Why is it not more common to implement anti-cheat on the server instead of the client? Is that not more secure? Couldn't the server just check what vision a player should have and not provide any other information to prevent wallhacks or maphacks? Or check how fast it is possible to move to prevent speedhacks? Aimbot is a bit harder to detect I guess but what about the other ones?
A lot of people in this thread are probably going to explain to you all the reasons why it's necessary to do anti-cheat on the client.
And they'll be correct that it's not really reasonable to expect a system where data is sent to the client only when it's needed to render (in order to prevent things like x-ray vision and such) to be performant. (At least not in the most common and general case today, but more on that later in the comment here.)
All that said, I very much believe that a lot of folks don't suffifiently consider alternatives to client-side anti-cheating rootkits.
And this is all going to be a hot take, so strap in.
First off, an option that I've heard of is to require the client to send not just data like "my avatar moved to location X,Y,Z and has this velocity in this direction and etc etc etc" but also exact, specific keyboard and mouse inputs with timestamps. Then the server can a) validate that the given inputs at exactly the reported times produce the same location and velocity (this may involve running a copy of some portion of the client code on the server) and b) do better heuristic analysis on the inputs to detect things like aimbots more accurately. That would take more CPU on the server side, but it would go a long way toward making client-side anti-cheat rootkits less necessary.
But aside from that if a tabletop boardgame brought out the worst folks who played it and made it easy to cheat to the point that the game had a bad reputation, that would reflect poorly on the game designers' ability to create fun games with mechanics that ensure everyone has fun, right?
So I have to wonder when a video game has either rampant problems with cheating or a draconian rootkit to lock down the client's whole computer, how is it that people don't ever consider that the video game designers should have put more thought into how to change the mechanics, incentives, or other design aspects of the game to avoid those issues.
A quick anecdote. There's an open source Minecraft clone called "Minetest". A handful of years ago, the developers announced they were adding client-side scripting to it. A lot of the players lost their absolute shit. "How can you encourage cheating like this?" And the developers were like "a) there are already scriptable clients in the wild modified by third parties so us not adding this feature won't solve anything and b) things like x-ray vision are better solved on the server by, for instance, not telling the client which nodes are ore nodes until one face of the node is exposed - there's already server-side scripting that can be used to do that." Unfortunately the very vocal anti-client-scripting crowd won that argument just by being really loud and pitching hissy fits and the client-side scripting the developers added ended up pretty useless. (And keep in mind this even keeps single-player games from accessing the features offered by the client-side scripting effort.) And again, scriptable clients already existed in the wild.
Now, it's really hard to come up with game design principles that would deincentivise all cheating in all genres of games. But just a few ideas:
What if there was an FPS that just gave every player x-ray vision to level the playing field for everyone?
What if you made scripting the client to make grinding or aim bots a feature rather than trying to prevent that, but required that all bots play only on bot-allowed servers? Even if that couldn't be perfectly enforced, I'd guess it would reduce the incentive to try to play unfairly with client scripting. (Plus if there's a built-in client scripting system that reports what it's doing, or for some architectural reason has to report what it's doing to the server, it's probably going to deincentivise hacked clients.)
Not all game designs can get away with not sending data to the client until the client needs to render it to avoid x-ray hacks, but you could certainly design a (fun) game that did allow for some version of something close to that. A team v. team FPS game where the entire map is divided in half with a big opaque wall that disappears two minutes into the match whereafter basically has line of sight to everyone else for the rest of the match. You could not send player location data for the other team's players until the wall disappeared.
Make the games player vs NPCs rather than players vs players and predefine the NPCs' paths.
I mentioned the Minetest "don't tell the client which blocks are ore until a face is exposed" thing above.
Maybe player rating systems? To where if a player is obviously cheating, other players can give that player a 1-star review. Enough of those and they get put on the naughty players' server.
(I'd list some more ideas here but it's 2:00am and I really should sleep. Lol. Maybe I'll see if I can come up with more tomorrow.)
Aside from that, I'll say that, for all the talk about how server-side anti-cheat can't really work well, I'd have to submit that... client-side anti-cheat doesn't really work that well either. Folks regularly find ways around it. And there are companies out there that make anti-cheat software that have started to tip their hand about how much it doesn't/can't work by partially giving up on making bulletproof client-side anti-cheat that works (because that's not that feasible), but by bringing lawsuits against people who break their client-side anti-cheat. (It's the same trick they pulled with DRM, at least in the U.S.. It's not really possible to make DRM secure against the user who has physical access to the machine on which the DRM scheme is being executed, so instead of making DRM that works, they made laws to criminalize the breaking of DRM.)
All in all, I wouldn't personally play any game that required a rootkit. Don't care how fun it is. That's just straight up a deal breaker for me. It's my computer, dammit!
(And, even if the client-side anti-cheat wasn't a rootkit per se, I still wouldn't use anything required any client-side anti-cheat.)
I'll forever maintain it used to be one of the best f2p fps games in history. Yeah you had to grind a lot to get new stuff, but pretty much everything considered meta was unlocked pretty early. The wall hack mechanic was just so well done, especially combined with just how much you could tweak everything.
Maybe player rating systems? To where if a player is obviously cheating, other players can give that player a 1-star review. Enough of those and they get put on the naughty players' server.
Because that’s not incredibly easy to exploit. And even if it’s not intentionally malicious reporting… there’s idiots who seem to think them lossing means the other cheated.
I’m reminded of my time in WoW- vanilla wow when T-0.5 was still the best gear yiu could reasonably get. Any how this fully geared T0.5, l60 warrior tried to gank my greens-and-blues geared l58 mage.
He waited until I was drinking, for that free crit. I was OOM, cuz I was ape grinding mobs.
I killed him using r1 frost bolt, frost nova and my wand. (Warriors at the time had zero ability to reliably gap close against any kind of mage.). Eventually he tried to run. He got but hurt from all the frost bolts I rammed up his ass.
Decided there’s no way a level 58 should be able to kill a 60. Now. Here’s the thing I’m very much “red is dead” in games with pvp. So of course i camped his ass. One, it was basically free HKs, two, he tried to gank a lower level, three he tried to gank an OOm mage. And four? Did I mention the free HKs?
In any case of course I got reported for haxxors. GM was like “dude are you camping him” I’m like “he started it… he could always get a friend.”
(He did. An equally terrible hunter. It was almost adorable.)
Back in the day (CS1.5/CS1.6) there was a server addon called HLGuard. Where it did some basic checks to see if you should know about another player and not send info unless you need it.
But, it wasn't perfect, and you'd still get an advantage from wallhack and of course it cannot stop aimbot. You could perhaps "detect" likely aimbot though. But it did limit the power of wallhack.
I actually tested it (of course on my own server with a friend who knew I was doing it). What it seemed to do was make sure you only really saw a player when they were very close to a wall where they'd become visible. But of course, close up things like needed to hear audio cues meant you'd often see them through walls anyway.
Also I never measured it, but it must have taken a fair bit of CPU to make all these determinations for every player on every tick.
For modern MMOs etc, they are usually VERY client authoritative because they're handling thousands of players at once and really want to spend as little CPU time on each as possible. So, they will likely want anything they have to be client side.