Tuesday, October 4, 2016

multiplayer - How to detect and prevent abuse (botting) of online game API?


I have been occasionally working on a game idea in my free time. The gameplay and content renders it to be implemented as an online multiplayer game built with well established web technologies. You should know that it falls into the strategy and simulation genre. That means: No running around with characters or similar but only atomic actions (regarding client-server communication) like "build thing A on location X".


At one point I realized there is a huge problem: having a browser based front end relying on a REST API back end makes it a more than excellent target for bots. While automation is desirable for business it is poison to a game which is about fun. I experienced it first hand in a browser game in the past where the most successful players were bots which subdued everybody.


From my current point of view I do not see any possibility to protect against bots when building a multiplayer online game based on a REST API. Exception: Making it open source so everybody can host his own instance for private groups or even just oneself (to not get annoyed by jerks with bots).


Is there any way to differentiate between an honest player who just set an alarm for the next possible action and a bot automatically taking every chance on appearance of it? Besides such show stoppers like captchas. If not, I would think about another technology stack which makes it at least much harder to mess with client-server communication (proprietary encrypted binary protocol in a native code client).



Edit: Thank you, your answers are inspiring but also made me realize that specific countermeasures cannot be made by going further into details of the game. However, that would be too much for a question on Stack Exchange. So I just want to point out the most important points:



  • Players are exploring, developing and managing whenever they want to. Their businesses still run fine when they are offline (it is a peaceful game, no weapons involved). Only expansion and progress need the player's action. Those actions are limited by:

  • time is one of the key resources (like in EVE Online skill training). All processes in game require it. There is no point in being online 24/7. The average player should be successful already with spending not more than an hour every day in one or two sessions (roughly, the concept is still in development).



Answer



If people want to bot, I don't think you can really stop them.


You can of course implement many measures that make botting more or less of a pain. But you can only do so much before your codebase turns into a gigantic mess that's hell to maintain, error prone, and annoys legitimate users. Meanwhile the botters will always find a way to defeat your countermeasures:



  • There's more of them than you


  • They have more free time on their hands (you have to split time between actual development and bot proofing, they can hack their bot code all day long)

  • As you create outlandish, challenging safeguards the bot authors will be further encouraged because it's fun to break your bot protection

  • If there is a black market of people commercially profiting from bots, the harder you make it to write a bot the more valuable working bots become, so you incentivize botting


You will basically be trapped in an arms race with the botters, and based on logic along the lines of the above points, as well as my experience with such games, you will not be able to keep up.


Some game developers employ extremely aggressive anti-cheating measures: For instance, Steam will scan memory and the file system to look for hacks, and offenders can be punished by losing accounts worth hundreds of dollars. Yet there are still bots and other hacks for Steam games, and some of them even work half the time. Unlike them, you have an API that's wide open to the user, and no control over the user's computer. It's an uphill battle from the start.


The problem you are trying to solve is essentially a Turing test: Except it is a very easy Turing test, because you cannot cheat by requiring hard AI problems like language. No matter how many heuristics you create, it would be trivial for a botter to add a little randomness to the bot's action to have it mimic almost exactly a human. It wouldn't even be very hard to have the bot watch you play for a bit, and learn how to time actions exactly like you. Then when you ban the bot, the botter posts a huge rant on the forum about how he's just a dedicated player (and maybe he is actually a false positive) and your core audience of hardcore players will rise up in arms against you.


Make the game too fun to bot


The main reason someone uses a bot is because there is a part of the game they want to skip. If they enjoyed the game and found it fun, they wouldn't have the bot play it, they'd play it themselves.


But if the game is so boring, why play it at all? Presumably, some parts of the game are boring and mandatory to get to parts that are fun. For instance, in MMOs everyone loves going up a level, but nobody wants to kill 42,324 dire undead poison rats to get the XP. So they let the bot grind and drop in to play the fun part.



This is not a criticism of you or your game, but clearly at least some players find some parts of your game tedious. You should see if you can reduce these tedious parts, and look into adding more difficult, meaningful decisions: Bots aren't good at deep strategy or lateral thinking compared to human intelligence, and besides humans enjoy making difficult game decisions.


From your description, I get the impression that this is a browser game similar to Travian, where there is a build queue with a single best build order and certain "maintenance" (such as keeping farming raids going) tasks that must be done. You say there is no conflict, but in any MMO drama and petty politics is inevitable (IMO it's the main attraction) so I'm sure your players find ways to butt heads. With these sorts of games, a lot of the tedium comes from these "maintenance" tasks - what players really want to do is make alliances and play the diplomacy game with rival clans, the maintenance then becomes a sort of tax where you have to wake up to an alarm at odd hours to be allowed to get into that fun diplomatic part. So cut out the tedium: Automate boring things yourself (but maybe imperfectly to keep it interesting), so that players can focus on the parts they like.


This approach may not always work, unfortunately. Not all players have the same tolerance to tedium or the same concept of fun. You could have a prominent mechanic that 99% of your players enjoy, but the 1% find boring. What if the 1% then start writing bots, ruining the fun for the 99%? But ultimately, it is a matter of degree. You can never remove botting completely, but you can minimize the damage.


Undercut botters


A lot of the really negative effects of bots come from bot authors commercializing their work. If this is the case for you, you could simply compete with the bots. Many real-time based online games already have premium features that allow time-skipping and automation (such as extended build queues). These amount to a developer-sanctioned official bot. If you have these, and price them appropriately, players will buy your premium instead of buying bots. The good news is, you are in charge of the API, so you always have a strong advantage at developing quality automation for your own game, so this time it's a losing battle for botters.


This will not eliminate amateur botters, or people who feel that your premium is not good value for the money, so again the effectiveness of this approach depends on the situation.


Manually look for them


As I said above, what you are doing is essentially a Turing test. Since interaction with humans is famously considered a difficult Turing test challenge, you can try to leverage that.


Manually inspect top-level players and see if you find anything suspicious. You might even be able to get away with occasionally probing them in ways restricted only to your imagination, to see if you can trick the bot into doing something it wouldn't do.


While it is hard to write an algorithm that will detect bots reliably, it isn't so hard for a human to learn how to spot them. I think a lot of browser games use this strategy, and it can be pretty effective. The disadvantage is that either you need to do a lot of boring work all the time, or you need to pay game masters to do regular bot patrol.
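As an added example (not part of the original answer or any game's code): a server-side triage that narrows the manual bot patrol described above to a short review list, using the question's own distinction between a player who sets an alarm and an account that takes every chance around the clock. The log layout, account names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from statistics import median

DAY, HOUR = 86400, 3600

def sample_events():
    """Constructed log: (account, available_at, taken_at), seconds into a 3-day window."""
    events = []
    for day in range(3):
        for hour in (8, 20):  # alarm-setter: two sessions a day, minutes late
            t = day * DAY + hour * HOUR
            events.append(("alarm_player", t, t + 90 + 30 * day))
        for k in range(6):    # fast human, but only in one evening session
            t = day * DAY + 21 * HOUR + k * 1200
            events.append(("evening_player", t, t + 3))
    for i in range(86):       # takes every opportunity, around the clock
        t = i * 3000
        events.append(("every_chance", t, t + 1 + i % 2))
    return events

def summarize(events):
    """Per account: median reaction latency and number of distinct active hours of day."""
    latencies, hours = defaultdict(list), defaultdict(set)
    for account, available_at, taken_at in events:
        latencies[account].append(taken_at - available_at)
        hours[account].add(taken_at % DAY // HOUR)
    return {a: (median(latencies[a]), len(hours[a])) for a in latencies}

def review_queue(events, max_median_latency=5.0, min_active_hours=20):
    """Accounts a game master should look at; thresholds are assumed, not tuned."""
    flagged = [(a, lat, hrs) for a, (lat, hrs) in summarize(events).items()
               if lat <= max_median_latency and hrs >= min_active_hours]
    return sorted(flagged, key=lambda row: (-row[2], row[1]))

if __name__ == "__main__":
    for account, lat, hrs in review_queue(sample_events()):
        print(f"review {account}: median latency {lat}s, active in {hrs}/24 hours")
```

The output is a queue for human inspection, not a ban list: a fast reaction alone does not flag the evening player, and only the combination with round-the-clock activity does.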


