The problem with bots and how to fix them...

So as a coder, network engineer, and exploitation analyst I will try to give a brief run down of the some of the problems that GGG can/is experiencing with botters and why some strategies that people would think would work wont work and a few possible solutions that I would think about for fixing the problem. This thread is not aimed at getting GGG to fix the botter problem as I believe they are probably in a far better position to understand what the botters are doing compared to what I personally think they are doing. This is more aimed at the common gaming crowd and those with a basic knowledge of computers/networks/MMO game design.

A common myth is that a lot of botters are people using a program to automate their personal account to make themselves "money". While there are bot programs available for download, as many people are accutely aware most of these are infested with virus/trojans/keyloggers. For the most part they work by cleaning out the attempted botters account and sometimes are used to compromise a computer for far more mailicious purposes than game currency. There are legitimate bot developers who sell their programs which are for most intents and purposes... safe. They are few but they do exist. Its an honest (mostly) business. Their effect on game economies are for the most part limited. They benefit a small crowd who usually in turn quit playing the game after it becomes to easy for them.

The true problem of botters is the "gold sellers". The individuals who wish to turn in game money into real world money. In order to make a successfull business out of selling currency you need massive amounts of in game currency. This takes a much larger number of accounts than what a single person is usually willing to deal with hence why the individual botter mentioned above is listed as mostly limited.

A common myth is that it is easy to ban these by IP address, country, or that banning accounts is the easiest way to deal with it. The truth is that its not and the reason for this is because of Virtual Private Networks (or VPNs) and Network Address Translation (NAT). With NAT a single IP address can be the access point for hundreds of computers. Additionally you have the case of Dynamic IP assignment. A single individual may not get the same IP everytime it registers on a network. If GGG blocked an IP it could potentially block tons of legitimate users. What makes it even more difficult is that VPNs add to the problem of the two previously mentioned issues by allowing people from all over the world to log into a single VPN network which then has a dynamically allocated exit point. So bottom line is that blocking by IP is very bad business for GGG and is mostly useless as VPNs circumvent this issue anyways.

Another idea is that you can circumvent this by scanning a computer for a bot "program". This is also not a valid option. This will catch most of the first type of botter but almost none of the second type. The reason is that the second type of user.. the gold seller.. usually uses what is called a virtual machine... or in laymans terms.. a virtual computer within a computer. Often times gold sellers will have dozens if not hundreds of computers each running a handful of virtual machines all logged into VPNs. In this way you cannot stop any single device by IP or by scanning the machine for code. When you scan you are limited to the virtual machine which can be operated by its own bot program. What can be done is that a small number of machines are busy creating accounts and storing the accounts to a database which is then accessed by the bot machines to ensure constant availibility of accounts for the virtual machines. If a single vitual machine or account is detected then the bot machine merely creates a new virtual machine and logs into a different account.

So how do we stop this? Well there are a few ideas.

Solution one is to look at an individual machines ID or fingerprint if you will. The hardware ID. The software ID of a machine is easily hidden by virtual machine... but the hardware ID is something that is translated even through the virtual machine. If you begin to ban accounts based upon machine fingerprints you can stop the core system which is running the virtual machines which ends up in banning accounts by the dozens. Basically your client reports the machine ID anytime you log in with your account. If GGG bans an account due to "botting" they then also ban any account found to be using the machine fingerprint.. this essentially sets it so that computer can never be used to play PoE again as all accounts which are logged into and register that machine ID get auto banned as well. This has worked extremely well for many other games but is a little extensive on the coding side and there are a few work arounds.. but few..

Another option is to charge for the account. If the account gets banned before it can recoup its costs then the gold seller is out money. This does not work for GGGs purposes because GGG and PoE thrive because of the F2P strategy. If you had to pay its no longer F2P... its pay 2 play and people would quit in droves. But there is an idea that I have which is close to this which I believe could be used. Instead of paying to play.. you pay for the right to trade. The game is free to play all you want but unless you pay say a small one time fee or possibly a small monthly fee you can never trade your items/currency. This essentially a middle ground compared to above but still one that I doubt that GGG would use. Tho it is something that I personally would consider doing.

As I said before I did not write this to suggest to GGG on how to fix the problem but to sorta educate my fellow gamers as to why GGG is haveing a difficult time coping with botters. Please feel free to post some of your ideas below and I would be willing to give my explanation of why it is or is not a good idea and if its not a good idea why/how botters would probably circumvent it (in broad enough terms that any good botter is probably already doing it but not specific enough to tell someone how to do it themselves).


--Bishop--

"

A common myth is that a lot of botters are people using a program to automate their personal account to make themselves "money". While there are bot programs available for download, as many people are accutely aware most of these are infested with virus/trojans/keyloggers. For the most part they work by cleaning out the attempted botters account and sometimes are used to compromise a computer for far more mailicious purposes than game currency. There are legitimate bot developers who sell their programs which are for most intents and purposes... safe. They are few but they do exist. Its an honest (mostly) business. Their effect on game economies are for the most part limited. They benefit a small crowd who usually in turn quit playing the game after it becomes to easy for them.

