Redirect / Fake Server Report Megathread - ALL FAKE SERVERS POSTS GO HERE - Garry's Mod

[QUOTE=ertug20;52082434]I'm sure they did that a bunch of times. They can easily spin up a new VPS with hourly billing. Not a proper solution.[/QUOTE] I see, so how would they fix this? An update or something?

It seems like it might just be some angry basement dweller that wants too see nothing but the world burn. Could we please get a solution to this issue please?

[QUOTE=Stooge2;52082445]It seems like it might just be some angry basement dweller that wants too see nothing but the world burn. Could we please get a solution to this issue please?[/QUOTE] I already gave them my recommendations to slow down the "exploiters" higher up in the thread. I'm sure that they're hard at work on fixing the issue.

[QUOTE=ertug20;52082453]I already gave them my recommendations to slow down the "exploiters" higher up in the thread. I'm sure that they're hard at work on fixing the issue.[/QUOTE] Excuse my ignorance, but could a server owner change the gmsindex?

[QUOTE=Wavie;52082470]Excuse my ignorance, but could a server owner change the gmsindex?[/QUOTE] It's more of a parameter that the server sends to Valve when it wants to go on the master list. The better solution is to just block the old API which is ridiculously simple to "exploit" or "take advantage of". It's even on Valve's public wiki... I highly doubt that the individuals are using the steam-works API especially with how fast they're spinning up these VPSes. Clearly they are running on Linux which makes it even more difficult to take advantage of with the steamworks API.

[QUOTE=ertug20;52082479]It's more of a parameter that the server sends to Valve when it wants to go on the master list. The better solution is to just block the old API which is ridiculously simple to "exploit" or "take advantage of". It's even on Valve's public wiki...[/QUOTE] So why won't they just do that? Are there any cons to this method?

[QUOTE=Wavie;52082485]So why won't they just do that? Are there any cons to this method?[/QUOTE] Unfortunately, I'm not the person to ask that question to. What I can tell you is that they (FP) updated the game to use the steamworks API at least 3 years ago but Valve still accepts connections from the old API. There are absolutely no cons whatsoever. It's just an open liability.

[QUOTE=ertug20;52082479]It's more of a parameter that the server sends to Valve when it wants to go on the master list. The better solution is to just block the old API which is ridiculously simple to "exploit" or "take advantage of". It's even on Valve's public wiki... I highly doubt that the individuals are using the steam-works API especially with how fast they're spinning up these VPSes. Clearly they are running on Linux which makes it even more difficult to take advantage of with the steamworks API.[/QUOTE] So why aren't they just using your method [u]as well[/u] as blocking the old API?

[QUOTE=ertug20;52082479]It's more of a parameter that the server sends to Valve when it wants to go on the master list. The better solution is to just block the old API which is ridiculously simple to "exploit" or "take advantage of". It's even on Valve's public wiki... I highly doubt that the individuals are using the steam-works API especially with how fast they're spinning up these VPSes. Clearly they are running on Linux which makes it even more difficult to take advantage of with the steamworks API.[/QUOTE] Even if they blocked the old steam API I don't see how that prevents the abusers to just update it to the newest API and use it??

