Personally, I wouldn't go overboard too early. Even if you encrypt your packets like Jonathan is recommending, hackers like my brother will just access the packet data before it's encrypted. If malicious users want in, they will find a way in.
Now that that's out of the way, there are ways for indie developers to minimize the damage malicious users can do. You should probably encrypt your outbound packets, but that will only stop certain kinds of attacks; don't fool yourself into thinking it's now "hack proof". To really turn hackers off, give the clients as little game-changing control as possible. One of these big MMOs out there used to allow the clients to tell the server how much XP they've earned. Guess what happened there? Don't do that. Let the client tell the server that they want to cast some super-spell on the creature, and then let the server resolve the action and then add the XP when the creature is dead. The clients should be thin, dumb terminals that can send and receive commands, and can do some prediction (if necessary). The server should be running the game and react to commands sent by the clients.
Large game companies use the above in addition to something like VAC or PunkBuster to prevent known hackers from continuing to disrupt paying customers. How these security measures work is kept fairly secret, but I do know one method that they use: they scan currently-running applications and compare those against lists of known hacks. Once you have been caught cheating, you will be unable to join VAC/PunkBuster secured servers.
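As an added illustration (not code from this answer or from any real game), here is a small server-side handler in Python that contrasts the "client reports its own XP" anti-pattern described above with a server-authoritative version that only accepts intent and resolves the outcome itself. The message layout, the spell table and all numbers are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample game state (assumed; not from the post).
@dataclass
class Creature:
    hp: int
    xp_reward: int

@dataclass
class Player:
    xp: int = 0
    mana: int = 100
    # Hypothetical spell table: name -> mana cost and damage dealt.
    spells: dict = field(default_factory=lambda: {"super-spell": {"cost": 30, "damage": 50}})

def handle_insecure(player: Player, msg: dict) -> int:
    """Anti-pattern: the server trusts whatever XP the client claims it earned."""
    if msg.get("type") == "xp_earned":
        player.xp += int(msg["amount"])   # client-controlled value goes straight into state
    return player.xp

def handle_authoritative(player: Player, creature: Creature, msg: dict) -> str:
    """Server-authoritative: the client may only state intent; the server validates
    every precondition, resolves the action and awards XP itself."""
    if msg.get("type") != "cast":
        return "rejected: unknown command"       # 'xp_earned' and friends never exist
    if "amount" in msg or "damage" in msg:
        return "rejected: client-supplied result"  # server-owned quantities are never accepted
    spell = player.spells.get(msg.get("spell"))
    if spell is None:
        return "rejected: unknown spell"
    if creature.hp <= 0:
        return "rejected: target already dead"
    if player.mana < spell["cost"]:
        return "rejected: not enough mana"
    player.mana -= spell["cost"]
    creature.hp -= spell["damage"]
    if creature.hp <= 0:
        player.xp += creature.xp_reward          # XP is derived from the server's own resolution
        return "creature killed"
    return "hit"
```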