A Steam client beta has been released:
https://steamcommunity.com/groups/SteamClientBeta/announcements/detail/2896341257765264787
It understands how to respond if the server issues a challenge in response to
an A2S_INFO request. Importantly, because of the existing filtering environment
servers run in, the client will behave EXACTLY as it did before, until the
server replies in the new method.
(https://twitter.com/ZPostFacto/status/1334700095221104640)
The protocol is now as follows:
* Client will send the exact A2S_INFO packet that it has always sent, no
more, no less.
* A new server will reply with a challenge, using the same S2C_CHALLENGE
packet that's used for the A2S_PLAYERS and A2S_RULES packets. (Indeed, if a
client is quick enough, it can use the same challenge for multiple requests.)
* Now, a client will send an A2S_INFO with the challenge appended. Also:
DO NOT ASSUME THAT ANY EXTRA BYTES AFTER THE CHALLENGE ARE INVALID. This is
reserved for future expansion to the protocol! There are some more protocol
changes in development right now designed to have the client obtain more
information from the master server, thus reducing the amount of information
that must come from the server. Those improvements won't be possible if
assumptions are made about packet sizes!
I'll post again when there are server binaries available that can opt into the
new behavior, fixing the reflection attack vulnerability. You will not want to
opt in until all clients you care about are speaking the new protocol. For
Steam clients, that will probably be at least a couple of weeks.
Please share this with any authors of third party clients that you know!
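
The exchange described above, as an added example that is not part of the original message and is not Valve's code. The packet bytes follow the publicly documented Source server query format; the HMAC-derived challenge, `SECRET`, the function names and the sample addresses are assumptions made for illustration. An unchallenged 25-byte request only ever draws a 9-byte reply, and bytes after the challenge are ignored rather than rejected.

```python
import hashlib
import hmac
import os

PREFIX = b"\xff\xff\xff\xff"
A2S_INFO = PREFIX + b"TSource Engine Query\x00"  # the 25-byte request clients have always sent
S2C_CHALLENGE = PREFIX + b"A"                    # header of the challenge reply
SECRET = os.urandom(32)                          # assumption: per-process server secret


def challenge_for(addr):
    """Assumption: stateless 4-byte challenge bound to the sender's IP and port."""
    msg = f"{addr[0]}:{addr[1]}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:4]


def server_handle(packet, addr, info_payload):
    """Return the datagram a challenge-enforcing server sends back, or None to drop."""
    if not packet.startswith(A2S_INFO):
        return None
    rest = packet[len(A2S_INFO):]
    if len(rest) < 4:
        # Old-style request with no challenge: answer with a challenge only.
        return S2C_CHALLENGE + challenge_for(addr)
    # Compare only the first 4 bytes; anything after the challenge is reserved
    # for future protocol expansion and must not cause a rejection.
    if hmac.compare_digest(rest[:4], challenge_for(addr)):
        return PREFIX + b"I" + info_payload
    return S2C_CHALLENGE + challenge_for(addr)


def client_next_request(reply):
    """Given a server reply, return the follow-up request, or None if it is data."""
    end = len(S2C_CHALLENGE) + 4
    if reply.startswith(S2C_CHALLENGE) and len(reply) >= end:
        return A2S_INFO + reply[len(S2C_CHALLENGE):end]
    return None  # old-style server answered directly; nothing more to send
```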
From: csgo_serv...@list.valvesoftware.com
Sent: Thursday, December 3, 2020 2:42 PM
To: 'hlds_announce@list.valvesoftware.com'; csgo_serv...@list.valvesoftware.com
Subject: [Csgo_servers] Changes to A2S_INFO - take 2
The previous change to pad the server browser query A2S_INFO packets has
triggered some aggressive Anti-DDoS filters for some games. This change was
made to address a reflection amplification attack in the protocol. So it looks
like we will need to address the vulnerability by securing the response with a
challenge, in the same way that the A2S_PLAYERS and A2S_RULES queries work.
We'll be releasing a new client soon that sends the small A2S_INFO packets
again, but also understands how to reply to a server that replies with a
challenge instead of the data. This protocol does make it more complicated to
write a custom client for the protocol (although not drastically so), and means
that the query traffic cannot be trivially filtered at the edge.
Unfortunately, it looks like in the current environment, that is what we need
to do.
Further bulletins as events warrant.
___
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.com/