[QUOTE=Wavie;52082495]So why aren't they just using your method [u]as well[/u] as blocking the old API?[/QUOTE] While the gmsindex whitelist isn't designed to exactly be a permanent solution since it would only be as effective as the incompetence of the exploiters, it would most likely require them to contact Valve which I doubt would go so well knowing Valve's track record. The same concept goes for blocking the old API and also for enabling the GLST keys (which I do not agree with), they would technically need to contact Valve for help assuming that Valve even cares enough. What they've been doing is attempting to stop it via regex server name checks and IP blacklists which is both ineffective as we can all see. You can say that they have been going the path of least resistance which is also ineffective. There could be many ways that they could implement checks via their steam workshop based client server blacklist but It wouldn't really be worth mentioning. They could always also just implement a Garry's Mod hotfix where they change some aspect of the game itself but I wouldn't hold my breath on that since this system is used by virtually every multiplayer-enabled game on Steam. [QUOTE=NootNootEh;52082539]Even if they blocked the old steam API I don't see how that prevents the abusers to just update it to the newest API and use it??[/QUOTE] The idea here is to make it as painful as possible on the exploiters [B][U]without inconveniencing everybody else[/U][/B]. The steamworks API is usually quite difficult for amateurs to hook into especially with the operating system being Linux. The system that they are likely using now (Old API) is as simple as literally sending a network packet with no checks. I'm honestly not suprised that somebody took advantage of it since it's been open for so long especially with the public documentation out there by Valve.

[QUOTE=ertug20;52082540]While the gmsindex whitelist isn't designed to exactly be a permanent solution since it would only be as effective as the incompetence of the exploiters, it would most likely require them to contact Valve which I doubt would go so well knowing Valve's track record. The same concept goes for blocking the old API and also for enabling the GLST keys (which I do not agree with), they would technically need to contact Valve for help assuming that Valve even cares enough. What they've been doing is attempting to stop it via regex server name checks and IP blacklists which is both ineffective as we can all see. You can say that they have been going the path of least resistance which is also ineffective. There could be many ways that they could implement checks via their steam workshop based client server blacklist but It wouldn't really be worth mentioning. They could always also just implement a Garry's Mod hotfix where they change some aspect of the game itself but I wouldn't hold my breath on that since this system is used by virtually every multiplayer-enabled game on Steam. The idea here is to make it as painful as possible on the exploiters [B][U]without inconveniencing everybody else[/U][/B]. The steamworks API is usually quite difficult for amateurs to hook into especially with the operating system being Linux. The system that they are likely using now (Old API) is as simple as literally sending a network packet with no checks. I'm honestly not suprised that somebody took advantage of it since it's been open for so long especially with the public documentation out there by Valve.[/QUOTE] So basically the only way to fix it for good is contacting Valve?

[QUOTE=Wavie;52082580]So basically the only way to fix it for good is contacting Valve?[/QUOTE] I doubt that there is ever going to be a fixing it for good solution. It's more of deterrence. Regardless of what is done, they can still in theory exploit it to do it again, it's more of how hard they want to try.

[QUOTE=ertug20;52082540]The steamworks API is usually quite difficult for amateurs to hook into especially with the operating system being Linux.[/QUOTE] This is one of the dumbest misinformations written on this forum in a long time

[QUOTE=MeepDarknessM;52082996]This is one of the dumbest misinformations written on this forum in a long time[/QUOTE] Clearly, you and I have a very different opinion on what an amateur is. We aren't talking about the people who make and sell said exploits.

[QUOTE=ertug20;52083002]Clearly, you and I have a very different opinion on what an amateur is. We aren't talking about the people who make and sell said exploits.[/QUOTE] Amateur to me is linking a library and calling a function.

[QUOTE=MeepDarknessM;52083035]Amateur to me is linking a library and calling a function.[/QUOTE] Are you implying that it's far easier to hook into the Steamworks API when compared to sending a single packet to Valve to get a "server" put on the master list?

[QUOTE=ertug20;52083044]Are you implying that it's far easier to hook into the Steamworks API when compared to sending a single packet to Valve to get a "server" put on the master list?[/QUOTE] Probably. Steamworks wraps everything you need to do into a single function.

[QUOTE=MeepDarknessM;52083055]Probably. Steamworks wraps everything you need to do into a single function.[/QUOTE] In that case, you and I clearly specialize in different fields. Sending a single packet can be done ridiculously easy and perhaps has thousands of guides in nearly all programming languages while hooking into the steam-works API has very little documentation even with the public implementations unless you are a steam-works developer. It just seems like common sense to me that a novice would rather look up a public wiki along with a simple packet send code in any programming language to achieve this because it may be more problematic for them to actually use C/C++ or C# (public implementation) and use the Steamworks API.

