While I’m not really a gamer, I do think the conundrum of online games cheating is an interesting technical problem because I honestly can’t think of a “good” solution. The general simplistic answer from those who never had to design such a game or a system of “do everything on the server” is laughably bad.
Preventing cheating is hopeless.
Anyway, this isn’t the Olympics, a professional sport, or Chess. It’s more like pickup league. Preserving competitive purity should be a non-goal. Rather, aim for fun matches. Matchmaking usually tries to find similar skill level opponents anyway, so let cheaters cheat their way out of the wider population and they’ll stop being a problem.
Or, let players watch their killcams and tag their deaths. Camper, aimbot, etc etc. Then (for players that have a good sample size of matches) cluster players to use the same tactics together.
Treating games like serious business has sucked all the fun out of it.
Unfortunately that has been proven to not work.
Matching based on skill works only as long as you have an abundance of players you can do that based on. When you have to account for geography, time of day, momentary availability, and skill level, you realize that you have fractured certain players far too much that it’s not fun for them anymore. Keep in mind that “cheaters” are also looking for matches that would maximize their cheats. Maybe it’s 8PM Pacific Time with tons of players there, but it’s 3 AM somewhere else with much limited number of players. Spoof your ping and location to be there and have fun sniping every player in the map. Sign up for new accounts on every play, who cares. Your fun as a cheater is to watch others lose their shit. You’re not building a character with history and reputation. You are heat sniping others while they are not realizing it. It may sound limited in scope and not worth the effort for you, but it’s millions of people out there that ruin the game for everyone.
Almost every game I know of lets players “watch their kill cam”, and cheaters have adapted. The sniped people have a bias to vote the sniper was cheating, and the snipers have a bias to vote otherwise. Lean one way or the other, and it’s another post on /r/gaming of how your game sucks.
Well it is a professional sport -- there's tournaments worth tens of millions of dollars. But honestly it is probably easier to catch cheaters in that environment. The real issue is that cheaters suck the fun out of the game, and matchmaking doesn't fix this because cheaters just cheat the matchmaking (smurf accounts, etc) until they're stomping regular players again. I don't think throwing our hands up and letting the cheaters go on is a real solution.
Smurf accounts are a real problem, but they are a real problem whether the person stomping beginners is using cheats or is just experienced. The target should be preventing smurfing in the first place.
That's a good point.
> The real issue is that cheaters suck the fun out of the game
Unpopular opinion: cheaters don’t, griefers do.
“Cheater” is a pejorative for someone who sidesteps the rules and uses technology instead of, uh, pardon a potentially word choice, innate skills. They don’t inherently want to see others suffer as they stomp - it’s a matchmaking bug they’re put where they don’t belong. They just want to do things they cannot do on their own, but what are technically possible. A more positive term for that is a “hacker”.
Griefers are a different breed, they don’t just enjoy own success but get entertained by others’ suffering. Not a cheating issue TBH (cheats merely enable more opportunities), more like “don’t match us anymore, we don’t share the same ideas of fun” thing. “Black hat” is close enough term I guess.
YMMV, but if someone performs adequately for my skill levels (that is, they also don’t play well) then they don’t deprive me of any fun irrespective of how they’re playing.
Yeah that's a really unpopular opinion. Cheaters don't want to play the game. There is no matchmaking for them that makes sense.
They have inhuman skills usually paired with terrible game IQ and generally awful toxicity. They get boosted up to play with intelligent players purely because they can hold a button to outplay. It gets to the point where you have a player on your team who has no idea how to play but is mechanically good and it breaks the entire competitiveness of the game.
> They don’t inherently want to see others suffer as they stomp
Cheaters want to dominate other players, feel like they deserve to dominate other players and are perfectly happy for other players to suffer as long as they feel good.
That’s provably not universally true, although I have no idea about the exact demographics.
Best I’ve ever seen was some online discussions about motives, but I never compiled any statistics out of random anecdotes (that must be biased and probably not representative).
If they weren't motivated by a toxic sense of self regard and a desire to humiliate others they wouldn't cheat. This is axiomatic.
That's a gross exaggeration. Some people just want to play the game, but lack motor skills commensurate with their other abilities.
Are players who take advantage of developer-supplied aim assist and other assistive technologies "motivated by a toxic sense of self regard and a desire to humiliate others"?
Are people who play the game as the developers intended using the tools the developer supplied cheaters? Wow, deep philosophical questions there.
Gonna have to ponder if people who aren't cheating are cheaters.
> let cheaters cheat their way out of the wider population
In a 5v5 shooter this ruins 9 people’s game along the way, times however many games this takes. Enough people do this and the game is ruined
> or let players watch their killcams and tag their deaths
Players are notoriously bad at this stuff. Valve tried it with “overwatch” and it didn’t work at all.
Forgetting about anti cheat for a minute though, matchmaking for different behaviours is a super interesting topic in itself. It’s very topical right now [0] and a fairly divisive topic. Most games with a ranked mode already do this - there’s a hidden MMR for unranked modes that is match made on, and players self select into “serious” or “non serious” queues. It works remarkably well - if you ever read people saying that Quick Play is unplayable it proves that the separate queues are doing a good job of keeping the two groups separate!
[0] https://www.pcgamer.com/games/third-person-shooter/arc-raide...
Did Valve really do that for Overwatch? It is on their store, so maybe, but I’d expect Blizzard to implement that sort of thing.
I agree that killcam tagging is not great for, like, actual “you are breaking the rules” type enforcement (because, yeah, players will generate a ton of false-positives). But if players had a list of traits and match-making tried to minimize some distance in the trait space (admitting it couldn’t be perfect), it might result in more fun matches.
> Did Valve really do that for Overwatch? It is on their store, so maybe, but I’d expect Blizzard to implement that sort of thing.
Valve did it for CS, and it was called overwatch, sorry. [0]
[0] https://counterstrike.fandom.com/wiki/Overwatch#Verdict
> Anyway, this isn’t the Olympics, a professional sport, or Chess.
Yes, its prize pool is order of magnitude higher than either of Olympics sports or Chess.
I’m sure there’s a game out there that has a prize pool for matchmaking mode, because any silly thing has happened somewhere, but I’d expect that sort of thing to mostly be handled in proper tournaments.
It's not so much tournaments but viewership. People watch others play on Twitch, that gets you money directly as well as sponsorships. This incentivizes people to cheat so they're good on stream.
It is a lot harder to cheat on a live stream though.
I think from a purely technical viewpoint, cheaters will always have the advantage since they control the machine the game and anti-cheat is running on. Anti-cheat just has to keep the barrier high enough so regular players don't think the game is infested with cheaters.
I agree, but that’s precisely the interesting ‘technical’ problem. Like Bitcoin’s “proof of work” in 2011 (it took me few years to comprehend) was an eye opening moment for me. While I do believe that it firmly failed to achieve its lofty goals, the idea of “proof of work” was a really captivating and interesting technical idea. Can a video game client have a similar zero-trust proof of their authenticity? I personally can’t think of one. I can’t think of a way to have remote random agents (authenticated or not) to prove they are not cheating in a “game”, and like you, I suspect it’s not really possible. But what does that mean?
I grew up with star trek and star wars wondering what a “I’ll transfer 20 units to you” meant. Bitcoin was an eye opener in the idea of “maybe this is possible” to me. But it shortly became true to me that it’s not the case. There is no way still for random agents to prove they are not malicious. It’s easier in a network within the confines of Bitcoin network. But maybe I’m not smart enough to come up with a more generalized concept. After all, I was one of the people who read the initial bitcoin white paper on HN and didn’t understand it back then and dismissed it.
You could have replays where all player inputs are signed by the individual players. This replay file could be used as proof to report a cheater. Analysis tools can be developed later to identify what packets are only possible from cheaters. For example you could prove that a player was sending packets that they were flying around.
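The signed-replay idea from the comment above, as an added example that is not part of the original thread: each input record is authenticated and chained to the previous one, so an auditor can detect edited or dropped records and flag movement that exceeds a speed limit. It assumes a per-session HMAC key shared with the server as a stand-in for a real digital signature (which a third party could verify without the key), and the record fields and `MAX_STEP` limit are hypothetical.

```python
import hashlib
import hmac
import json
import math

MAX_STEP = 5.0  # assumed speed limit: game units a player may cover per tick


def _tag(key, prev_tag, record):
    """MAC over the previous tag plus the canonical record (a hash chain)."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + body, hashlib.sha256).hexdigest()


def sign_inputs(key, player, moves):
    """Client side: turn (tick, x, y) tuples into chained, authenticated records."""
    out, prev = [], ""
    for tick, x, y in moves:
        rec = {"player": player, "tick": tick, "x": x, "y": y}
        prev = _tag(key, prev, rec)
        out.append({**rec, "tag": prev})
    return out


def audit_replay(key, player, entries):
    """Reviewer side: return (index, finding) pairs for one player's stream."""
    findings, prev_tag, prev_rec = [], "", None
    for i, e in enumerate(entries):
        try:
            rec = {k: e[k] for k in ("player", "tick", "x", "y")}
            tag = str(e["tag"])
        except (KeyError, TypeError):
            findings.append((i, "malformed"))
            break
        ok = hmac.compare_digest(_tag(key, prev_tag, rec), tag)
        if rec["player"] != player or not ok:
            # Edited, dropped or reordered record: nothing after it is trustworthy.
            findings.append((i, "bad-tag"))
            break
        if prev_rec is not None:
            dt = rec["tick"] - prev_rec["tick"]
            dist = math.hypot(rec["x"] - prev_rec["x"], rec["y"] - prev_rec["y"])
            if dt <= 0:
                findings.append((i, "non-monotonic-tick"))
            elif dist > MAX_STEP * dt:
                findings.append((i, "impossible-move"))
        prev_tag, prev_rec = tag, rec
    return findings


def demo():
    key = b"constructed-session-key"  # constructed sample key
    honest = sign_inputs(key, "p1", [(1, 0, 0), (2, 3, 4), (3, 6, 8)])
    teleport = sign_inputs(key, "p1", [(1, 0, 0), (2, 3, 4), (3, 300, 4)])
    edited = [dict(e) for e in honest]
    edited[1]["x"] = 0                # changed after signing
    dropped = [honest[0], honest[2]]  # middle record removed
    streams = {"honest": honest, "teleport": teleport,
               "edited": edited, "dropped": dropped}
    return {name: audit_replay(key, "p1", s) for name, s in streams.items()}


if __name__ == "__main__":
    print(demo())
```

Authentication here binds a stream to the holder of the key; inputs produced by an aimbot on the player's own machine still verify, so this catches physically impossible packets and tampered replays rather than assisted play.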
I have never worked on AAA games, but I have developed software for 35 years and play many competitive online games regularly.
I have always wondered why more companies don't do trust based anti cheat management. Many cheats are obvious from anyone in the game, you see people jumping around like crazy, or a character will be able to shoot through walls, or something else that's impossible for a non-cheater to do.
Each opponent in the game is getting the information from the cheating player's game that has it doing something impossible. I know it isn't as simple as having the game report another player automatically, because cheaters could report legitimate players... but what if each game reported cheaters, and then you wait for a pattern... if the same player is reported in every game, including against brand new players, then we would know they were a cheater.
Unless cheaters got to be a large percentage of the player population, they shouldn't be able to rig it.
Less skilled players can't distinguish better players from cheaters, and reports are usually abused and used in bad faith. Even a good-faith report really just means "I don't want to see this player for whatever reason". It's used as a signal of something in most systems but never followed outright in good games because players get a ton of useless reports.
Players in some games with custom servers run webs of trust (or rather distrust, shared banlists). They are typically abused to some degree and good players are banned across multiple servers by admins acting in bad faith or just straight up not caring. This rarely ends well.
I used to run popular servers for PvP sandbox games and big communities, and we used votebans/reports to evict good players from casual servers to anarchy ones, where they could compete, but a mod always had to approve the eviction using a pretty non-trivial process. This system was useless for catching cheaters, we got them in other ways. That's for PvP sandboxes - in e-sports grade games reports are useless for anything.
A couple of years ago the bot situation in casual Team Fortress 2 was so bad that it wasn't uncommon to land in a game where the majority of at least one of the teams was a group of cooperating bots. In those matches you have the possibility to start a kick-vote on your team mates, and those bots would immediately vote “no” if you tried to vote on any of them and because they were the majority of the team these votes always failed. And if these bots were in your enemy team all you could do was to ask the remaining, hopefully real, players on the enemy team to try to kick them. It was especially annoying when you tried to play certain game modes these bots weren't programmed to handle, they had no idea of the objective and the match would stall indefinitely, forcing you to queue for a different match. And if I remember correctly these bots were pretty much headshotting everything they got in sight. Something the server can easily detect. But VAC for example acts intentionally slow, so cheaters don't get immediate feedback.
Out of curiosity I did a quick internet search and a couple of months ago a new wave of bots has emerged. Those bots also join as majority group but never fully join the game, they simply take up slots in a team, preventing others from joining. Makes you wonder why the server isn't timing them out.
Counter-Strike has been doing this for years. It's called "Overwatch" (even before Blizzard's Overwatch came out). And believe it or not it failed to reliably catch actual cheaters AND got non-cheaters in trouble (both repeatedly). A very good player is indistinguishable from a cheater with a good cheat. Sometimes people just get super lucky for a few rounds and you might get judged based on that.
> A very good player is indistinguishable from a cheater with a good cheat.
I played COD4 a lot, though not competitively. I used to say that I had a bad day if I didn't get called a cheater once.
I didn't cheat, never have, but some people are just not aware of where the ceiling is.
The cheaters that annoyed us back then were laughably obvious. They'd just hold the button with a machine gun and get headshots after headshots, or something blatant like that.
> some people are just not aware of where the ceiling is
True of everything. Getting good just lets you see the skill gaps. I've sunk a serious chunk of time into both pool and chess. In both I'd be willing to take a bet that I can beat the median player with my eyes closed (in pool, closing them after walking the table but before getting down on the shot).
And in both of those activities, there are still like 10-20 levels of "person at skill level A should always win against person at skill level B" between me and someone who is ACTUALLY good at pool or chess. Being charitable, in the grand scheme of things I might be an intermediate player.
Overwatch is now non-public - when CS2 replaced CS:GO, it wasn't available, and when it was reintroduced, it was only for "trusted partners" [0].
[0]: https://steamdb.info/patchnotes/14178987/
> Anti-cheat just has to keep the barrier high enough so regular players don't think the game is infested with cheaters.
And even that's the (relatively) straightforward part. The hard part is doing this without injuring the kernel enough that the only sensible solution for the security conscious is a separate PC for gaming.
I wonder if dual booting can be used as a middle ground, like have one OS for gaming and other OS for work.
Problem is that only works if the two OSes are different (Windows vs Linux) or else they can just stomp each other
The only solution that seems to work well that I've seen is having very active and good server admins who watch the gameplay and permaban cheaters. Requires a lot of man hours and good UI and info for them to look at, as well as (ideally) the ability to see replays.
That solution only works on servers hosted by players - I've never seen huge game companies that run their own servers (like GTA) have dedicated server admins. I guess they think they can just code cheaters out of their games, but they never can.
It's interesting how often accuracy problems fall back to requiring humans in the loop, and in the case of big consumer systems that means employing people in low wage parts of the world. For playing a match of a video game I don't think there's that much money involved balanced against the amount of playtime to pay for enough monitoring or to ensure a timely response to reports. Gamers always wheel out community run servers and admins because it's pushing the cost onto someone else (I don't think I've ever seen someone volunteer themselves for it), and they'd mostly refuse pay to play if that meant employing a staff that scaled as their online games are popular.
The solution is purely cultural. We should collectively think people who cheat online are losers.
(Not being sarcastic.)
By and large we do. Unfortunately, the losers don't care unless you identify them personally. For them, the thrill of cheating and griefing others easily overcomes some generalized cultural zeitgeist.
Or bad players might get owned by better ones, conclude the other guy was cheating and the only way to compete is for them to cheat as well.
Sort of like nuclear weapons
This has happened in online chess, with some people admitting to using engines (ie cheating) to "confirm their suspicion that the other guy is cheating".
Remember you're living in a world where people idolize Elon Musk, a person who employed someone to play Path of Exile and Diablo to boost his account (ie a cheater). Also a lot of people don't care (or claim not to care) whether people see them as losers as long as they wreck other folks' day.
https://www.forbes.com/sites/paultassi/2025/01/20/elon-musk-...
I don't know a single person who doesn't think that the PoE thing was super cringe. To the extent that people idolize Elon, it's because they think his accomplishments outweigh him making a massive fool of himself in that instance.
That's true. OK I was being unfair.
This is a noble lie, because it's really the non-cheaters who are losers. If the cheaters lost then there would be no problem.
Most people ignore that "do everything on the server" kills any game that needs fast interactions or decent local prediction, latency goes through the roof and you might as well play chess by email. There isn't a clean answer.
Kernel anti-cheat isn't an elegant solution either. It's another landmine, security holes, false positives, broken dev tools, and custody battles with Windows updates while pushing more logic server-side still means weeks of netcode tuning and a cascade of race conditions every time player ping spikes, so the idea that this folds to "better code discipline" is fantasy.
Not all the processing needs to be done online, it can be done completely async offline on game logs
sorry but kernel anti cheat is actually good
I play fps competitively and valorant is by far the most least cheater fps game on the market
It may be effective, but it's an unacceptable security risk imo. No amount of effectiveness can justify installing a literal rootkit to play the game.
Valorant only uses kernel mode anticheat on Windows. Apple has taken security seriously enough that the anticheat is user mode only on MacOS.
its called anti cheat for a reason (not anti spyware)
nothing perfect in software world and this is the best tool for its job
Except for the risk of the game being compromised and everything in your computer along with it.
its like saying game piracy is bad because you can get hack in your pc
if your pc is so important then maybe don't install these particular software
its all about trade off
I don't install games that require kernel level anticheat. I wish those games would stop using them because without that I'd play a few of them.
Kernel level anticheat isn't a silver bullet, either. It just simplifies the work of the anticheat programmers. I personally think that the silver bullet is behavioral anticheat and information throttling (don't send the player information about other players that he can't see/hear)
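The information-throttling idea from the comment above, as an added example that is not part of the original thread: the server builds each client's snapshot from only the players that client could see (unobstructed line of sight on a tile map) or hear (within a radius), so a wallhack has nothing extra to read from memory. The map, `HEAR_RADIUS`, player names and snapshot layout are constructed for illustration.

```python
# Constructed map: '#' blocks line of sight, '.' is open floor. Indexed GRID[y][x].
GRID = [
    "..........",
    "....#.....",
    "....#.....",
    "....#.....",
    "..........",
]
HEAR_RADIUS = 2  # assumed: footsteps carry 2 tiles (Chebyshev distance)


def line_tiles(a, b):
    """Yield every tile on the Bresenham line from a to b, endpoints included."""
    (x0, y0), (x1, y1) = a, b
    dx, dy = abs(x1 - x0), -abs(y1 - y0)
    sx = 1 if x0 < x1 else -1
    sy = 1 if y0 < y1 else -1
    err = dx + dy
    while True:
        yield (x0, y0)
        if (x0, y0) == (x1, y1):
            return
        e2 = 2 * err
        if e2 >= dy:
            err += dy
            x0 += sx
        if e2 <= dx:
            err += dx
            y0 += sy


def has_line_of_sight(a, b):
    """True when no wall tile lies strictly between the two positions."""
    between = list(line_tiles(a, b))[1:-1]
    return all(GRID[y][x] != "#" for x, y in between)


def can_hear(a, b):
    return max(abs(a[0] - b[0]), abs(a[1] - b[1])) <= HEAR_RADIUS


def snapshot_for(viewer_id, positions):
    """Return only the other-player state this viewer's client should receive."""
    me = positions[viewer_id]
    out = {}
    for pid, pos in positions.items():
        if pid == viewer_id:
            continue
        if has_line_of_sight(me, pos):
            out[pid] = {"pos": pos, "via": "sight"}
        elif can_hear(me, pos):
            out[pid] = {"pos": pos, "via": "sound"}
        # Anyone else is omitted entirely: the client never learns they exist.
    return out


# Constructed positions: A is behind the wall and far away, B is in the open,
# C is behind the wall but close enough to be heard.
SAMPLE = {"viewer": (3, 2), "A": (8, 2), "B": (3, 4), "C": (5, 2)}

if __name__ == "__main__":
    print(snapshot_for("viewer", SAMPLE))
```

A production filter would widen these checks to allow for latency, so that an opponent rounding a corner does not pop into view late.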
Yeah but this is our current best tool yet
if you can design a better one without drawback then you could try to release a better one
Do what Netflix did and run servers at ISPs (or at their providers or Cloudflare points).
It's kind of weird that we still don't have distributed computing infrastructure. Maybe that will be another thing where agents can run near the data they're crunching on generic compute nodes.
If me and my roommate are both playing against each other on a server less than 10ms away, in the normal scenario at 60fps there is still ~60ms between me clicking and it appearing on your screen - and another 60ms before I get confirmation. Now add real world conditions like “user is running YouTube in the background” or “wife opens instagram” and that latency becomes unpredictable. You still are left with the same problems. Now multiply it by 10 people who are not the same distance from the ISP and the problems multiply.
To quote the parent comment:
> The general simplistic answer from those who never had to design such a game or a system of “do everything on the server” is laughably bad.
What does that have to do with solving the problem?
Sorry to say this, but I don’t think you understand how any of this works. Whenever someone’s proposed “edge computing” as a way to solve trust problems, I know they are just stringing together fancy sounding words they don’t understand.
What “Netflix did” was having dead-simple static file serving appliance for ISPs to host with their Netflix auth on top. In their early days, Netflix had one of the simplest “auth” stories because they didn’t care.
There's different levels of cheating. We can avoid the worst cases by not putting the game state/Netcode in the users computer which basically makes it like an X Server.
It would add some latency but could be opt-in for those that care enough for all players in a match to take the hit.
All the games that use kernel anti cheat have the simulation running on the server.
You can't make a competitive fps game with a dumb terminal, it can't work because the latency is too high so that's why you have to run local predictive simulation.
You don't want to wait the server to ack your inputs.
> All the games that use kernel anti cheat have the simulation running on the server.
There's an exception with fighting games. Fighting games generally don't have server simulations (or servers at all), but every single client does their own full simulation. And 2XKO and Dragon Ball FighterZ have kernel anti cheat.
Well I'm just nitpicking and it's different because it's one of the few competitive genres where the clients do full game state simulations. Another being RTS games.
Go play the original Quake (not QuakeWorld) online and you will soon realise why games realised that concept was flawed as soon as it was implemented.
It works fine for LAN but as soon as the connection is further than inside your house, it’s utterly horrible.
I think it's somewhere between halting and turing - given infinite resources it's likely solvable, but lacking that it's just narrowing bounds
The only good long term solution is ML on replays + moderately up to date client side (non kernel) AC (just good enough to deter cheaters).
Mac OS with remote attestation has proven strong enough for anticheat on Mac OS without needing kernel anticheat.