How do anti-cheat plugins work

Discussion in 'Spigot Discussion' started by R3dThunderr, May 4, 2017.

  1. I'm wondering... how do anti-cheat plugins work? What kind of things do they look for? And how are they not incredibly intensive?

    (I understand bukkit api if that helps with the explanation)

  2. Because you're writing a hacked client? :D Just kidding!
    • Funny Funny x 2
  3. In a nutshell, they look for things you can't normally do in Minecraft and stop you from doing it and then from there its either punishing you, sending an alert to staff etc..
  4. Lol!! Making a server and want to either know how to they work, or write it myself
  5. It will be very code intensive to write one yourself (in my opinion), just get one that's out there ;) But it's always fun to experiment and see what you can do yourself.
    • Agree Agree x 1
  6. Short version first:

    They use all sorts of hooking points:
    • Packets (could be an extra machine or bungee-node).
    • Bukkit-API
    • obc/nms "server code"
    • (Command blocks : p - someone tried this once/twice for a vanilla server.)
    Typically not all can be interecepted/checked with the Bukkit-API so hooking to nms or packets will be necessary.

    Methods of anti cheating
    • Model allowed/legitimate behavior and detect deviation. In general the lasting kind of protection, despite clients adapting to it.
    • Detect specific client behavior or specific cheat implementations. This typically is bypassed very quickly with the next client version. It does allow banning, false positives would mean banning too then, and try to argue if they ban hundreds of players a day :). Banning is another topic though.

    • Closed source makes it more difficult to write cheats, so open source is bad. This certainly is an entirely negligible effect.
    • A high ban count is better. Maybe so, and it allows really doing something about the cheaters, but the used methods are bypassed the next hour/day, you don't have a guarantee that your tournament winner is 'clean', and who does the full time job of dealing with false positives - people just accept false bans nowadays? So this is not an indicator of a high level of protection, sadly.
    • Lots more.
    • Like Like x 2
  7. Coding time usually isn't the issue; testing is.
    • Agree Agree x 2
  8. I agree for the large part - ironing out false positives and bugs, but also even just reproducing false positives eats up much/most time, and the more popular your plugin is, the more time you spend with bug/issue reports and compatibility requests (, i.e. feature X of other plugin Y doesn't work with this anti cheat)..

    Concerning the coding part, there is some aspects that actually could take time - it's things like dealing with latency/lag/congestion for server/networking/client-sides, leading to building up your own frameworks for internal use. Implementing something like 'get a latency window/best-guess for 1.2 seconds ago', or 'has the player been on ground here somewhere between 0.1 and 1.2 seconds ago' :).

    One would do this to mitigate false positives, to be able to actually do more strict checking with lasting kind of methods. So investing into frameworks and abstractions (block shapes, past states/locations/latency/lag?) can use much more time for coding, typically suited for an open source project consisting of more than one developer.
    • Agree Agree x 1
  9. DanielNaaman


    Each one works differently, it has its own methods and tests to run so it can confirm that a player is indeed cheating.

    Technically it works with packets.. I'm not sure exaclty how but i'm positive that you can take a look at some open source anti cheats :)
  10. I tried to estimate a line count from GitHub, but it didn't seem consistent. You might be confronted with idk up to idk-90k lines of code, part of which is a 'carnival of sorts', parts of which are stuck in refactoring stages, due to not having more than one developer, while still trying to sketch out some parts of where we/someone could be going :p.

    It's still possible to get an idea of what some of the parts or checks are doing, some actual checks (NCPCore) are really simple by nature, others are probably difficult to overview - just ask if interested .
  11. xD