The new gameserver code will drop all A2S_PLAYER packets < 1200 bytes, if the environment variable is set. No challenge is necessary for packets >= 1200, but if the environment variable is set to allow <1200 packets, then the challenge will be required for such packets.
The new client code will always send 1200 byte packets. It will also know how to do the challenge handshake, for compatibility with old servers.

From: [email protected] <[email protected]> On Behalf Of David Parker
Sent: Monday, November 23, 2020 10:39 AM
To: [email protected]
Subject: [External Mail] Re: [Csgo_servers] Steam Client beta released with changes to the A2S_INFO protocol

Hi Fletcher,

I was just hoping you could clarify something for me. For A2S_PLAYER, is the challenge still required once the 1200 byte minimum is implemented? And if so, does the challenge query need to be >1200 bytes, or just the subsequent A2S_PLAYER query which includes the challenge response?

Thanks!
Dave

On Wed, Nov 18, 2020 at 7:53 PM Fletcher Dunn - fletcherd at valvesoftware.com (via csgo_servers list) <[email protected]> wrote:

A Steam client beta has just been released, with the following change notes relevant to the A2S_INFO discussion:

Server Browser
• Server browser packets (A2S_INFO, A2S_PLAYER, A2S_RULES) sent by clients will now be at least 1200 bytes. (For more details, see https://steamcommunity.com/discussions/forum/14/2989789048633291344/) Third party tools that send these packets are especially encouraged to read this thread.
• Improved gameserver challenge generation to harden against certain DoS attacks

https://steamcommunity.com/groups/SteamClientBeta/announcements/detail/2896339990496271925

Also, if you use the steamclient.dll/.so with that beta, you can activate the new, stricter message handling on the gameserver by setting the environment variable

STEAM_GAMESERVER_MIN_CONNECTIONLESS_PACKET_SIZE=1200

This is just the beta steam client, not the full public release. Only a set of users will be using this client, and we are not quite to deployment step #1 described below.

From: Fletcher Dunn
Sent: Monday, November 16, 2020 4:47 PM
To: '[email protected]' <[email protected]>
Subject: RFC: Changes to the A2S_INFO protocol

Hello!

Over the next couple of months we will be releasing some changes to how servers and clients using steamclient.so/dll handle the venerable Source engine A2S_INFO message used by the server browser. This includes the Steam client server browser, all Source engine games, and all Steam games using the ISteamMatchmaking API. The purpose of these changes is a long overdue fix for a reflection attack vulnerability. This email is to let you know what those plans are and to solicit your feedback.

Fixing the vulnerability requires changing the protocol and will necessarily break existing third party utilities that speak the protocol.

Currently, the A2S_INFO packet looks like this:

    4 bytes: 0xFFFFFFFF
    1 byte: 0x54 (A2S_INFO packet type identifier)
    20 bytes: "Source Engine Query\0"

The proposal is for clients to modify the A2S_INFO packet they send in one of two ways:

Option 1: Pad the message with zeros, so that the request is larger than the reply. The padded size is TBD, but it will probably be at least 800 bytes, and perhaps as high as 1200. Feedback is requested concerning this size.

Option 2: Append a 4-byte anti-spoofing challenge obtained using the existing A2S_PLAYER or A2S_RULES messages.

Note that both options produce a packet that is acceptable to the current code in steamclient.so/dll. However, any custom handlers might have stricter behavior, and will need to be updated to be aware that “extra” data might appear after the end of the magic string in packets from legitimate clients.

Once all clients are using one of these two options, a server wishing to avoid being vulnerable to reflection attacks could drop any A2S_INFO packets below a minimum size without a challenge.

The changes would be deployed as follows:

1.) First, we will release a new Steam client that sends A2S_INFO messages padded to a minimum size. (Option #1 above.) Since it takes time for Steam client updates to roll out to all Steam users, and for third parties to change their code to make queries in the new format, we will not change the server to require the new format by default. However, the server code will be updated to look for an environment variable that can be used to opt into the new, stricter behavior. This is so that third parties can test their clients to make sure they are compliant with the new server code.

2.) As more clients upgrade to the new code and third party tools are updated to send queries in the new format, server operators may elect to opt into the new behavior at their discretion using the environment variable.

3.) After some time has passed (and we have posted several warnings on this mailing list), we will ship a new steamclient.so/.dll that has the strict behavior enabled by default. A different environment variable can be used to use the older, more permissive behaviour.

If you have any concerns or feedback about this change, please post it to [email protected].

After feedback has been collected and details finalized, I’ll post again with more technical details about the changes that are going to be made.

_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit:
https://list.valvesoftware.com/

--
Dave Parker '11
Database & Systems Administrator
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177
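
The two client options and the server-side drop rule from the RFC above, as an added Python example that is not part of the thread and is not Valve's code. The HMAC-based challenge, the secret and the addresses are assumptions constructed for illustration; the thread does not say how steamclient generates its challenge.

```python
import hashlib
import hmac
import struct

# 25-byte A2S_INFO request exactly as laid out in the RFC: 4 + 1 + 20 bytes.
A2S_INFO = b"\xff\xff\xff\xff\x54Source Engine Query\x00"
# Value used with STEAM_GAMESERVER_MIN_CONNECTIONLESS_PACKET_SIZE in the thread.
MIN_SIZE = 1200

# Constructed sample values (assumptions, not from the thread).
SECRET = b"constructed-demo-secret"
CLIENT = ("192.0.2.10", 27005)
SPOOFED = ("198.51.100.7", 27005)


def build_padded(min_size=MIN_SIZE):
    """Option 1: zero-pad the request up to min_size bytes."""
    return A2S_INFO.ljust(min_size, b"\x00")


def build_with_challenge(challenge):
    """Option 2: append the 4-byte anti-spoofing challenge."""
    if len(challenge) != 4:
        raise ValueError("challenge must be exactly 4 bytes")
    return A2S_INFO + challenge


def make_challenge(secret, addr):
    """Hypothetical stateless challenge bound to the sender's address."""
    ip, port = addr
    msg = ip.encode() + struct.pack("!H", port)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:4]


def should_answer(packet, addr, secret, min_size=MIN_SIZE):
    """Drop A2S_INFO below min_size unless it carries a valid challenge."""
    if not packet.startswith(A2S_INFO):
        return False
    if len(packet) >= min_size:
        return True  # padded request (Option 1), extra bytes after the magic string allowed
    tail = packet[len(A2S_INFO):]
    # Short request: only a challenge issued to this source address is accepted,
    # so a spoofed sender that never saw the challenge gets no reply.
    return len(tail) == 4 and hmac.compare_digest(tail, make_challenge(secret, addr))
```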
