danielga
commented
2 years ago I've got a possible solution on this release candidate. It should validate most of the packet data before allowing it through. I've tested it against a legit Windows Garry's Mod client so it should work for legit clients, don't have a way to test against attackers though.
Many sandbox servers were attacked using an invalid steam authorization packet size without sending a handshake initialization packet:
Tested without attack, here is valid steam auth size:
