Photon-GitHub / AntiCheatAddition

An anticheat with niche checks to cover cheats usually not covered by anticheats.
GNU General Public License v3.0
151 stars 43 forks

Several suggestions #544

Closed Not-a-Tyler closed 4 months ago

Not-a-Tyler commented 1 year ago

1. Add some kind of shield hitting check. I have not found a single anticheat that can detect you blocking with your shield and hitting someone at the same time, so I had to make a skript to detect this. My skript false flags sometimes if a player has high ping, so it currently just cancels the hit.

2. Add some kind of killaura bot that other anticheats can use when they flag killaura. I have several suggestions for this to not get bypassed by AntiBot. Always have the bot loaded in the player's render distance and teleport to the player when a command gets run. Another thing you could do is have the bot steal someone else's name/skin on the server that's not the guy the suspected cheater is currently fighting.

3. Something else to prevent AntiBot would be to lie about everything being sent to players that a normal player couldn't see. Below I will list some examples I thought of.

4. For example, to bypass the ping check in AntiBot, if a player has anywhere from 0-150 ping just tell every other player that they have 0 ping, and every other bar just has the minimum amount of ping for that bar.

5. Another example would be spoofground (I'm not sure if this is possible since I don't know Java), but AntiBot in some clients has an invalid ground check, so maybe just show that every player is floating 100% of the time.

6. Another example could be gamemode: if you somehow spoof a survival mode player into creative (again, I'm not sure if this is possible), if a hacked client thinks all players are in creative then it is not going to attack them.

7. Another example would be to stop clients from checking if a bot is on the server or not. If every player had a different tablist, tab-completion, and player name above their head, then it would be extra hard for a client to determine if a bot is actually a real player in the server or not. You could do this by having some kind of zero-width space or alternate character that looks the same as the normal font, different in all 3 of these places. The zero-width character works but it would have to be different on different versions; there isn't a character that works on every Minecraft version. I don't believe it would work as well on premium servers, since clients will have the UUID of a player's skin due to the player's face in tablist and could base off of that rather than the name, but you could add an option to not render the player's face so that this would work.

8. Another thing to spoof is item durability along with item amounts. Maybe also potion effects. I guess you could not send item NBT but check if the item has an enchant and send the spoofed one if it does.

9. Make the nametag of players not be from the player, but instead have them be from a separate entity, like have an invisible armor stand following every player with their name, instead of the actual player having the name.

10. Something else that would be nice is spoofing the server's plugins from hacked clients. I have plugin-hide but I can still see my server's plugins by running .server plugins massscan/bukkitver in meteor client.

11. Better xcarry detection. Using meteor client I equip random items as armor and leave them in my crafting area.

12. Prevent entity owner. In meteor client I can enable entity owner and see who owns what animal.

These are just things I thought you could add to AnticheatAdditions to make it better.
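
An added example, not AntiCheatAddition's own code and not the poster's skript: one way to handle suggestion 1 so that a high-ping player is not punished for a single ambiguous hit. Every hit made with the shield raised is cancelled, but a flag is raised only after several counted hits. It is plain Java 16+ with no Bukkit dependency; the event names, the tick thresholds and the constructed trace are assumptions.

```java
import java.util.List;

public class ShieldHitCheck {
    enum Kind { BLOCK_START, BLOCK_STOP, ATTACK }
    enum Verdict { ALLOW, CANCEL, FLAG }
    record Event(long tick, Kind kind) {}

    // All three thresholds are assumed values for illustration (20 ticks = 1 second).
    static final int GRACE_TICKS = 3;     // hits this close to a block toggle are not counted
    static final int FLAG_THRESHOLD = 3;  // counted hits needed before flagging
    static final int DECAY_TICKS = 100;   // one counted hit is forgiven per 100 quiet ticks

    private boolean blocking;
    private long lastToggle, lastCounted;
    private int buffer;

    Verdict handle(Event e) {
        if (e.kind() != Kind.ATTACK) {
            // Track the shield state as the server sees it.
            blocking = e.kind() == Kind.BLOCK_START;
            lastToggle = e.tick();
            return Verdict.ALLOW;
        }
        if (!blocking) return Verdict.ALLOW;
        // A hit with the shield raised never lands, whatever the cause.
        // Right after a toggle the timing is ambiguous: cancel, but do not count it.
        if (e.tick() - lastToggle <= GRACE_TICKS) return Verdict.CANCEL;
        // Forgive old counted hits, then count this one.
        buffer = Math.max(0, buffer - (int) ((e.tick() - lastCounted) / DECAY_TICKS));
        lastCounted = e.tick();
        return ++buffer >= FLAG_THRESHOLD ? Verdict.FLAG : Verdict.CANCEL;
    }

    public static void main(String[] args) {
        // Constructed trace for one player, not captured from a real server.
        List<Event> trace = List.of(
            new Event(10, Kind.BLOCK_START),
            new Event(11, Kind.ATTACK),   // inside the grace window
            new Event(20, Kind.ATTACK),
            new Event(25, Kind.ATTACK),
            new Event(30, Kind.ATTACK),
            new Event(40, Kind.BLOCK_STOP),
            new Event(50, Kind.ATTACK));
        ShieldHitCheck check = new ShieldHitCheck();
        for (Event e : trace) {
            System.out.println(e.tick() + " " + e.kind() + " -> " + check.handle(e));
        }
    }
}
```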

Janmm14 commented 1 year ago

> Something else that would be nice is spoofing the server's plugins from hacked clients. I have plugin-hide but I can still see my server's plugins by running .server plugins massscan/bukkitver in meteor client.

Denying the proper permissions blocks tab complete of specific commands like /ver or /icanhasbukkit. Using spigot config you can set like 3 min chars for general command tabcomplete.

Most Antibot should still be capable of even identifying bots when using the measures you provided.

Mounting stuff on player hides player nametag usually.

Not-a-Tyler commented 1 year ago

I made a skript with all of the suggestions I added in this with Citizens and libsdisguises and I am unable to get FDP client's antibot to work at all. I think it would be easily bypassable if you knew how it worked. My skript is very bad at the moment and doesn't have the NPC always loaded and it can't support 2 players. But I can't bypass it with antibot in FDP at least. Here is my test server 71.87.162.163:25564 if you want to test, run /killaura playername

Photon-GitHub commented 1 year ago

Long ago, I had a bot check, but I removed it quite some time ago. It simply was not worth it. As my plugin was/is used on quite large servers, client coders tried to bypass it, and they would. In the end, they checked if the motion of the bot was correct and limited the killaura to a certain field of view. In that regard, it was pretty much impossible to make the check useful, as the bot would need to jump in the view of any normal player as well; invisible entities were obviously ignored. Also, the check got so large and time-intensive that it was my main task, and it needed a recode for pretty much every new Minecraft version. Therefore, I will not implement that anymore. A simple bot is not really interesting, as most other checks of your main AC should detect any bad killaura.

Other than that:

1) The shield - hit check is a great suggestion, I will include it in a future version (though I will have exams soon, so it will probably take a month).

8) I could try and spoof item counts of players just like I spoof enchantments with EnchantmentHider right now.

9) That is interesting, but nametags are not easily hidden. What might be interesting is hiding the tablist of players in combat as that might trigger some antibots to see all players as potential bots and killaura not attacking anyone.

At last, I want to thank you for your suggestions, they will be great additions :)

Not-a-Tyler commented 1 year ago

Ok, yea it would be easily bypassable with a field of view check. With libsdisguises I can set everyone's playername to either Dinnerbone or deadmau5 with the player's actual name not rendered but have their armor stand name set. Libsdisguises also sets their ping to "-1", which I assume means it's not sending the ping at all, but their ping in tablist is normal. If I could figure out how to compile it I could change this to whatever I wanted and name it like "NoHackers" or something and only cheaters would be able to see it. Another kind of cheat detection I have is making players click a runcommand chat event that just runs .say something, and if you just receive the something part and not the .say part then they're a cheater. This got patched in 1.19.1 because of chat reporting and it's patched on liquidbounce/fdp and wurst but still works on many clients including rise, aristois and most others. Also sorry for my bad English.

Not-a-Tyler commented 1 year ago

Something else I found that you may want to look into is wraith's vanillaspoof detection. It can detect meteor/wurst/aristois vanillaspoof modules and says something about a "blank message"; with meteor/aristois you need fabric-api to get it to detect you. But aristois has a forced vanillaspoof, so the player doesn't have to actually enable it and they just need to add fabric api via the addons marketplace in the client. Somehow it can also detect if you have the midnight controls mod with vanillaspoof on.

Not-a-Tyler commented 1 year ago

Another thing you may want to look into is using browser fingerprinting to ban players. When someone new joins, make them go to a link in their web browser and that gets their fingerprint id using https://fingerprint.com/demo or https://noscriptfingerprint.com/ (these are on GitHub somewhere). There is basically no easy way to bypass this if you have some kind of antibot and an antivpn; the only way I found is either completely switching browsers or using tor (which an antivpn could block). Reinstalling your browser doesn't work.

Photon-GitHub commented 1 year ago

Yeah, I am not going to do that for several reasons:

1) This is way beyond the scope of my plugin.

2) There are legal problems with that, as that would mean your server needs a clause in a privacy policy and it might very well be saving personally identifiable data which is under additional protection.

3) It is really easy to bypass, just use the TOR browser without the vpn part or a private one. Even with a normal vpn most „antivpn“ plugins are not able to do anything, they usually just have lists of ip addresses of known vpns. Or even easier, just use a browser add-on that will generate a random fingerprint for you. The fingerprint is just the sent HTTP data, so you can modify that.

Photon-GitHub commented 1 year ago

Shield check added in 8.4.0

Photon-GitHub commented 4 months ago

The suggestions I wanted to add are included in 9.0.0.