ValveSoftware / Source-1-Games

Source 1 based games such as TF2 and Counter-Strike: Source

[L4D2] Did valve know your matchmaking system in L4D2 was cracked and hijacked ? #5297

Open GameRookies opened 1 year ago

GameRookies commented 1 year ago

Some L4D2 server owners, by sending fake lobby data packets (maybe special UDP data packets?) to the master server, insert and spam their servers' IPs into the lobby list queue. When players choose quickmatch or lobby list in L4D2, they can only connect to the spam server; the other Valve official servers and community servers can hardly be connected to through the matchmaking system. The HACKER wants every player to join his PAY-FOR-PLAY server to get money. It happens on all of the L4D2 master servers in China.

Actually, I don't know how they use this exploit. These servers have no lobby cookies, but players can still join them from the lobby list and quickmatch. I hope the lobby server side can improve some verification in order to prevent the vicious servers from spamming their IPs in the lobby list.

Btw: sorry for my bad English.

ashyerv commented 1 year ago

Yea, Valve plz fix it!

NULLYUKI commented 1 year ago

This issue might be related to #5101

GameRookies commented 1 year ago

Not exactly. The matchmaking system which is built into L4D2 was hijacked covertly by a cracker. In your case, you can choose the correct server by yourself from the list, but when Chinese players start a connection request from L4D2, they are redirected to the cracker's server automatically.

This issue might be related to #5101

Diver76 commented 11 months ago

Based on my observations, approximately 60% of the Chinese L4D servers introduce paid content and identify themselves as RPG servers. Their owners ensure a significant presence on the matchmaking system by purchasing hundreds of Steam accounts to keep their server active; this results in a higher chance for players to be matched with these servers. In order to prevent the bug where players sometimes can't join, server owners commonly employ a trick: when the first player is connecting, they set "sv_allow_lobby_connect_only" to 0 and clear the lobby cookies, but their servers can still be matched for a period of time. I'm unsure if this is justified. China currently has no official servers dedicated to matchmaking, and I hope that Valve can consider adding a few official servers in China specifically for this purpose.

Kaze1027 commented 11 months ago

Valve fix it, please.

Tsuey commented 8 months ago

Partial duplicate of https://github.com/ValveSoftware/Source-1-Games/issues/5563 which was patched today.

See the linked issue for more, but the gist is that lobby and mid-game redirects to other servers became commonplace because the lobby / matchmaking system was too trusting, allowing an attacker to perform any action without actually being in the lobby.

L4D2 now has a lot of extra checks to verify that the lobby's host and guests actually belong there.

GameRookies commented 8 months ago

Partial duplicate of #5563 which was patched today.

See the linked issue for more, but the gist is that lobby and mid-game redirects to other servers became commonplace because the lobby / matchmaking system was too trusting, allowing an attacker to perform any action without actually being in the lobby.

L4D2 now has a lot of extra checks to verify that the lobby's host and guests actually belong there.

Sincere thanks to Tsuey for the new patch. Here is a test report on the new update released on 3/12:

EST 01:00 AM, 3/13

Unfortunately, the new update patch didn't take effect on the Chinese master server. Everything remains the same as before; the matchmaking system still redirects players to the cracked server.

EST 01:00 PM, 3/13

12 hours later, the situation seems to have taken a turn.

Most of the master server nodes in China have already stopped redirecting players to the cracked server. It is currently uncertain whether it was intentionally halted by the crackers, or whether the updates took such a long time to activate.

Anyway, it seems everything is progressing in a positive direction, but I'm not sure the exploit has been completely resolved. Thanks again to Tsuey and the Valve team for their work; I hope you can continue to pay attention.

EST 05:00 AM, 3/14

Bad news: the update patch has failed, and the Chinese matchmaking system is back to redirecting players to the cracked server.

GameRookies commented 8 months ago

Partial duplicate of #5563 which was patched today.

See the linked issue for more, but the gist is that lobby and mid-game redirects to other servers became commonplace because the lobby / matchmaking system was too trusting, allowing an attacker to perform any action without actually being in the lobby.

L4D2 now has a lot of extra checks to verify that the lobby's host and guests actually belong there.

Please notify Valve that the new update patch didn't take effect in China… Everything remains the same as before; the matchmaking system still redirects players to the cracked server.

Diver76 commented 8 months ago

Replying to https://github.com/ValveSoftware/Source-1-Games/issues/5297#issuecomment-1997163315

Because what happened in China has nothing to do with this update. They didn't use any redirects but abused the matchmaking system itself. Once I figured out exactly how they did it, I realized that this problem would never be completely solved without redesigning the matchmaking system. It is no longer a problem that can be solved by patching or adding additional validation; the design of the current matchmaking system is fatally flawed and allows anyone to abuse it in a variety of ways at minimal cost, just like group bindings have been abused and server list spam, all because of Valve's poor design.

Diver76 commented 8 months ago

The problem is no longer as simple as I mentioned a few months ago. Because I don't think Valve will be able to fully resolve this issue anytime soon, I don't want to go into too much detail here, which might allow things to spread and get worse. I think a lot of people are here right now looking for answers and joining in on the abuse of the matchmaking system. Also, I think GameRookies' video may not show all the issues; I hope Tsuey can contact me via email to get more information. My email: diver76@163.com

Tsuey commented 8 months ago

The problem is no longer as simple as I mentioned a few months ago...

I recommend reading a security policy -- such as this one.

Diver76 commented 8 months ago

The problem is no longer as simple as I mentioned a few months ago...

I recommend reading a security policy -- such as this one.

Thanks, I've left a message for you on Discord.

GameRookies commented 8 months ago

reply to https://github.com/ValveSoftware/Source-1-Games/issues/5563#issuecomment-1998883450

The demonstration video : https://youtu.be/_UhfV2q7BkU

I'm sorry for taking a week to update the post, as I'm not proficient at video recording and editing.

Just as you've seen, when using the in-game matchmaking feature in China, we always connect to certain fixed servers, without exception.

To avoid the video being too long, I simply demonstrated the current state of the matchmaking system in China. In reality, players will find themselves endlessly looping on these hijacked servers, with less than a 5% chance of connecting to other IPs. Before these servers cracked the matchmaking system, we used to randomly enter dozens or even hundreds of different servers every day through the matchmaking system. But now, we can only cycle through these few IPs.

I speculate that these servers might be employing a "redirect" technique different from the previous Russian servers, similar to the connection logs shown to us in https://github.com/ValveSoftware/Source-1-Games/issues/5563#issuecomment-1991283894. They somehow elevate the priority of their IP within the matchmaking system and distribute players to various ports (or other IPs) using some kind of "redirect" technique. After Valve became aware of potential issues with the matchmaking system last week, these hackers even activate this "hijacking" or "redirect" technique only during certain hours of the day (usually during peak times of online players) to evade the probability of being tracked.

Regardless of whether Valve or the TLS team can solve this problem, we just hope that this game in China will not become a tool for profit for a few people.
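A defender-side way to quantify the pattern reported in the comment above, added here as an example that is not part of the original thread or of Valve's code: bucket matchmaking destinations by hour and flag the hours in which a handful of IPs absorb more than 95% of attempts, which also catches a technique that is only switched on at peak times. The `(hour, ip)` record format, the sample addresses and the thresholds are assumptions.

```python
from collections import Counter, defaultdict

def build_sample():
    """Constructed data: (hour_of_day, server_ip) per quick-match attempt.
    IPs come from the RFC 5737 documentation ranges, not real servers."""
    rows = [(4, f"198.51.100.{i % 20 + 1}") for i in range(40)]   # off-peak, spread out
    rows += [(20, f"203.0.113.{i % 3 + 1}") for i in range(58)]   # peak, three fixed IPs
    rows += [(20, f"198.51.100.{i + 1}") for i in range(2)]       # peak, everyone else
    return rows

def concentration_by_hour(rows, top_n=3):
    """Map hour -> (attempts, share taken by the top_n IPs, those IPs)."""
    per_hour = defaultdict(Counter)
    for hour, ip in rows:
        per_hour[hour][ip] += 1
    result = {}
    for hour, counts in per_hour.items():
        total = sum(counts.values())
        top = counts.most_common(top_n)
        result[hour] = (total, sum(n for _, n in top) / total, [ip for ip, _ in top])
    return result

def flag_hours(rows, top_n=3, threshold=0.95, min_attempts=20):
    """Hours in which top_n IPs absorb more than `threshold` of attempts.
    Hours with too few attempts are skipped to avoid small-sample noise."""
    flagged = {}
    for hour, (total, share, ips) in concentration_by_hour(rows, top_n).items():
        if total >= min_attempts and share > threshold:
            flagged[hour] = ips
    return flagged

if __name__ == "__main__":
    sample = build_sample()
    for hour, (total, share, _) in sorted(concentration_by_hour(sample).items()):
        print(f"hour {hour:02d}: {total} attempts, top-3 share {share:.1%}")
    print("flagged:", flag_hours(sample))
```
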

Kaze1027 commented 8 months ago

This exploit is going to ruin L4D2

Localia-cn commented 6 months ago

To find your favorite server, simply use the "openserverbrowser" command.

In China, RPG servers have dominated the matchmaking system for many years, and such problems are rare in other countries. Valve has established over 10,000 official servers for L4D2 worldwide, enabling players from Europe and America to easily connect with numerous local official servers. However, with the exception of Hong Kong, no official servers exist in any city in China. Consequently, almost all Chinese players are limited to third-party servers, turning the matchmaking system in China into a competition among these servers. This is also why more than half of the global third-party servers are located in China.

For many years, the owners of these RPG servers had limited knowledge of the matchmaking system. As a result, they would purchase a large number of accounts and leave them idle on the server to activate matchmaking, giving them an absolute advantage. However, some of them are now gaining a deeper understanding of the matchmaking system and exploiting it more efficiently.

As mentioned by "Diver76," this is a design issue with L4D2's matchmaking system. Fixing the vulnerability cannot completely solve the problem in China; I believe that they will soon return and misuse it in a more expensive but irreparable manner. The owners of these RPG servers are wealthier and possess higher programming skills. Prior to this, they had already gained an advantage solely based on the number of their servers, but the situation will only worsen thereafter.

If Valve truly wants to take action, they should fix the vulnerability and add hundreds of official servers in cities such as Shanghai or Beijing. This would enable players in China to swiftly connect to official servers through the "Official Servers Only" option, similar to other countries, instead of being limited to third-party servers.