Hi Fletcher, I was just hoping you could clarify something for me. For A2S_PLAYER, is the challenge still required once the 1200 byte minimum is implemented? And if so, does the challenge query need to be >1200 bytes, or just the subsequent A2S_PLAYER query which includes the challenge response?
Thanks!
Dave

On Wed, Nov 18, 2020 at 7:53 PM Fletcher Dunn - fletcherd at valvesoftware.com (via csgo_servers list) <csgo_servers@list.valvesoftware.com> wrote:

> A Steam client beta has just been released, with the following change notes relevant to the A2S_INFO discussion:
>
> *Server Browser*
>
> · Server browser packets (A2S_INFO, A2S_PLAYER, A2S_RULES) sent by clients will now be at least 1200 bytes. (For more details, see https://steamcommunity.com/discussions/forum/14/2989789048633291344/) Third party tools that send these packets are especially encouraged to read this thread.)
>
> · Improved gameserver challenge generation to harden against certain DoS attacks
>
> https://steamcommunity.com/groups/SteamClientBeta/announcements/detail/2896339990496271925
>
> Also, if you use the steamclient.dll/.so with that beta, you can activate the new, stricter message handling on the gameserver by setting the environment variable STEAM_GAMESERVER_MIN_CONNECTIONLESS_PACKET_SIZE=1200
>
> This is just the *beta* steam client, not the full public release. Only a set of users will be using this client, and we are not quite to deployment step #1 described below.
>
> *From:* Fletcher Dunn
> *Sent:* Monday, November 16, 2020 4:47 PM
> *To:* 'hlds_annou...@list.valvesoftware.com' <hlds_annou...@list.valvesoftware.com>
> *Subject:* RFC: Changes to the A2S_INFO protocol
>
> Hello!
>
> Over the next couple of months we will be releasing some changes to how servers and clients using steamclient.so/dll handle the venerable Source engine A2S_INFO message used by the server browser. This includes the Steam client server browser, all Source engine games, and all Steam games using the ISteamMatchmaking API. The purpose of these changes is a long overdue fix for a reflection attack vulnerability.
>
> This email is to let you know what those plans are and to solicit your feedback. Fixing the vulnerability requires changing the protocol and will necessarily break existing third party utilities that speak the protocol.
>
> Currently, the A2S_INFO packet looks like this:
>
> 4 bytes: 0xFFFFFFFF
>
> 1 byte: 0x54 (A2S_INFO packet type identifier)
>
> 20 bytes: "Source Engine Query\0"
>
> The proposal is for clients to modify the A2S_INFO packet they send in one of two ways:
>
> Option 1: Pad the message with zeros, so that the request is larger than the reply. The passes size is TBD, but it will probably be at least 800 bytes, and perhaps as high as 1200. Feedback is requested concerning this size.
>
> Option 2: Append a 4-byte anti-spoofing challenge obtained using the existing A2S_PLAYER or A2S_RULES messages.
>
> Note that both options produce a packet that is acceptable to the current code in steamclient.so/dll. However, any custom handlers might have stricter behavior, and will need to be updated to be aware that “extra” data might appear after the end of the magic string in packets from legitimate clients.
>
> Once all clients are using one of these two options, a server wishing to avoid being vulnerable to reflection attacks could drop any A2S_INFO packets below a minimum size without a challenge.
>
> The changes would be deployed as follows:
>
> 1.) First, we will release a new Steam client that sends A2S_INFO messages padded to a minimum size. (Option #1 above.) Since it takes time for Steam client updates to roll out to all Steam users, and for third parties to change their code to make queries in the new format, we will not change the server to require the new format by default. However, the server code will be updated to look for an environment variable that can be used to opt into the new, stricter behavior. This is so that third parties can test their clients to make sure they are compliant with the new server code.
>
> 2.) As more clients upgrade to the new code and third party tools are updated to send queries in the new format, server operators may elect to opt into the new behavior at their discretion using the environment variable.
>
> 3.) After some time has passed (and we have posted several warnings on this mailing list), we will ship a new steamclient.so/.dll that has the strict behavior enabled by default. A different environment variable can be used to use the older, more permissive behaviour.
>
> If you have any concerns or feedback about this change, please post it to hlds_annou...@list.valvesoftware.com. After feedback has been collected and details finalized, I’ll post again with more technical details about the changes that are going to be made.
>
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives, please visit:
> https://list.valvesoftware.com/

--
Dave Parker '11
Database & Systems Administrator
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177
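
The strict A2S_INFO handling described in the quoted RFC, sketched as an added example (not Valve's code and not part of either message): a client builds the Option 1 and Option 2 requests, and a server drops any A2S_INFO below the minimum size that carries no valid challenge. The function names, the HMAC-derived challenge and the sample addresses are assumptions; the thread does not say how steamclient generates or checks challenges.

```python
import hashlib
import hmac

# Layout quoted in the RFC: 0xFFFFFFFF, 0x54, "Source Engine Query\0" (25 bytes).
A2S_INFO_REQUEST = b"\xff\xff\xff\xff" + b"\x54" + b"Source Engine Query\x00"
MIN_SIZE = 1200  # value given for STEAM_GAMESERVER_MIN_CONNECTIONLESS_PACKET_SIZE


def build_padded_query(min_size=MIN_SIZE):
    """Option 1: zero-pad the request up to min_size bytes."""
    return A2S_INFO_REQUEST.ljust(min_size, b"\x00")


def build_challenged_query(challenge):
    """Option 2: append the 4-byte anti-spoofing challenge."""
    if len(challenge) != 4:
        raise ValueError("challenge must be exactly 4 bytes")
    return A2S_INFO_REQUEST + challenge


def expected_challenge(secret, addr):
    """Hypothetical scheme: bind the challenge to the sender's IP and port."""
    ip, port = addr
    mac = hmac.new(secret, f"{ip}:{port}".encode(), hashlib.sha256)
    return mac.digest()[:4]


def classify_info_query(packet, addr, secret, min_size=MIN_SIZE):
    """Return 'reply', 'drop', or 'not_a2s_info' for one received datagram."""
    if not packet.startswith(A2S_INFO_REQUEST):
        return "not_a2s_info"
    if len(packet) >= min_size:
        return "reply"  # request is at least min_size, so no cheap reflection
    trailer = packet[len(A2S_INFO_REQUEST):]
    if len(trailer) == 4 and hmac.compare_digest(
        trailer, expected_challenge(secret, addr)
    ):
        return "reply"  # small packet, but the sender proved it owns addr
    return "drop"  # legacy 25-byte query or wrong challenge


if __name__ == "__main__":
    secret = b"constructed-demo-secret"       # constructed sample value
    client = ("198.51.100.7", 27005)          # constructed sample address
    samples = {
        "legacy": A2S_INFO_REQUEST,
        "padded": build_padded_query(),
        "challenged": build_challenged_query(expected_challenge(secret, client)),
    }
    for name, pkt in samples.items():
        print(name, len(pkt), classify_info_query(pkt, client, secret))
```
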