Completely untrue, you've made it obvious you have never really botted on games and I'm not one to lie, I've botted on many games for many years, this not being one of them. RS, WoW, the list goes on. Regarding these scenes, almost every bot is legitimate besides the bots one would find in 'google' typically, which is simply not using common sense and would apply across the board to programs, not just bots. The effect on game economies is not limited either, for instance RuneScape which has been around for 12 years has never been able to put a stop to botters which plague the game and actually destroyed the economy completely. 99% of Gold Sellers either achieve their income from buying & re-selling or simply botting, typically it's botting since buying & re-selling is more of a niche and there are better ways of achieving income using that method.

Consider this a botters manifesto, I've profited over $40,000 from botting. I don't plan on botting on this game since that was something I did while trying to get through college for extra income.

"

A common myth is that it is easy to ban these by IP address, country, or that banning accounts is the easiest way to deal with it. The truth is that its not and the reason for this is because of Virtual Private Networks (or VPNs) and Network Address Translation (NAT). With NAT a single IP address can be the access point for hundreds of computers. Additionally you have the case of Dynamic IP assignment. A single individual may not get the same IP everytime it registers on a network. If GGG blocked an IP it could potentially block tons of legitimate users. What makes it even more difficult is that VPNs add to the problem of the two previously mentioned issues by allowing people from all over the world to log into a single VPN network which then has a dynamically allocated exit point. So bottom line is that blocking by IP is very bad business for GGG and is mostly useless as VPNs circumvent this issue anyways.

No game can block by IP and it never will be implemented on a game, you pointed out the obvious. It's simply impossible and is not a common myth.

"

Another idea is that you can circumvent this by scanning a computer for a bot "program". This is also not a valid option. This will catch most of the first type of botter but almost none of the second type. The reason is that the second type of user.. the gold seller.. usually uses what is called a virtual machine... or in laymans terms.. a virtual computer within a computer. Often times gold sellers will have dozens if not hundreds of computers each running a handful of virtual machines all logged into VPNs. In this way you cannot stop any single device by IP or by scanning the machine for code. When you scan you are limited to the virtual machine which can be operated by its own bot program. What can be done is that a small number of machines are busy creating accounts and storing the accounts to a database which is then accessed by the bot machines to ensure constant availibility of accounts for the virtual machines. If a single vitual machine or account is detected then the bot machine merely creates a new virtual machine and logs into a different account.

This would be an advanced mechanic and not something typically ever used, EVER. Scanning ACCOUNTS scans the computer or VM you have open, it doesn't matter if it is in a VM. Someone posted earlier about the idea of blocking multiple instances of POE i.e. with mutex's, but that wouldn't work with VM's which you outlined. Often times gold-sellers will NOT have dozens or hundreds of computers running, that's absurdity. With my 3 computers I could run 40 names on this.. The people who bought VPS's or own servers having spent thousands on it could perhaps run a lot of names, but hundreds of thousands? No.. As mentioned above the continual creation of accounts is an advanced mechanic that is completely unnecessary and would be a coder implementing completely on his own to keep the entire process automated, not something feasible or readily used.

"

Solution one is to look at an individual machines ID or fingerprint if you will. The hardware ID. The software ID of a machine is easily hidden by virtual machine... but the hardware ID is something that is translated even through the virtual machine. If you begin to ban accounts based upon machine fingerprints you can stop the core system which is running the virtual machines which ends up in banning accounts by the dozens. Basically your client reports the machine ID anytime you log in with your account. If GGG bans an account due to "botting" they then also ban any account found to be using the machine fingerprint.. this essentially sets it so that computer can never be used to play PoE again as all accounts which are logged into and register that machine ID get auto banned as well. This has worked extremely well for many other games but is a little extensive on the coding side and there are a few work arounds.. but few..

HWID Bans are a valid idea, but they don't work as well as you mite think. Even if GGG were to ban every serial associated with the hardware, the problem is you can circumvent it and with windows XP you can reassign ID's, with w7/vista you can't since they're digitally signed but YOU CAN SPOOF them. HWID's don't affect VM's like you think, nor would they affect VPS's.

"

Another option is to charge for the account. If the account gets banned before it can recoup its costs then the gold seller is out money. This does not work for GGGs purposes because GGG and PoE thrive because of the F2P strategy. If you had to pay its no longer F2P... its pay 2 play and people would quit in droves. But there is an idea that I have which is close to this which I believe could be used. Instead of paying to play.. you pay for the right to trade. The game is free to play all you want but unless you pay say a small one time fee or possibly a small monthly fee you can never trade your items/currency. This essentially a middle ground compared to above but still one that I doubt that GGG would use. Tho it is something that I personally would consider doing.

