from Hacker News

We outsmarted CSGO cheaters with IdentityLogger

by mobeigi on 10/16/24, 6:18 PM with 352 comments

  • by snarfy on 10/16/24, 7:21 PM

    For UT2004, you can ban by player GUID (a hash of the CD key) or IP. With the game abandoned by Epic, a number of key generators have cropped up, which makes GUID bans useless. IP bans only go so far with VPNs costing $2 these days.

    The main solutions we have today are IP ban + VPN blocking using a database of known VPN subnets and adding them all to the firewall, and a similar fingerprinting technique which scans their folder structure of certain system folders.

  • by voytec on 10/16/24, 7:10 PM

    Kudos to the author for using RFC5737[0] TEST-NET-2 address for:

    > An example of an IPv4 IP address is 198.51.100.1.

    [0] https://www.rfc-editor.org/rfc/rfc5737

  • by ZeroCool2u on 10/16/24, 7:08 PM

    Server side only anti-cheat is one of the problem domains that I'd really love to work on at some point in my career. This is the type of adversarial arms race that just seems really fun to think long and hard about.

  • by mobeigi on 10/16/24, 8:27 PM

    If the website is down or slow and you want to read the article, here is a full page screenshot of the post: https://i.imgur.com/SPp6IHX.jpeg

    Sorry :'( I didn't expect the post to get this much traffic.

  • by leetbulb on 10/16/24, 7:21 PM

    This isn't about stopping cheaters (cheat detection). This is about stopping repeat cheaters trying to ban evade. Detecting cheats, especially nowadays with hardware cheats (DMA, etc), is an entirely different ballgame.

    IMHO, one of the most effective way to stop ban evaders is to actually charge money for the game.

  • by animal531 on 10/17/24, 11:58 AM

    Players from big countries often miss out on the sense of community that exist in smaller ones. When there are only 3-4 servers worth of people playing a game every day you quickly come to know them all, which really adds to the banter and sense of enjoyment.

  • by beeboobaa3 on 10/16/24, 7:10 PM

    > If a player joins with a different Steam ID but with an IP address that is already banned, the system now re-bans them

    This works great until you realize you're punishing innocent players because of CGNAT and IP addresses getting rotated. Cheaters usually know how to get their router to request a new IP address. That IP address then gets assigned to someone else later.

  • by codefined on 10/16/24, 8:32 PM

    > I only shared the solution and technique with one other server operator I fully trusted based in the UK

    I think that was us! We ended up combining it with other fingerprinting indicators, but the whole 'use VGUI' was a surprisingly effective way at handling this. I believe they removed the web browser in ~2018, which was disappointing. Being able to have custom skill trees / fun integrations with servers was really powerful!

  • by precommunicator on 10/17/24, 7:07 AM

    > but the traffic itself was encrypted over HTTPS. This meant that even if one were to use a packet sniffing tool like Wireshark, you would not be able to find the raw token.

    It's trivial to decrypt HTTPS with tools like Fiddler or Burp Suite, assuming this build in browser used system proxy and system certificates list.

  • by latexr on 10/16/24, 7:16 PM

    > The best part was that no one knew how we were able to do this and our admin team kept the implementation a top secret. We should have filed a patent!

    I know you’re joking, but if you had filed a patent you would have had to reveal the trick, thus rendering it immediately useless.

    Doesn’t detract at all from your post. Fun read.

  • by LinuxAmbulance on 10/16/24, 7:16 PM

    Excellent write up and solution. Cheating in video games makes for a wretched experience for those who don't cheat.

    It's crazy how rampant cheating in multiplayer games, especially competitive ones has gotten. Ten years ago, I thought it was at an extreme, but it's only gone up since then.

    Part of the problem is that for some software developers, writing cheats brings in a massive amount of money.

    So instead of some teenager messing around making unsophisticated cheats, you have some devs that are far better at writing cheats than game developers are at preventing them.

    It doesn't help that game devs have to secure everything, everywhere, but cheat devs only have to find a single flaw.

  • by santialbo on 10/17/24, 7:23 AM

    Banning new Steam IDs on banned IPs seems too strict to me. Some ISP use CG-NAT or rotate IPs, meaning a single bad actor could harm many innocent players.

  • by rldjbpin on 10/17/24, 9:51 AM

    respect the ingenuity of the solution and how well it did.

    although it has to be said that we are better off without having vgui in the first place.

    this kind of sneaky tracking is so widespread today on the Web that it is nearly impossible to be bothered with evading it. whether it is the "wideport" or what extensions you use, you might as well use tails to surf the internet at that rate.

    but using a logical fallacy, to exploit for the better good does seem appealing.

  • by therein on 10/16/24, 7:06 PM

    I am surprised VGUI browser shares cookies across Steam accounts. When I log out of my Steam account, switch to another one, launch the same game, I would have expected an entirely different datastore to be used for the VGUI browser.

  • by DanielHB on 10/17/24, 1:31 PM

    I want to share a story in a somewhat related topic:

    anti web-scraping techniques

    The most devious version I ever seen of this, I was baffled, astonished and completely helpless:

    This website I was trying to scrap generated a new font (as in a .woff file) on every request, the font had the position of the letters randomly moved around (for example, the 'J' would be in place of the 'F' character in the .woff and so on) and the text produced by the website would be encoded to match that specific font.

    So every time you loaded the website you got a completely different font with a completely different text, but for the user the text would look fine because the font mapped it to the original characters. If you tried to copy-and-paste the text from the website you would get some random garbled text.

    The only way I could think of to scrap that would have been to OCR the .woff font files, but OCR could easily prevent mass-scraping due to sheer processing costs.

  • by pingec on 10/17/24, 4:07 AM

    The idea of client-side "cookies" existed even before CS:GO. I remember in CS:S the server was able to change game variables set on the client. I wrote a script for a CS:S server that would fingerprint a cheater by setting an obscure game variable to a unique value and so being able to identify the player through that even if they had a different steam id and ip. It seemed to work well for a long time for getting rid of the most common cheaters but of course the most commited and capable ones with RE skills will always be ahead of the game.

  • by Omni5cience on 10/17/24, 1:16 AM

  • by avree on 10/16/24, 8:09 PM

    This link is 404ing for me. Anyone else?

  • by xyst on 10/17/24, 3:57 AM

    So adtech tracking techniques also work for fingerprinting ban evaders. Go figure.

  • by mlok on 10/17/24, 9:08 AM

    What about some sort of shadowbanning ? Or "shadowsegregating" : I mean if you detect and group cheaters so that they play with other cheaters ? Leaving normal players alone ? (I am not a player, I don't know how these multiplayer games work, I'm just wondering)

  • by Giorgi on 10/16/24, 7:05 PM

    Thinking about it, steam should force this on every game developer that has cheating problem (I am assuming mainly shooters), maybe implemented better fingerprinting way, giving developers options to hide cookies somewhere in folders of their choosing.

  • by jeemusu on 10/17/24, 10:56 AM

    It feels like cheating as become endemic, every game I've played online in the last 2-3 years seems to be rampant with cheating. I don't remember it being this big of an issue 5-10 years ago, or maybe I was just ignorant to it? It's at the point now where I run into cheaters frequently enough that I find it hard to justify investing time into multiplayer games anymore.

    I can only assume the recent uptick is due to games adding tradable cosmetic items which has made it financially viable to cheat as most cheaters seem happy to drop a lot of money on cheats as well as $80 to re-buy a game once they eventually get banned.

  • by Joel_Mckay on 10/16/24, 7:43 PM

    In general, hardware/GPU/MAC signature hash checks are the only consistent way to bind player account histories, and even then cheats will change their identity with new hardware on fake postal addresses. Best to add a few weeks delay with "reviewing" ban status to prevent them returning hardware to retailers. Each day randomly permute which hardware signature trips the auto-re-ban after a random number of minutes.

    Cheaters ruin the fun for everyone including themselves. Admins need to provide a personal cost deterrent for problem users, and randomly hang the game for people using code mods.

    Let the ban hammer fall =3

  • by ultimafan on 10/16/24, 8:07 PM

    Cheating in online games is a scourge and I really don't understand why people do it. It's one person selfishly getting a "win" at the expense of ~60 other people in that match having their time, pleasure, potentially money absolutely wasted.

    I think even more infuriating than blatant hacking is this epidemic of "micro cheating" for lack of a better way to put it that I've seen prevalent in some games that just boost some stats or reactions by amounts large enough to help the cheater but low enough where new or inexperienced players have absolutely no way of telling if someone is cheating or genuinely good especially in games with high skill ceilings. At least when it's blatant you can leave without time wasted but when they're doing it subtly you end up getting tilted and spending the whole match with a bad taste in your mouth second guessing if someone is actually playing fair or not. Chivalry 2 is a really bad offender for this, once you notice it you can't unnotice it anymore, almost every match will have at least one guy with his swing/move speed adjusted by ~10% and in a game where swing manipulation is a legitimate mechanic it can be borderline impossible to catch someone out on it unless you're really paying attention.

  • by lesuorac on 10/17/24, 12:49 PM

    Perhaps not applicable to a hidden web browser in counter strike but for public webpages you can apply the same fingerprint technique and only include the payload on _some_ page loads for non-fingerprinted users.

    Has a very nice advantage of if they go looking for fingerprinting they may or may not find it by random chance. It is security through obscurity but by making the bar higher for ban evasion you did actually remove a lot of people.

  • by ycombinatrix on 10/16/24, 7:18 PM

    >We Outsmarted CSGO Cheaters by Exploiting the Client

    Fixed

  • by kurtoid on 10/17/24, 3:50 PM

    I know there's a steam client setting now to clear the data of the overlay browser (either on exit, or manually? Can't remember) - does that affect the VGUI browser?

    I don't know about CS, but TF2 has the ability to disable server MOTDs - how does that affect this?

  • by spyder on 10/17/24, 5:00 AM

    At the part were he writes about the human analysis of game data, I thought the article would end up with training an AI or just statistical analysis on that data to identify players. That would have been a little more interesting (but harder to do) than exploiting the game.

