Thanks for the updates. I assume this means that the "TSource Engine Query\0" remains in place, and the challenge response (when provided) gets appended after the trailing null byte?
Also, this may be a silly question, but is there a smaller padded packet size that could be used, which doesn't trigger DDoS protections but is still big enough that it makes a reflection attack less appealing to the asshats who launch them? Just curious.

Thanks,
Dave

On Thu, Dec 3, 2020 at 10:54 PM Fletcher Dunn - fletcherd at valvesoftware.com (via csgo_servers list) <csgo_servers@list.valvesoftware.com> wrote:

> A steam client beta has been released:
>
> https://steamcommunity.com/groups/SteamClientBeta/announcements/detail/2896341257765264787
>
> It understands how to respond if the server issues a challenge in response to an A2S_INFO request. Importantly because of the existing filtering environment servers run in, the client will behave EXACTLY as it did before, until the server replies in the new method. (https://twitter.com/ZPostFacto/status/1334700095221104640)
>
> The protocol is now as follows:
>
> · Client will send the exact A2S_INFO packet that it has always sent, no more, no less.
>
> · A new server will reply with a challenge, using the same S2C_CHALLENGE packet that’s used for the A2S_PLAYERS and A2S_RULES packets. (Indeed, if a client is quick enough, it can use the same challenge for multiple requests.)
>
> · Now, a client will send an A2S_INFO with the challenge appended. Also: *DO NOT ASSUME THAT ANY EXTRA BYTES AFTER THE CHALLENGE ARE INVALID*. This is reserved for future expansion to the protocol! There are some more protocol changes in development right now designed to have the client obtain more information from the master server, thus reducing the amount of information that must come from the server. Those improvements won’t be possible if assumptions are made about packet sizes!
>
> I’ll post again when there are server binaries available that can opt into the new behavior, fixing the reflection attack vulnerability. You will not want to opt in until all clients you care about are speaking the new protocol. For steam clients, that will probably be at least a couple of weeks.
>
> Please share this with any authors of third party clients that you know!
>
> *From:* csgo_servers@list.valvesoftware.com <csgo_servers@list.valvesoftware.com>
> *Sent:* Thursday, December 3, 2020 2:42 PM
> *To:* 'hlds_annou...@list.valvesoftware.com' <hlds_annou...@list.valvesoftware.com>; csgo_servers@list.valvesoftware.com
> *Subject:* [Csgo_servers] Changes to A2S_INFO - take 2
>
> The previous change to pad the server browser query A2S_INFO packets has triggered some aggressive Anti-DDoS filters for some games. This change was made to address a reflection amplification attack in the protocol. So it looks like we will need to address the vulnerability by securing the response with a challenge, in the same way that the A2S_PLAYERS and A2S_RULES queries work. We’ll be releasing a new client soon that sends the small A2S_INFO packets again, but also understands how to reply to a server that replies with a challenge instead of the data. This protocol does make it more complicated to write a custom client for the protocol (although not drastically so), and means that the query traffic cannot be trivially filtered at the edge. Unfortunately, it looks like in the current environment, that is what we need to do.
>
> Further bulletins as events warrant.
>
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives, please visit:
> https://list.valvesoftware.com/

--
Dave Parker '11
Database & Systems Administrator
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177
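
The challenge exchange described in the quoted announcement, as an added server-side sketch in Python; it is not code from Valve or from anyone on this thread. The HMAC-derived challenge, the function names and the `info_reply` argument are assumptions made for illustration; the 0x41 header and 4-byte challenge follow the existing S2C_CHALLENGE format.

```python
import hashlib
import hmac
import os

PREFIX = b"\xff\xff\xff\xff"
A2S_INFO = PREFIX + b"TSource Engine Query\x00"  # request string quoted in the thread
S2C_CHALLENGE = PREFIX + b"A"                     # 0x41 header, then a 4-byte challenge
SECRET = os.urandom(32)                           # per-process key (assumption)


def challenge_for(addr, secret=SECRET):
    """Stateless 4-byte challenge bound to the sender's (ip, port).

    Assumption: deriving it with HMAC avoids keeping per-client state.
    """
    msg = f"{addr[0]}:{addr[1]}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:4]


def handle_a2s_info(packet, addr, info_reply, secret=SECRET):
    """Return the datagram to send back, or None to drop the packet."""
    if not packet.startswith(A2S_INFO):
        return None
    tail = packet[len(A2S_INFO):]
    expected = challenge_for(addr, secret)
    # Only the first 4 bytes after the null byte are the challenge. Anything
    # beyond them is reserved for future use and must not cause a rejection.
    if len(tail) >= 4 and hmac.compare_digest(tail[:4], expected):
        return info_reply
    # No challenge, or a wrong one: reply with 9 bytes, fewer than the
    # 25-byte request, so a spoofed source address gains no amplification.
    return S2C_CHALLENGE + expected


def client_retry(challenge_packet):
    """Build the second A2S_INFO request from a received S2C_CHALLENGE."""
    if len(challenge_packet) < 9 or not challenge_packet.startswith(S2C_CHALLENGE):
        raise ValueError("not an S2C_CHALLENGE packet")
    return A2S_INFO + challenge_packet[5:9]
```

Because the challenge is bound to the source address, the full reply only goes to a sender that actually received the 9-byte challenge at that address.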