Authoritative server security?
I am trying to build a networked game with an authoritative server.
The problem is that currently I don't see how you could stop a client from instantiating objects and calling RPCs. So any client can basically screw up the server and the other clients without any restriction.
Is there a solution? Is it normal that we have nothing to prevent this, while all communications are supposed to pass through the server anyway?
Answer by 03gramat · Jan 15, 2015 at 02:13 PM
Here's a great tutorial on creating a basic authoritative server:
Answer by bugmagnet · Jan 15, 2015 at 04:19 PM
The solution is simple:
In the RPC check whether you are the server or the client. In calls where it is only the server who should be allowed to operate, simply return if the code is running on the client:
    using UnityEngine;

    // Legacy Unity networking: Network.isServer / Network.isClient report
    // which side the code is currently running on.
    public class ServerOnlyExample : MonoBehaviour
    {
        [RPC]
        public void myServerOnlyMethod()
        {
            if (Network.isServer)
            {
                //do a server only thing
            }
        }

        [RPC]
        public void myClientOnlyMethod()
        {
            if (Network.isClient)
            {
                //do a client only thing
            }
        }
    }
Hello and thanks for taking time to answer.
I think you do not understand the security issue and you're being off topic. The problem is not to distinguish whether you're the server or the client, nor to stop the client from executing server-side RPCs. Currently nothing prevents a malicious client from creating and destroying network objects, or from impersonating the server by calling client-side RPCs. I'm also convinced that if you go deeper into the protocol design you will see that, as a client, you can do pretty much what you want on other clients and on the server.
Remember this key phrase in security: never trust user's input.
Well, my comment is assuming that you don't use any of the fancy auto-gameobject features that Unity gives you. They are all poison imo. Just do straight up old school RPCs and data streaming and you will have total control.
You don't use them, but that doesn't mean a malicious client won't use them. AFAIK I've not seen any flag to disable those features. But yes, I agree with you, they're poison.
Well, I think there's at least 2 ways to keep that from happening:
1) they can't use them if they can't connect. If you put some kind of connection auth process it would be quite difficult to replicate it except for experts.
2) even if the attacker is able to instantiate something on the server, that 'thing' would be perfectly useless if you apply my original suggestion, or even something like: if (!networkView.isMine) Destroy(this);
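Putting the three ideas from this thread together (RPCs only take effect on the server, the server checks who actually sent a request, and objects the server did not spawn are destroyed) gives something like the following. This is an added example written for this page, not code from any of the posters or from Unity; it targets Unity's legacy networking API of the time (NetworkView, NetworkMessageInfo, Network.isServer). The class name, the assignedPlayer and serverPlayer fields, and the movement bound are assumptions chosen for the example, and the spawn/handshake code that fills those fields is not shown.

```csharp
using UnityEngine;

// Added example: a server-authoritative player object for Unity's legacy networking.
// Every client message is treated as a request that the server validates, never as a
// command, and clients in turn refuse "server" messages from anyone but the server.
public class AuthoritativePlayer : MonoBehaviour
{
    // Assumed to be set by the server when it spawns this object for a connecting
    // client (the spawn code is not part of this example).
    public NetworkPlayer assignedPlayer;

    // Assumed to be recorded on the client from the sender of the server's first
    // handshake RPC after OnConnectedToServer.
    public NetworkPlayer serverPlayer;

    // Largest movement one request may claim (constructed bound for the example).
    public float maxStepPerRequest = 2.0f;

    void Start()
    {
        // Same idea as the comment's "if (!networkView.isMine) Destroy(this)": in an
        // authoritative design the server owns every network object, so an object the
        // server did not instantiate must have been injected by a client.
        if (Network.isServer && !networkView.isMine)
        {
            Debug.LogWarning("Removing object not spawned by the server, owner " + networkView.owner);
            Network.RemoveRPCs(networkView.viewID);
            Network.Destroy(gameObject);
        }
    }

    // Client -> server. The trailing NetworkMessageInfo parameter is filled in by Unity
    // and tells the server who really sent the message, whatever the payload claims.
    [RPC]
    void RequestMove(Vector3 target, NetworkMessageInfo info)
    {
        // Only the server processes requests.
        if (!Network.isServer) return;

        // The sender must be the client this object was assigned to; anyone else is
        // trying to drive another player's object.
        if (info.sender != assignedPlayer)
        {
            Debug.LogWarning("Rejected RequestMove from " + info.sender +
                             " for object assigned to " + assignedPlayer);
            return;
        }

        // Validate the request against the server's own state before applying it,
        // clamping instead of trusting the client's number.
        Vector3 delta = target - transform.position;
        if (delta.magnitude > maxStepPerRequest)
        {
            delta = delta.normalized * maxStepPerRequest;
        }
        transform.position += delta;

        // The server's state is the truth; push it to every client.
        networkView.RPC("ApplyState", RPCMode.Others, transform.position);
    }

    // Server -> clients. A malicious client can call this RPC as well, so the receiver
    // checks that the message actually came from the server before applying it.
    [RPC]
    void ApplyState(Vector3 position, NetworkMessageInfo info)
    {
        if (Network.isServer) return;   // the server never takes state from anyone
        if (info.sender != serverPlayer)
        {
            Debug.LogWarning("Ignored ApplyState from non-server peer " + info.sender);
            return;
        }
        transform.position = position;
    }
}
```

The important property is that nothing a client sends changes state directly: RequestMove is a request the server checks against the sender's identity and its own simulation, and ApplyState is only honoured when it comes from the server. Connection authentication, as suggested in point 1), sits in front of all of this and is not shown here.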