  • by kjkjadksj on 10/16/24, 10:13 PM

    Couldn’t you stop cheaters by just looking at how their telemetry metrics are different from the baseline? If you get to a point where the cheater has to cheat to only be as good as a median player in the lobby in order to evade detection, you’ve effectively neutered it.

  • by rampajar on 10/17/24, 11:32 AM

    I always felt that valve didn't go far enough to prosecute cheaters (back in the day). I wonder if there are metrics out there for how effective methods like Overwatch actually were.

  • by robertlagrant on 10/17/24, 10:21 AM

    Would it be worth charging for CSGO? Or Counter-Strike 2, whatever the latest is? Because being banned by Steam ID might mean something if you have to pay $10 each time for the privilege.

  • by stevefan1999 on 10/17/24, 3:25 PM

    > I'm not being funny and I mean no disrespect.

    > But cheaters are cunts. They're cunts now, they've always been cunts.

    > And the only thing that's going to change is they're going to become bigger cunts.

    > Maybe have some more cunt kids.

    That statement is really shows how big of a dick you are, like come on man, it's just a game. Without learning game cheats and writing trojans and botnets since 14, although I'm kind of clean now, I wouldn't have mastered C++, C# and Java together and later get deep into computer science (and cybersecurity to some extent).

  • by lwansbrough on 10/16/24, 7:29 PM

    I suppose different people are entitled to different opinions about fingerprinting, but I reckon it only takes working on a single project where this is a real issue for you to change your mind.

    We do behavioural analysis on top of various fingerprinting for bot detection - some people are trying really hard to ruin the internet!

    I suspect a sufficiently advanced server side behaviour analysis could do a pretty good job discovering cheaters.

  • by suborange on 10/17/24, 5:47 AM

    a bit late to the party, but recently watched this video: https://www.youtube.com/watch?v=x-EbjGSRyKA

    Interested to hear thoughts on this level of both cheating and detecting cheats

  • by wnevets on 10/16/24, 7:49 PM

    I wonder what kind of theories these cheaters invented to explain how they were getting caught.

  • by devwastaken on 10/17/24, 5:22 PM

    banning by public IP is a rookie mistake. ISP will change their IP automatically over time, they charge extra for static IP. So what youre actually doing is banning anyone who ever receives that IP in the future.

  • by retentionissue on 10/17/24, 4:21 PM

    Catching/stopping people who want to cheat for profit is something I personally think is never going to happen.

    For a time, I would buy keys for CS:GO and different Steam accounts and use a subscription based cheat provider to provide me with ESP/chams on screen. I knew that overwatch/admins would be seeing the demos as the accounts were new Starting from unranked meant you would be under scrutiny already so I adjusted my playstyle.

    I learned not to linger around looking at walls. People's movement patterns and decision making eventually became predictable as I reviewed demos or learned in the middle of a match how players have habits and abused that information. I was able to determine when to throw a round away to avoid suspicion and deliberately ensured I had a string of 2/3 bad games every so often so my K/D wasn't insane. I never used any aim assists, spinbots etc., and I always, always communicated with my team through ingame VOIP (not giving cheat calls) and maintained a legit facade.

    I went undetected for nearly 2 years and sold hundreds of CS accounts successfully and made a tidy profit doing it. It's another string of the gaming industry that brings in money and it will never go away.

    I like to think of it as an online drug war, however insensitive that may seem.

  • by SirMaster on 10/17/24, 1:56 PM

    Seems trivially easy to hit their evade scenario though.

    If I merely change the mac address in the device connected to my cable modem, I get a new IP, every time. Combined with the fact that the game is free, so you can easily make new steam accounts.

  • by aftbit on 10/16/24, 7:15 PM

    >Now, in order for a player to appear to us as a "fresh player" they would need to change their Steam ID, IP address and Steam installation folder. As you can imagine, no one is going to do the latter.

    Really? I would expect that a dedicated cheater would reinstall Windows (or reload from a snapshot) every time they are caught.

  • by rashidae on 10/17/24, 8:47 AM

    I loved the idea!! How clever. Congrats on your accomplishment, I learned a lot from your approach. Thanks for sharing.

  • by Retr0id on 10/16/24, 7:30 PM

    > Wonderful, we have found a way to silently persist a cookie for each player as they join the server.

    This violates GDPR, no?

    Edit: It sounds like this took place before GDPR was being enforced.

  • by baruchthescribe on 10/17/24, 4:24 AM

    > M̶a̶y̶b̶e̶ ̶h̶a̶v̶e̶ ̶s̶o̶m̶e̶ ̶m̶o̶r̶e̶ ̶c̶u̶n̶t̶ ̶k̶i̶d̶s̶.̶

    He took that back. A very clever nod to In Bruges. Well played sir.

  • by Broge on 10/16/24, 7:00 PM

    Feels disgusting with the hidden fingerprinting but very technically impressive!

  • by Charon77 on 10/17/24, 3:13 AM

    I got 404

  • by runxel on 10/17/24, 9:04 AM

    Still doing IP bans in the year 2024? Lmao.

  • by beeboobaa3 on 10/16/24, 7:13 PM

    I hope they asked permissions for storing those cookies. Otherwise they're violating various EU laws.