This will stop nothing, a majority of the population on WoW & RS are purely botters, they pay monthly fees.. Goldfarmers/Mass botters have nothing to lose by paying these fees and continuing their farming. Only profit to gain.


Another issue is that anything implemented will eventually be circumvented, no game has eliminated botters, not a single game, ever. And no detection system would work against a color-based or directx based bot really..


Solution? There's nothing they can do really besides making it increasingly difficult which would cut off a majority of the botters and isbox abusers.

"

aimladen wrote:

Completely untrue, you've made it obvious you have never really botted on games and I'm not one to lie, I've botted on many games for many years, this not being one of them. RS, WoW, the list goes on. Regarding these scenes, almost every bot is legitimate besides the bots one would find in 'google' typically, which is simply not using common sense and would apply across the board to programs, not just bots. The effect on game economies is not limited either, for instance RuneScape which has been around for 12 years has never been able to put a stop to botters which plague the game and actually destroyed the economy completely. 99% of Gold Sellers either achieve their income from buying & re-selling or simply botting, typically it's botting since buying & re-selling is more of a niche and there are better ways of achieving income using that method.

Consider this a botters manifesto, I've profited over $40,000 from botting. I don't plan on botting on this game since that was something I did while trying to get through college for extra income.

lol, you must be delusional if it brought you 40g's... maybe over 10 years that took you to finish that collage

and a botter that profits never buys a bot, you make it yourself (if you can buy it that means anyone can- you won't profit $$ from it)

"

No game can block by IP and it never will be implemented on a game, you pointed out the obvious. It's simply impossible and is not a common myth.

you trolling? IP ban can't be done? lol ..

"

HWID Bans are a valid idea, but they don't work as well as you mite think. ...

what collage was that you went to again? was it in US and A?

"

lol, you must be delusional if it brought you 40g's... maybe over 10 years that took you to finish that collage

and a botter that profits never buys a bot, you make it yourself (if you can buy it that means anyone can- you won't profit $$ from it)

First off, 'college', secondly 10 years? That was over the span of 1 YEAR.. You have no clue AT ALL what you're talking about. With 100 names going on RS you can make roughly 300k an hr - 600m a day // around $200 a day - this would be using a public/private bot with your own script methods you could have bought or created.. Almost no one bothers making their own bots unless they plan on selling the bots too since the amount of time invested to create a proper and advanced bot platform is quite a project.. I actually don't think you know what botting even entails, it's not simply a script that does something, there's a difference between a bot platform and a script.. You should not post on matters that you have absolutely zero comprehension or knowledge about.

"

you trolling? IP ban can't be done? lol ..

IP Ban CAN be implemented, but it's insanely stupid, if you read any of his post and not just critiqued mine you'd understand WHY IT IS STUPID.

"

what collage was that you went to again? was it in US and A?

again, college. And yes, USA, child.

"

account345s wrote:

herpderp

How about you keep it on topic instead of nitpicking posts.

I think the best way to counter botting would be to implement hardware bans & to stop multiple instances of POE being allowed, yes it can be circumvented but it will put a stop to isboxer and a majority of the bots right now.

This would only work with some type of scanner. Which of course would stop map-hacking too, but GGG has already stated that it's an issue they'll tackle later down the road, POE is still open beta.

100% agree with aimladen

If you want to know how to deal with bot you just have to google for bot+prevent+poker
i.e.: http://stackoverflow.com/questions/2717599/defeating-a-poker-bot
And the poker industry has a lot more time and money than ggg.

Block MAC and problem done.U cant change that,there is software for changing MAC but it aint working it changes just the visuals.

"

Block MAC and problem done.U cant change that,there is software for changing MAC but it aint working it changes just the visuals.

There's the small problem of the internet not working the way you think it does. To wit: your MAC address does not transit the internet. It in fact does not so much as pass your local switch, and your switch's MAC does not pass the next step and so on and so forth. There is also the problem that you actually can change it. Ethernet cards have had programmable MACs pretty much for a good decade.

"

Solution? There's nothing they can do really...

Pshah.

You know what is a 100% guarantee against economic exploitation by bots? Removing the economy, that's what. Self Found League, baby.

You wanna bot in Self Found League? Knock yourself out.

--C

A while back I took a break from PoE, and played Borderlands 2. I was amazed at how much fun the game can get when it isn't designed with an economy in mind.

PoE's default and (eventually) hc leagues are already too deep into the rabbit hole, but I expect over the next ten years botnet sophistication will reach a point where exploitable economies such as this will no longer be viewed as a viable design point, and developers will either favor highly regulated trade systems or just design around the single-player experience (like bl2 does).

We do not have "Permeate" encryption codes based on the harddrive of the computer that instals the game... or any game.

Once they create games that create permeate encryption codes for that computer and game, there will always be botters / hackers and cheats.