Anti-Bot System - Feedback Request

leik meris

Hello everyone! 👋

I'm an enthusiast and new to Lua scripting, and this is one of my first projects: an Anti-Bot System for an Open Tibia Server. I'm sharing it here to get your feedback, suggestions, and constructive criticism to improve it further. 😊


What Does It Do?

The Anti-Bot System is designed to maintain fair gameplay by detecting and discouraging the use of bots. Here's how it works:

  1. Activity Monitoring:
    • After killing a certain number of creatures (default: 10), the system triggers a captcha challenge to verify the player's legitimacy.
  2. Captcha Challenge:
    • Players have 120 seconds to solve a randomly generated captcha displayed on the client.
    • They have three attempts to submit the correct answer.
  3. Warnings and Penalties:
    • Failing the captcha (either by timeout or incorrect answers) adds a warning to the player's account.
    • Accumulating three warnings results in an automatic ban for seven days (configurable).
  4. Administrative Privileges:
    • Players with administrative roles are excluded from warnings or bans.
  5. Features for Testing:
    • Includes reset commands for storages to make testing easy.
    • Displays a user-friendly interface with a timer and real-time updates.

Why Did I Create This?

I wanted to contribute something to the community while challenging myself to learn Lua scripting and Open Tibia mechanics. It’s a beginner-friendly approach, and I’d love to hear your thoughts, feedback, and suggestions to refine the system.

Thank you for taking the time to review it! 🙏 I hope it inspires others to create and share their own scripts too. 😊

Looking forward to your feedback! 🚀

 
Can't give you feedback without seeing code. But seeing code would make the system vulnerable (possibly).

Do you generate image with letters client-side or e.g. you are using API for that or you simply use "setText" in OTC?
 
No one likes those types of anti-bot systems. I'd rather play with bots than complete a quiz 10 times while I'm exping. It has been done multiple times already and feedback was always negative from normal players, but I'm not rating your code, just the type of solution, remember.
 
It's not only anti bot system, it's anti player system too. You wouldn't have bots, but also players.

This would be so annoying to have those windows popping up during the hunt and covering game screen. This is no less harmful for players than botting itself. Besides, what happens if this window will pop up during for example annihilator? Very, very bad idea in my opinion.
 
Believe it or not, some players won't understand the captcha and others can't solve a one-digit math question
not to mention how annoying it is to interfere with players while hunting
You can set up effects on the ground that grant players a temporary boost, like increased experience or damage, for a few seconds when they step on them.
After some time, I realized that rewarding active players is more effective than punishing those who use bots.
 
So, as someone who struggled myself for a long time trying to fight bots, I can tell you first off this problem is far from "beginner friendly".
Now, that said, here's my feedback on the approach you have chosen:
1. Try to consider more metrics beyond just killing creatures, also amount has to be proportional. 10 creatures for someone going to a cave doing mas vis in 10 creatures at once is ridiculous. 1000 creatures for someone hunting using assisted bot to fight at their own level range is quite high and rewarding.

2. This won't solve assisted botting, so you want to focus exclusively on entirely afk bots?

3. I think any pixel bot today can identify messages in the screen. Beware to not make (if anything) bots smarter
------------------------
Ultimately, this will hurt the gameplay of several players (for the hassle) to punish 5% of players who might be fully afk botting. There are better ways to test players, even with afk botting without actually having them interact. Think about how bots work, common configurations and what do they represent in terms of data, then you'll see further ways to detect it.
 
It's weird if this pops up every few minutes randomly + bot can prob detect it
I think the best solution would be to allow botting but just limited?
SpiderOT has a great example in my opinion:

People can stay on 1 sqm and spam Heal and Ue with macro ( macro ingame ) and getting experience ( limited ) because monster spawn every 20+ seconds while active people can move around and lure all monsters from all kind of places ( more experience )

AFK players = Killing about 8 monsters every 20 seconds
Active players = Killing about 50+ monsters every 20 seconds
 
Instead of a captcha with complicated text, try simply checking the "I am not a bot" checkbox - bots shouldn't be able to check it because they are bots.

Also, in these days you can just make good logs and analyze them using AI.

1. Player behavior analysis
  • Collect data on player actions (moves, spell use, attacks).
  • Analyze how long players remain active without interruption.
  • Monitor reaction times to various game events.
Identify bot patterns:
Check whether players' actions are repetitive (e.g., cyclic use of spells every certain time).
Detect unrealistically fast reactions (e.g., immediate healing after receiving damage).

2. Detection system design
  1. Auto-Heal
    Detect rapid healing: Log the reaction time to damage (e.g., immediate use of a healing spell).
    Set a threshold for the minimum reaction time below which a bot is suspected.
    Random damage algorithm:
    Add a random damage mechanic to test damage, e.g. an “invisible” monster, and check the response.

  2. Anti-Kick
    Activity monitoring: Check if the player performs regular actions (e.g., moves every exactly 30 seconds).
    Log non-response to random server messages (e.g., "Answer a question in 10 seconds").

  3. Auto-Target
    Attack analysis: Verify that the player changes targets ideally (e.g., immediately after the death of one opponent).
    Set up test opponents with different priorities and monitor the player's behavior.

3. Tips
  • Avoid harsh actions at first. Instead of an immediate ban, give warnings or collect more evidence.
  • Randomness - introduce random elements that disrupt bots, such as changing the position of items in inventory.
  • Player collaboration - use reports from players as additional data for bot detection.
  • Anonymity of mechanisms - don't publicly disclose details of how the system works, so as not to facilitate the creation of more sophisticated bots.
 
The same has been extensively discussed here: How can we discourage botting? (https://otland.net/threads/how-can-we-discourage-botting.273406/)

I also tackled the same ChatGPT suggestion another guy made on page 6
 
I understand the feedback and have read your points. Most mention how annoying the captcha message can be, and I completely understand. I’m not an active server player; I’m just a developer with little experience in this area. However, I’ve come up with possible adjustments to improve the system:

Adjusting captcha triggers:
Instead of basing it on the number of monsters killed, implement a system that relies on player reports and the observation of suspicious players. Captchas would only be sent to flagged players, minimizing disruptions for others.

Passive behavior analysis:
Create a system to monitor player behavior automatically without interrupting gameplay, such as:

  • Detecting repetitive patterns (e.g., healing, spell casting, movements).
  • Analyzing reaction times to in-game events (e.g., taking damage).
    This system could calculate a "suspicion score" and trigger verification only for players who exceed a certain threshold.
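
An added example, not code from any poster in this thread: the passive "suspicion score" idea above, scoring each player from an action log by how periodic their spell casts are and how often a heal follows damage faster than a human reaction time, then producing a queue for manual review rather than a ban. The log format, the thresholds (`MIN_HUMAN_REACTION`, `HUMAN_CV`, `MIN_SAMPLES`), the equal weights and the player names are assumptions, and the sample log is constructed.

```python
import statistics
from collections import defaultdict

MIN_HUMAN_REACTION = 0.15  # seconds; assumed threshold, tune on real logs
HUMAN_CV = 0.25            # assumed: human action gaps vary at least this much
MIN_SAMPLES = 5            # too little data must never raise a score

def regularity_score(times):
    """1.0 = perfectly periodic actions, 0.0 = human-like variation."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < MIN_SAMPLES or statistics.mean(gaps) == 0:
        return 0.0
    cv = statistics.pstdev(gaps) / statistics.mean(gaps)  # coefficient of variation
    return max(0.0, 1.0 - cv / HUMAN_CV)

def reaction_score(events):
    """Fraction of heals that follow damage faster than a human could react."""
    latencies, pending = [], None
    for t, kind in events:
        if kind == "damage" and pending is None:
            pending = t                      # measure from the first unanswered hit
        elif kind == "heal" and pending is not None:
            latencies.append(t - pending)
            pending = None
    if len(latencies) < MIN_SAMPLES:
        return 0.0
    return sum(lat < MIN_HUMAN_REACTION for lat in latencies) / len(latencies)

def suspicion_score(events):
    """Equal-weight blend of both signals, in [0, 1] (weights are assumed)."""
    events = sorted(events)
    spells = [t for t, kind in events if kind == "spell"]
    return round(0.5 * regularity_score(spells) + 0.5 * reaction_score(events), 2)

def review_queue(log, threshold=0.7):
    """Players at or above the threshold, highest first, for manual review."""
    per_player = defaultdict(list)
    for player, t, kind in log:
        per_player[player].append((t, kind))
    scored = [(p, suspicion_score(ev)) for p, ev in per_player.items()]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])

def constructed_log():
    """Constructed sample data: one periodic, instant-healing player and one varied."""
    spell_at = [0.0, 1.7, 4.9, 6.2, 9.8, 11.1, 15.0, 16.4]
    heal_delay = [0.42, 0.9, 0.31, 0.65, 1.2, 0.5, 0.38, 0.77]
    log = []
    for i in range(8):
        hit = 10.0 * i + 1
        log += [("macro_like", 2.0 * i, "spell"), ("macro_like", hit, "damage"),
                ("macro_like", hit + 0.05, "heal"),
                ("human_like", spell_at[i], "spell"), ("human_like", hit, "damage"),
                ("human_like", hit + heal_delay[i], "heal")]
    return log

if __name__ == "__main__":
    print(review_queue(constructed_log()))
```

The `MIN_SAMPLES` guard keeps a player with only a handful of logged events at a score of 0, so a single lucky fast heal never puts anyone in the queue.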
 
I think captcha as a way to detect botters is a great idea. Bots are the biggest plague of ots nowadays and having those measures would surely be super efficient. There are ways to make sure you don't bother normal players too much while making the life of the botter harder.

Miracle has just implemented a "similar" system where you are teleported to a room and have to walk to a tile then answer a math question, and the teleport triggers at random right after you cast a rune spell.
 
I think captcha as a way to detect botters is a great idea
It's 2024. Captcha tasks like on this movie can be solved by AI in 0.001 sec. Get real captcha tasks like reCaptcha/hCaptcha (both pretty hard to complete even for humans) or do not use captcha at all.
1. Player behavior analysis
That's the best way to do it. That's what top games do (CS:GO, PUBG, LoL).
You can record all player network packets (cam system) and then analyse how they move/heal/attack with some PHP/Python script.
Warnings and Penalties
After years I've spent working on OTSes that wanted to ban exp bots, I know that the only punishment that works is "delete account". To use that punishment, you must have a system that detects ONLY bots (system detects potential botters, GODs verify them manually).
If you ban someone after X hours of botting for X days, it's still worth botting. Maybe not on main character, but it's worth to run 10 MCs with bot and make some money/runes, get banned and then transfer money to main character after X days.

Banning some bots (ex. elfbot and OTC bot) is not fair for normal players. Basic tools to detect client-side bots may block 99% of bots, but there is 1% of hackers that will make custom bots just to bot on your server.
I once added a .dll to the client that blocked all popular bots and the number of botters went from 500 online to 3 online in 1 day (the client crashed when a bot was detected on the client), but there was still 1 guy who made a custom bot for OTS and shared it with his 2 friends to bot. I checked him manually, he was active (talked with me), but his attack/heal/walk (cam system) patterns were 100% bot, so he got an account deletion.

You don't need any tool. Check bots manually of GOD - it's easier with cams system tool to detect bots heal/attack/walk patterns -, delete accounts after first bot detection and in few days you will have 0 bots online.
 
That's the best way to do it. That's what top games do (CS:GO, PUBG, LoL).
Top games use kernel-level anti-cheat. That's the best and only way to protect the game (and even that is not perfect)

Vanguard, Battleye, FACEIT Client Anti-cheat, EAC—all these are kernel-level, and each would block 100% of commercial tibia bots available for OTS.

Since this is a popular thread, I'll mention it again—EAC is 100% free. My friends added it to the OT; since then, no bot has been updated to work on the server. Additionally, it's [anticheat] being updated very often for free by true professionals.

The only real reasons OT devs are not taking advantage of this free solution to the botting case are that they are not skilled enough to implement it or want players to bot on their server. (This sentence is not a fact but my personal opinion)


You don't need any tool. Check bots manually of GOD - it's easier with cams system tool to detect bots heal/attack/walk patterns -, delete accounts after first bot detection and in few days you will have 0 bots online.

This is a 100% bad idea. I've been doing that on a server with only 250 concurrent unique players online, and it was effectively a 24/7 job that didn't result in banning all bad actors. (Even when I banned not only the bot account but all accounts connected to the botting player it wasn't enough to make people not bot) - again, EAC solved that issue.
 
Can u send me the ip of your friends server?
 
This is a 100% bad idea.
I did not say it's a 100% good idea. It's an idea to ban all exp bots.
We banned 100% of bots using client-side or server-side code and the number of players online dropped from 2000+ to 200+ in a few days. It looks like most players prefer to bot. I did not say that banning exp bots is a good idea.
Even when I banned not only the bot account but all accounts connected to the botting player it wasn't enough to make people not bot
You are still talking about banning. Just delete their accounts, they won't come back. Of course you've got to broadcast to everyone that these players get deleted.

From my experience, they never came back (on a given anti-bot edition). If they start to bot, it takes ~4 hours to get level 20 and you delete their accounts in 1 hour, they won't bot.
That's why it takes so much time on real-tibia and other games to pass 'tutorial'/'X level'. If you spend X hours to pass single player game (rook), there is a lot of data to process (easy to detect bot).
 
I think captcha as a way to detect botters is a great idea. Bots are the biggest plague of ots nowadays and having those measures would surely be super efficient. There are ways to make sure you don't bother normal players too much while making the life of the botter harder.
Sorry, but it's a terrible idea. It will annoy real players equally or even more than cheaters.
It can only do something to cheaters that go completely afk, and I mean completely afk, without any alarms even, but these are quite easy to get anyway. Meanwhile, it will be the most efficient in annoying real players, or even putting them in danger sometimes.
 
I'm still surprised server owners prefer 400 afk players over 100 active players :D
 
Sorry, but it's a terrible idea. It will annoy real players equally or even more than cheaters.
It can only do something to cheaters that go completely afk, and I mean completely afk, without any alarms even, but these are quite easy to get anyway. Meanwhile, it will be the most efficient in annoying real players, or even putting them in danger sometimes.
It would be good for preventing macro rune makers that inflate the economy. (which is the biggest chunk by far of the bot/macro problem).

We already have an experiment going on with thousands of players on Miracle where players are teleported to a room after casting a rune spell, and it seems to be going fine. There were not many complaints from real players about it being annoying; in fact it seems to have been well received as a way to prevent botting, and that one is more disruptive than a simple pop-up with captcha.
My opinion is influenced by this ongoing experiment, which provides us with real data that this can work. I feel a captcha would be better at preventing bots, as the current one in Miracle is bypassable by anyone that can use chatgpt + python, while bypassing Captcha is much harder / costly even for a developer (considering it's a good captcha).

You can always add a set of rules so initially it only works if you detect it is someone rune making while afk / semi-afk, so you don't bother people actively hunting, although of course cavebotting could happen but it is much more rare. This could be combined with other pattern recognition methods like leik said.
 