@MeepDarknessM on Discord you said you'd release a redirect program. Did you end up releasing it?

[QUOTE=FPtje;52083340]@MeepDarknessM on Discord you said you'd release a redirect program. Did you end up releasing it?[/QUOTE] No, but I might later since it's already going to get patched from this whole thing.

Is it just the legacy masterlist protocol that's the issue? I took a quick look into it and on the newer steamworks it's Valve that tracks the player count. Just simply "spoofing" the A2S_INFO packet won't make your player count increase on the masterlist (while it will work through the steam browser). Not tested, but I guess adding your server to the masterlist through the legacy protocol doesn't use all the newer authentication checks when a player joins etc. I guess it's something Valve need to fix, if that ever even happens. If that is the case, as ertug20 said somehow stopping the legacy protocol *should* fix it?

[QUOTE=Mrkrabz;52083495]Is it just the legacy masterlist protocol that's the issue? I took a quick look into it and on the newer steamworks it's Valve that tracks the player count. Just simply "spoofing" the A2S_INFO packet won't make your player count increase on the masterlist (while it will work through the steam browser). Not tested, but I guess adding your server to the masterlist through the legacy protocol doesn't use all the newer authentication checks when a player joins etc. I guess it's something Valve need to fix, if that ever even happens.[/QUOTE] I haven't personally looked into the old steam API too much and don't know if it supports tracking players for the player count. I assumed that they had some slower system to track players but I guess you never know since it is quite old. If they do indeed just do a very simple player count comparison between Valve and the A2S_INFO query (with the new API), it would solve the world's problems in regards to people faking the number of players on their server ( since Steam technically tracks every single player on Steam ). All I know is that when they decide to fix this, they should pick a solution that will least inconvenience everybody.

[IMG]http://i.imgur.com/KTYFECV.png[/IMG] Who's already manipulated the server list to screw with people? Is this a false flag op? 45.77.1.27:10088 45.77.1.27:10090 45.77.1.27:10099 All the fake servers are on the same damn ip. Just blacklist the range already plz.

I refreshed server list 5 minutes ago to see 8k people on DarkRP(top of the list). I refreshed it again and now there's 10.2k bots on the fake servers. This is rather fun watching the Steam Community forums freak out. I'm not a coding genius so actually don't know how this is all happening and working, but eh.

[QUOTE=Heavy Bob;52089444][IMG]http://i.imgur.com/KTYFECV.png[/IMG] Who's already manipulated the server list to screw with people? Is this a false flag op? 45.77.1.27:10088 45.77.1.27:10090 45.77.1.27:10099 All the fake servers are on the same damn ip. Just blacklist the range already plz.[/QUOTE] Why do you keep reporting the same damn thing, It's on the last page. Also blacklisting the range is the stupidest thing I've seen posted on this thread so far

That IP is assigned to Vultr who provide per-hour billing VPS's. If you blacklist that range they can just create an image of the vps, destroy the instance and bring up a new one from that image with a new IP in about 30s.

[QUOTE=Adzter;52090492]That IP is assigned to Vultr who provide per-hour billing VPS's. If you blacklist that range they can just create an image of the vps, destroy the instance and bring up a new one from that image with a new IP in about 30s.[/QUOTE] Could we not just file an abuse report to Vultr and have then refuse business to the customer?

[QUOTE=Redfiend;52091002]Could we not just file an abuse report to Vultr and have then refuse business to the customer?[/QUOTE] These VPS providers are a dime a dozen. If they get banned from one, they can always go to another.

[QUOTE=Redfiend;52091002]Could we not just file an abuse report to Vultr and have then refuse business to the customer?[/QUOTE] then they switch to a new vps provider

It'd still be more effective than blacklisting ip ranges