bwildetalk asked

Title being spammed with fake players

Unfortunately, some people have recently been spamming my title with fake players to try to get me to the free 100k player limit and get it deleted. I was able to stop a few attacks by blocking a few endpoints (login with Switch, iOS, and Android device IDs) then using segments to get rid of the players that they had already spammed. However, I have now hit a roadblock. My game (Unity, by the way) authenticates by just logging in with the unique device identifier as a custom ID. And now, someone has started spamming players using custom IDs as well. I can't really use the same approach as the other attacks by blocking endpoints since blocking this one would cause the game to not authenticate unless I changed something in the game. They are spamming at a fairly slow rate since it seems to be from only one IP and they can only use the one endpoint, so I probably have a decent amount of time, but if anyone could provide advice on stopping this attack it would be appreciated.

unity3d

1 Answer

Neils Shi answered

Since the login API LoginWithCustomID requires no authentication headers, if hackers know your title ID, they can create "fake accounts" easily. But PlayFab Login APIs have IP-based rate limits, which can prevent hackers from registering a large number of accounts in a short period of time. In your case, since the hacker only used one IP, you can ban this IP address directly. We also recommend that you use a non-anonymous login method if you can, which makes it more difficult for hackers to create accounts. After that, you can use the API access policy to disable certain Client APIs (which you don't need).

2 comments

bwildetalk commented

Thanks. I do have one question though, do you know of a good non-anonymous login method to use? My game is on Oculus by the way.

Neils Shi commented (replying to bwildetalk)

As for non-anonymous login methods, the simplest options are LoginWithPlayFab or LoginWithEmailAddress. You can also consider using a third-party login API, for example LoginWithFacebook. For more info, you can refer to https://learn.microsoft.com/en-us/gaming/playfab/features/authentication/login/login-basics-best-practices#recoverable-login-mechanisms.

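The answer above suggests banning the single source IP. As an added example (not from the thread and not PlayFab code), this sketch finds which IP is creating accounts at a slow but steady rate and lists the accounts to clean up. It assumes you have account-creation records with a timestamp and source IP; the record layout, thresholds and sample data are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 1, 10, 0, 0)

# Constructed sample data. The (player_id, created, ip) layout is hypothetical,
# not a PlayFab export format; IPs come from documentation ranges.
SAMPLE = [(f"SPAM{i:02d}", BASE + timedelta(minutes=10 * i), "198.51.100.7")
          for i in range(6)]  # one new account every 10 minutes from one IP
SAMPLE += [
    ("HOME01", BASE + timedelta(minutes=5), "203.0.113.20"),   # two devices,
    ("HOME02", BASE + timedelta(minutes=50), "203.0.113.20"),  # one household
    ("SOLO01", BASE + timedelta(minutes=30), "192.0.2.44"),
]


def flag_ips(records, window=timedelta(hours=1), max_new=3):
    """Return {ip: [player_ids]} for every IP that created more than
    max_new accounts inside any sliding window of the given length."""
    by_ip = defaultdict(list)
    for player_id, created, ip in records:
        by_ip[ip].append((created, player_id))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > max_new:
                # Report every account from this IP as a cleanup candidate.
                flagged[ip] = [pid for _, pid in events]
                break
    return flagged


if __name__ == "__main__":
    for ip, players in flag_ips(SAMPLE).items():
        print(ip, "->", ", ".join(players))
```

A one-minute window with the same threshold flags nothing on this data, which is why a slow spammer needs a longer window than a burst-oriented rate limit.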