Re: [hlds_linux] Use an specific IP for Steam Connection to avoid hackers from disconnecting items
Yeah, let's disable TCP steam connection instead of fixing the protocol to allow setting the steam connection source IP.

Having the steam connection in a different IP would allow a more reliable connection and be more friendly to DDoS filters. Currently there is a way to send a custom public IP by developing a library that helps you in the process, but steam seems to ignore it.

Please consider that not all networks around the globe are fairy tales, and currently there are whole countries where servers can't get stable item connection and get to the server list because steamclient is not being friendly to networks that need different workarounds to mitigate DDoS attacks and hacking attempts.

Not a valve/steamclient issue? Well, we are only having headaches hosting HLDS/SRCDS, we even hired coders to patch steamclient to allow a custom source IP, but we finally found that we can't do anything on our side because the sent IP is being ignored.

On 22-10-2014 21:00, Ryan Kistner wrote:
> The behavior you described about IP binding is correct: Steam will
> always use the IP bound to the Steam socket as the "public IP"
> regardless of the IP that the game server is bound to.
>
> I'm not familiar with any sort of UDP spoofing attack either disguised
> as the gameserver or Steam. I would assume such an attack would
> require you know the client port number, connection ids of one
> endpoint, and a sequence number inside the window. If you have any
> packet captures of the attack that would be helpful to know.
>
> I would suggest using TCP to prevent such an attack, but the TCP
> connection is disabled in server builds because of the "public IP"
> problem you mentioned (because the TCP connection will not bind to the
> game server IP).
>
> If the client port is the same as the game port (I think there's a
> socket sharing cvar somewhere?) that might explain part of the
> effectiveness of the spoof attack, in which case I would investigate
> whether -steamport helps you.
>
> On 10/22/2014 3:24 PM, Rodrigo Peña wrote:
>> Hello,
>>
>> "Hackers" are able to bring down the servers' steam connection by
>> spoofing steam server IPs, as they know what IP address is being used by
>> the gameserver to make the connection to steam backend (used for master
>> list and item connection).
>>
>> Please implement a way to choose the source IP to use to connect to the
>> steam servers so we can make it harder for hackers to make the server
>> disappear from the list and disconnect it from item server.
>>
>> Currently if you do some tricks like changing source-ip with iptables or
>> a custom plugin to force the steam connection ip binding to a certain
>> IP, the server will get a wrong Public IP, and then it will advertise it
>> to the master list, resulting in refreshing players' favorite server
>> entry with the wrong public IP (where the gameserver won't accept
>> connections), and also if you connect to the IP where the server is
>> listening, you will show the wrong public IP at friends.
>>
>> Any words on this?
>>
>> Thanks!

___
To unsubscribe, edit your list preferences, or view the list archives, please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
Re: [hlds_linux] Use an specific IP for Steam Connection to avoid hackers from disconnecting items
The behavior you described about IP binding is correct: Steam will always use the IP bound to the Steam socket as the "public IP" regardless of the IP that the game server is bound to.

I'm not familiar with any sort of UDP spoofing attack either disguised as the gameserver or Steam. I would assume such an attack would require you know the client port number, connection ids of one endpoint, and a sequence number inside the window. If you have any packet captures of the attack that would be helpful to know.

I would suggest using TCP to prevent such an attack, but the TCP connection is disabled in server builds because of the "public IP" problem you mentioned (because the TCP connection will not bind to the game server IP).

If the client port is the same as the game port (I think there's a socket sharing cvar somewhere?) that might explain part of the effectiveness of the spoof attack, in which case I would investigate whether -steamport helps you.

On 10/22/2014 3:24 PM, Rodrigo Peña wrote:
> Hello,
>
> "Hackers" are able to bring down the servers' steam connection by
> spoofing steam server IPs, as they know what IP address is being used by
> the gameserver to make the connection to steam backend (used for master
> list and item connection).
>
> Please implement a way to choose the source IP to use to connect to the
> steam servers so we can make it harder for hackers to make the server
> disappear from the list and disconnect it from item server.
>
> Currently if you do some tricks like changing source-ip with iptables or
> a custom plugin to force the steam connection ip binding to a certain
> IP, the server will get a wrong Public IP, and then it will advertise it
> to the master list, resulting in refreshing players' favorite server
> entry with the wrong public IP (where the gameserver won't accept
> connections), and also if you connect to the IP where the server is
> listening, you will show the wrong public IP at friends.
>
> Any words on this?
>
> Thanks!
[hlds_linux] Use an specific IP for Steam Connection to avoid hackers from disconnecting items
Hello,

"Hackers" are able to bring down the servers' steam connection by spoofing steam server IPs, as they know what IP address is being used by the gameserver to make the connection to steam backend (used for master list and item connection).

Please implement a way to choose the source IP to use to connect to the steam servers so we can make it harder for hackers to make the server disappear from the list and disconnect it from item server.

Currently if you do some tricks like changing source-ip with iptables or a custom plugin to force the steam connection ip binding to a certain IP, the server will get a wrong Public IP, and then it will advertise it to the master list, resulting in refreshing players' favorite server entry with the wrong public IP (where the gameserver won't accept connections), and also if you connect to the IP where the server is listening, you will show the wrong public IP at friends.

Any words on this?

Thanks!
Re: [hlds_linux] R: re Mandatory TF2 update released
Uh... there are hosties in TF2 now? sweet!

On Wed, Oct 22, 2014 at 12:00 PM, Nicola wrote:
> aboom! killed Hostage with pistol_scout. (crit)
> Disconnect: An issue with your computer is blocking the VAC system.
> You cannot play on secure servers..
> Disconnect: An issue with your computer is blocking the VAC system.
> You cannot play on secure servers.
>
> how fix this :(
>
> after the update i can't join any servers :|
[hlds_linux] R: re Mandatory TF2 update released
aboom! killed Hostage with pistol_scout. (crit)
Disconnect: An issue with your computer is blocking the VAC system. You cannot play on secure servers..
Disconnect: An issue with your computer is blocking the VAC system. You cannot play on secure servers.

how fix this :(

after the update i can't join any servers :|

-Original Message-
From: hlds_linux-boun...@list.valvesoftware.com [mailto:hlds_linux-boun...@list.valvesoftware.com] On behalf of Eric Smith
Sent: Wednesday, 22 October 2014 19:58
To: Half-Life dedicated Win32 server mailing list; Half-Life dedicated Linux server mailing list; 'hlds_annou...@list.valvesoftware.com'
Subject: [hlds_linux] Mandatory TF2 update released

We've released a mandatory update for TF2. The notes for the update are below. The new version number is 2455651.

-Eric

- Scream Fortress Classic begins!
- In preparation for Scream Fortress 2014 we've enabled all previous Halloween events
- Fixed The Larval Lid not using the correct Blue team material
[hlds_linux] Mandatory TF2 update released
We've released a mandatory update for TF2. The notes for the update are below. The new version number is 2455651.

-Eric

- Scream Fortress Classic begins!
- In preparation for Scream Fortress 2014 we've enabled all previous Halloween events
- Fixed The Larval Lid not using the correct Blue team material
[hlds_linux] Mandatory TF2 update coming
We're working on a mandatory update for TF2. We should have it ready soon.

-Eric