Facepunch tackle DDOS attacks: “We can’t have the fate of your Rust hanging on the whim of script kiddies”

Facepunch have tackled the source of exploits used in the Rust DDOS attacks.

Rust is out on Early Access; here’s our Rust review.

Thank goodness for honest toil. In lieu of anything work-related to worry about, the last week has seen humankind engage in a multitude of sins. Many chose to leave the TV on long enough to witness 1995’s Casper the Friendly Ghost in its entirety; an oddball few decided to spend their post-Christmas period pummeling the servers of Garry ‘Garry’s Mod’ Newman’s Lord of the Flies-ish survival sim, Rust, into inertia.

“We know it’s not totally our fault,” wrote Garry on Friday, “but at the same time it is. If you have exploits then people are going to exploit them. That’s just how the world works.”

Ordinarily – and it breaks my heart to admit that malicious attacks on games and their developers are now the norm, but they are – DDOS attackers bombard a server with so much traffic that it becomes totally unusable. That’s not been the case here: instead, attackers have periodically targeted occupied servers with empty packets via Rust’s third-party networking library, uLink.

The library has served Facepunch well, allowing the studio to stuff 300 players on a server at once. But Newman noted on Friday that it’s “not without its issues”.

“I get the feeling that it’s not that widely used – so there’s a lot of relatively simple exploits that haven’t been found,” he wrote. “I’ve optimistically reported the latest issues to them, but we’re not that hopeful that we’ll get a timely fix. We’d love to take matters into our own hands but we can’t look into the issues and fix them ourselves because all their code is obfuscated.”

Newman apologised for the attacks, which he took a degree of responsibility for. “We hope they get bored soon and everyone can get back to playing and we can get back to making,” he said. “Until that happens we all have to suffer through this crap.”

At the time, Facepunch appeared to be considering dramatic backup plans – detaching Rust from uLink in favour of a different networking library, or one they’d rewrite themselves. By Saturday, however, the hackers had begun to lose interest, and Facepunch were working directly with uLink’s creators to plug the holes.

“We could not be happier with the dedication they’re showing us right now,” said Garry in a follow-up post. “Doubly so considering it’s the weekend, and the holidays.”

Attacks have continued “on and off” in the days since – but after calling for information from players and the attackers themselves, Facepunch pushed out an update yesterday that should have resolved the most pressing problems.

“Thanks for sticking with us and being patient while we’ve muddled our way through these issues,” wrote Newman. “The servers aren’t bulletproof, but hopefully we’ve made it a bit harder to completely take them down.”

Now Facepunch can return to Rust’s bugs which, given the game’s placement in Steam Early Access, are understandably legion. Rust’s community have been pretty vocal about those, as well as the cheats, aimbots and wallhacks that have popped up in recent weeks.

“We probably haven’t made it clear enough what our strategy [on cheating] is, or how it works,” said Newman. “VAC is active. VAC doesn’t ban people straight away. It doesn’t try to stop people cheating. It logs them. The bans are validated. Then they are all banned in a wave. This could take a week, it could take a month, it could take 3 months. But rest assured that hackers will be VAC banned – so please do not be tempted to cheat.”

In short, Facepunch continue to ask lots of patience from their playerbase – but early accounts suggest Rust’s been worth it. How’ve you lot found the game that’s sat steadfastly in Steam’s top seller’s list, despite the ongoing Holiday Sale?