Tsuey / L4D2-Community-Update

Help us shape the potential future of L4D2 vanilla.

lobby list spam exploit #456

Open GameRookies opened 11 months ago

GameRookies commented 11 months ago

Description

Some L4D2 server owners, by sending fake lobby datapacks (maybe special UDP datapacks?) to the master server, insert and spam their servers' IPs into the lobby list queue. When players choose quickmatch or the lobby list in L4D2, they can only connect to the spam servers; the other Valve official servers and community servers can hardly be connected to through the matchmaking system. The HACKER wants every player to join his PAY-FOR-PLAY server to get money. It happens on all of the L4D2 master servers in China.

Actually, I don't know how they use this exploit. These servers have no lobby cookies, but players can still join them from the lobby list and quickmatch. I hope the lobby server side can improve some verification in order to prevent the vicious servers from spamming their IPs in the lobby list.

Btw: sorry for my bad English.

Reproduction steps

When a player starts the game with "quickmatch" or "lobby list", the lobby queue is full of the simple spam server; Valve official servers and other community servers can hardly be connected to.

P.S.: only China's master server falls into this situation.

Additional files

No response

Kaze1027 commented 9 months ago

Yes, it's still happening every second. Someone come and help us. Insertion situation. Details.

Diver76 commented 9 months ago

Similar problems: https://github.com/ValveSoftware/Source-1-Games/issues/5297

Diver76 commented 9 months ago

> Yes, it's still happening every second. Someone come and help us. Insertion situation. Details.

They just simply created many servers, then edited the UDP packets sent to the clients to display fake player counts and names; they even edited the timestamps to ensure their servers always appeared at the top of the list. CSGO has also been plagued by similar problems for many years. The reason these servers appear in your list is that they bind their servers to your Steam group. Since the 32-bit group ID can be easily derived from the 64-bit ID, they can bind their servers to anyone's group. Valve has been aware of this issue for a long time, but they do not have any plans to fix it.