Devil360 is fake either way, I have talked to Bunnie, he has even said he very much so doubts that it is real. If it was real, it isn't hard to do integrity tests on the content, a modchip wouldn't bypass serverside code, that is why you couldn't get online while having a modchip turned on in the last generation. Also, if they want to modify the content on the harddrive, it isn't hard to put the same signatures on that, if they do break it, it isn't hard to do integrity tests on it to ban them if the integrity proves wrong...they won't make an undetectable one, because they can't control the serverside stuff microsoft and bungie has, at the very least they could disable the console from connecting to live while the modchip is turned on. Thank you.

I would also like to add on, that the reason people can cheat in halo now is one reason. It is because they have either modified cache files or modified .map files from the expansion maps. Now the reason they can do this, is because there aren't integrity tests in place on the content, it would be hard to update, as Microsoft has said before in regards of the original xbox. It doesn't matter what you do to the hardware or software, the integrity test will always be there, and it will be there to ban if you fail it, and I don't think you will change the serverside code or core file anytime. I think Halo 3 will probably use this function, crippling cheating, really all there is to worry about is stand by and glitching. Feedback, and Bungie being able to tell if there is a stand by will fix this.

Now you may be saying, well if you have a modchip, you can get online because it will be burned on a disk. This is incorrect as well, the reason being is that the signature will still remain broken, and xbox live can detect that, it currently does, that is why the firmware hack is the way it is now, it is because it can't run broken signatures. So even if they do boot hacked content off a disk, they won't be able to connect to live, they would be banned because it would see the modchip, and the broken signature. Just because no modchips are out yet, doesn't mean xbox live doesn't have security.

[Edited on 6/19/2006]

  • 06.19.2006 12:41 AM PDT

I'm in the US Air Force stationed in Alaska. I've been chillin on bnet for nearly 5 years now.

A little bit extra? How about quadrupling the price of Xbox Live.

  • 06.19.2006 1:33 AM PDT

Leave it up to Bungie. Once you get into anti-cheating discussion, people start to personify their xbox and try to make it sound easy.

Ex: Make a program that looks at all their codes and stuff and if it's different ban him.

Then you reply with:


Holy **** Batman, you've done it! You have found the solution to all cheating on xbox live, someone give this guy a medal.

My point being, the only people that can come up with real solutions, are the people making the game.

  • 06.19.2006 6:30 AM PDT

A Guide to Networking, Matchmaking, and Host in Halo (HBO mirror)

Bungie Friends and Family invitee, and sender of "random emails" about networking.

Leave it up to Bungie. Once you get into anti-cheating discussion, people start to personify their xbox and try to make it sound easy.

Naturally Bungie will know what can and can't be done with their code, but the fact is that attempting to verify the maps by means of a signature is insecure and is easily broken; evident from the fact that within a few weeks of the game coming out, the map format had already been cracked and partially reverse-engineered. If they actually used a secure method such as a HASH, which can't be spoofed to give the correct value, maps would be secure.

Ex: Make a program that looks at all their codes and stuff and if it's different ban him.

Most of these kinds of suggestions are completely unrealistic, and are written with very little knowledge of the current system, and with little to no knowledge of important components of security and netcode.

My point being, the only people that can come up with real solutions, are the people making the game.

I'd have thought so too, but the fact that the solutions they came up with (using a map signature is again the best example here) aren't particularly good makes me wonder.

Addressing your proposal towards using "software" to moderate modified content, is of course effective by theory alone, but I must disagree on the grounds of the similar activities of your proposed "software" to that of a malware.

What you should know already is that Bungie already implements a code that checks certain parts of signed files. You already know that the banhammer file flags this and sends it off to B.net for review, however the question is that could they implement a more effective method?

In truth with accordance to Xbox Live's disclaimers that they may take information from your xbox without your consent. That is where the line ends. If you wish, you can confirm this by visiting xbox.com and seeing for yourself.
Your method asks for a "moderator software" to control the user's actions from the box and therefore filtering the strain of "hackers", however this is not a case of competency, but a case of the scope of the disclaimer. I stated earlier that your software bounds with malware for 2 reasons.


Firstly the method I propose of locking a player out of matchmaking/online play via software wouldn't necessarily need to send details off to be effective; the only thing it needs to do is prevent a player from playing.

Secondly, I believe that the XBL ToU states that the ToS can be changed at any time, and by modifying the content you don't have a leg to stand on there.

Thirdly, the software would utilise the xbox live service and thus be able to collect information about your xbox and the data contained on it and send it off to Microsoft.

Fourthly the notion that software preventing modified content from being used is illegal is just stupid ... like writing a piece of software and saying that it's illegal to prevent it from being reverse engineered.

Final point, the additional effectiveness comes from the fact that such blocking (in the same way that unsigned content won't load) happens instantly, and there's no wait for it to take effect. As well as the fact that it doesn't require a third party (such as Bungie) to take action. The maps are also more secure (hence more effective) because it uses a good security method.

  • 06.19.2006 8:48 AM PDT
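An added illustration of the checksum-versus-digest argument and the "block before anything loads" gate described in the post above; it is not code from the thread or from Bungie. It uses SHA-256 rather than the MD5 named in the first post's footnote, since MD5 collisions have been practical since 2004. The file names, map contents and the idea that the manifest ships inside the signed game executable are assumptions made for the example.

```python
import hashlib
import hmac
import os
import tempfile


class ModifiedContent(Exception):
    """Raised instead of returning bytes that do not match the manifest."""


def additive_checksum(data: bytes) -> int:
    # The weak kind of check the post contrasts with a digest.
    return sum(data) & 0xFFFFFFFF


def load_verified(path: str, manifest: dict) -> bytes:
    """Return the file's bytes only if their SHA-256 matches the manifest."""
    name = os.path.basename(path)
    expected = manifest.get(name)
    if expected is None:
        raise ModifiedContent(f"{name}: not in manifest")  # unknown file: fail closed
    with open(path, "rb") as fh:
        data = fh.read()
    # Hash the very buffer that is handed to the loader, so the file cannot be
    # swapped on disk between the check and the use (part B in the first post).
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ModifiedContent(f"{name}: digest mismatch")
    return data


def matchmaking_gate(content_dir: str, manifest: dict):
    """Return (allowed, failures); a single failure blocks online play."""
    failures = []
    for name in sorted(os.listdir(content_dir)):
        try:
            load_verified(os.path.join(content_dir, name), manifest)
        except ModifiedContent as exc:
            failures.append(str(exc))
    return (not failures, failures)


def demo():
    # Constructed map contents; the manifest is assumed to be trusted
    # (for instance shipped inside the signed executable).
    originals = {
        "alpha.map": b"MAPDATA-alpha" * 100,
        "beta.map": b"MAPDATA-beta" * 100,
    }
    manifest = {n: hashlib.sha256(d).hexdigest() for n, d in originals.items()}

    with tempfile.TemporaryDirectory() as content_dir:
        for name, data in originals.items():
            with open(os.path.join(content_dir, name), "wb") as fh:
                fh.write(data)
        clean_allowed, _ = matchmaking_gate(content_dir, manifest)

        # Change two bytes so that the additive checksum stays the same.
        patched = bytearray(originals["beta.map"])
        patched[0] += 1
        patched[1] -= 1
        with open(os.path.join(content_dir, "beta.map"), "wb") as fh:
            fh.write(patched)
        tampered_allowed, failures = matchmaking_gate(content_dir, manifest)

    return {
        "clean_allowed": clean_allowed,
        "tampered_allowed": tampered_allowed,
        "failures": failures,
        "checksum_unchanged": additive_checksum(bytes(patched))
        == additive_checksum(originals["beta.map"]),
    }


if __name__ == "__main__":
    print(demo())
```

The two-byte change leaves the additive checksum untouched but fails the digest comparison, and the gate refuses play without involving any server.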

Posted by: Optic Deception
Devil360 is obviously fake, even team xecuter signed them off saying it is obviously fake, they can't even keep a professional website. Also, content on the HDD is locked, it is all in .db files if you even wanna modify music, and last I checked, you can't get the .db files off, as well as the other content that is what I meant by locked, and the information on the content, is also stored in the .db files. I know what I am talking about, and I ain't saying it is fully locked, but in reality, the content is locked down, just not with the HDD Keys and the locks you were used to in the last generation. Devil360 is fake either way, I have talked to Bunnie, he has even said he very much so doubts that it is real. If it was real, it isn't hard to do integrity tests on the content, a modchip wouldn't bypass serverside code, that is why you couldn't get online while having a modchip turned on in the last generation. Also, if they want to modify the content on the harddrive, it isn't hard to put the same signatures on that, if they do break it, it isn't hard to do integrity tests on it to ban them if the integrity proves wrong...they won't make an undetectable one, because they can't control the serverside stuff microsoft and bungie has, at the very least they could disable the console from connecting to live while the modchip is turned on. Thank you.

I would also like to add on, that the reason people can cheat in halo now is one reason. It is because they have either modified cache files or modified .map files from the expansion maps. Now the reason they can do this, is because there aren't integrity tests in place on the content, it would be hard to update, as Microsoft has said before in regards of the original xbox. It doesn't matter what you do to the hardware or software, the integrity test will always be there, and it will be there to ban if you fail it, and I don't think you will change the serverside code or core file anytime. I think Halo 3 will probably use this function, crippling cheating, really all there is to worry about is stand by and glitching. Feedback, and Bungie being able to tell if there is a stand by will fix this.

Now you may be saying, well if you have a modchip, you can get online because it will be burned on a disk. This is incorrect as well, the reason being is that the signature will still remain broken, and xbox live can detect that, it currently does, that is why the firmware hack is the way it is now, it is because it can't run broken signatures. So even if they do boot hacked content off a disk, they won't be able to connect to live, they would be banned because it would see the modchip, and the broken signature. Just because no modchips are out yet, doesn't mean xbox live doesn't have security.


Who knows if the Devil360 is fake, I'm trying to keep hopes up after that last scam by I.C.E.. Who knows for sure? I'll just leave that issue alone.

Being with the firmware hack, it's highly doubtful that anyone can get away on live with that for the obvious reason of what you stated also. MS can just patch that or order a failsafe. I wonder if MS could just update the sigs on the firmware each time one logs into live. Then that'd solve the problems.

The 360 is in a good position right now because the Dashboard can't be modded for now, and usually that's how hackers cheat by softmodding and just FTP'ing the files to their HDD. If Halo 3 were to be released right now, then the cheating would be close to zero.

I'm wondering whether or not Bungie will use encryptomatic signatures to protect their files now, or they'll think of some other solution. Frankly, I hope they just leave it be and let the maps be accessible to us because well....I like having the Gravity Throne in MP and Asteroids falling from the sky in Ascension.

I would figure now that the new XBL or "updated" whatever could do more. But you gotta respect the end-user's privacy.

[Edited on 6/19/2006]

  • 06.19.2006 8:51 AM PDT

Posted by: One One Seven
Firstly the method I propose of locking a player out of matchmaking/online play via software wouldn't necessarily need to send details off to be effective; the only thing it needs to do is prevent a player from playing.


Well, my point still stands, the software is being used to "intentionally" prevent the player with modified content from signing on. The fact that unsigned maps can't be booted is a "coincidence" because the user broke the connection, and now it doesn't work. It's like cutting the water hose and expecting the water to run straight through. It doesn't and is completely unexpected to the user, sure Bungie may have "anticipated" that, but that's a stop error that prevents the user from loading unsigned maps.


Posted by: One One Seven
Secondly, I believe that the XBL ToU states that the ToS can be changed at any time, and by modifying the content you don't have a leg to stand on there.


Also I believe that even if someone has broken the XBL ToU by having modified content doesn't mean the user has forfeited all their rights to the service. They still have the right to privacy and fair use of the service. Just as a terrorist would still be entitled their constitutional rights no matter what. Sure the case for appeal may be slim, but they still have those rights.

Posted by: One One Seven
Thirdly, the software would utilise the xbox live service and thus be able to collect information about your xbox and the data contained on it and send it off to Microsoft.


I suppose XBL can do that, but that wouldn't be very different from their methods now, they still check HASH's and they check Xbox Kernels for "info". I don't think XBL would give a hand to Bungie in their anti-cheater crusade. The only thing XBL has done to prevent cheaters is the feed-back system and even that is flawed to a point. XBL has to get paid for their services too. Bungie with its limited rights can only ask and send info, not install a ware on your box that does it for them. If Bungie could do that, then why would they have the AU send the info off to the banhammer wait for review, when they could simply install the banhammer onto everyone's xbox and ban them house-warming'ly (I know that's not a word :) ) But again, that's violation of the user's privacy.

Posted by: One One Seven
Fourthly the notion that software preventing modified content from being used is illegal is just stupid ... like writing a piece of software and saying that it's illegal to prevent it from being reverse engineered.


I guess, but you never know the wonders of programmers these days. Also, corporations have patents that prevent products and softwares from being reverse engineered. Take Intel and AMD for example. Remember the Pentium III when it was in that thick black box? I'm sure you remember the issue there.

Posted by: One One Seven
Final point, the additional effectiveness comes from the fact that such blocking (in the same way that unsigned content won't load) happens instantly, and there's no wait for it to take effect. As well as the fact that it doesn't require a third party (such as Bungie) to take action. The maps are also more secure (hence more effective) because it uses a good security method.


The reason signatures work is because the user broke the signature and doesn't work. It's like breaking an xbox and expecting it to break. You break the process and it doesn't follow through. You know that would be a far more effective method than simply having moderator software to check the maps. If it could be perfected then the maps would be very well protected coincidentally, but then again if Bungie did that then I can't mod my maps anymore and that would be a shame.

P.S. - What time is it in UK?

[Edited on 6/19/2006]

  • 06.19.2006 9:09 AM PDT