rugbugredfern avatar image
rugbugredfern asked

Preventing account botting with CloudScript

Recently I had an issue where someone created 100,000 new accounts, maxxing out our player cap. All of the accounts were created from the same IP address, a VPN, and have no statistics/display names. I've seen Cloud Scripts as a solution, but have no idea where to start. I am wondering if there is any solution to:

  1. Delete all of the botted accounts, by deleting all accounts created from the given IP
  2. Prevent multiple accounts from being created from the same IP to prevent something like this in the future.
Account ManagementCloudScript
10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

1 Answer

brendan avatar image
brendan answered

That seems odd, since we limit the number of API calls per IP Address, so it would take them quite a while to do that. Also, it's not clear why they would bother, since there's no real "reward" for doing so.

Looking at your title, I do see the behavior in question. If you haven't already (and for others), the way to find the IP Address used for this would be a query like this in the Data Explorer:

| where FullName_Name == "player_logged_in"
| where Timestamp > ago(7d)
| summarize totalNum = count() by tostring(EventData.IPV4Address)

You could then also find the exact time range for this like so:

| where FullName_Name == "player_logged_in"
| where EventData.IPV4Address == ""
| summarize Min = min(Timestamp), Max = max(Timestamp)

If they're the only person that signed in during that period, you could just ban anyone that signed in during that period (or delete their accounts). But, since that's pretty unlikely, you'll need to look for other common factors. For example, if you always set a Statistic or other trackable (and Segment-able) value in the player profile on their first play, you could just create a Segment for players that don't have that value, and so delete them all at once. Generally speaking, someone doing this isn't likely to spend a lot of time following up, so you could also just identify accounts that haven't been active for some period and delete them.

One thing I would definitely recommend is to turn off all the API endpoints you're not using via the API Policy Permissions.

We're also looking at potential actions we may take against the IP in question.

10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

rugbugredfern avatar image rugbugredfern commented ·

Thanks for your response. The accounts in question have no statistics associated with them at all, but I cannot figure out how to make a segment for players without a statistic. If I was able to make a segment for all players without the "Exp" statistic and delete them that would be great, since all players who join a match will get an Exp statistic, so I can easily differentiate between bot accounts and real players.

0 Likes 0 ·
brendan avatar image brendan rugbugredfern commented ·

In the current model, you can't really segment on a lack of something, so what you would need to do is write a small script that checks for the invalid state and deletes the player account if it's invalid. Then, you could run that as a Scheduled Task against the All Players segment. If you believe the hacker in question will be continuing to re-use those accounts, you could additionally have a script that's triggered in reaction to a login call. It would check that, for any login which is not the first time the player logs in, if the invalid state is still on the player account, that account is deleted.

0 Likes 0 ·
rugbugredfern avatar image rugbugredfern brendan commented ·

All right, I've been able to get all of the player logged in events for this IP, but how can I delete the accounts with this information?

0 Likes 0 ·
Show more comments
Show more comments
Burak Sen avatar image Burak Sen commented ·

`turn off all the API endpoints you're not using via the API`

@brendan What do you mean by 'All', since there are so many endpoints. Can you please provide some more details about: which endpoints should be disabled.

0 Likes 0 ·
brendan avatar image brendan Burak Sen commented ·

The API policy ( allows you to turn off API methods (endpoints) you're not using, in order to minimize the surface area a hacker could attempt to use. In this case, the Client API calls. As to which ones to turn off, that's up to you. I'd recommend reviewing which ones you're using in the client app, and turn off all the others.

2 Likes 2 ·

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.