Compare transport connections to ensure no extras with same IP but different port.

[Jdance-Media]

As brought up in the past, some attacks against servers can involve the usage of the same IP but multiple ports. From what I'm aware, there is a proper comparison for Steam ID, but it would be nice to have an extra layer of security that involves already logged/in use connections being compared against new ones to check for same IP but different port. You could possibly allow for only like 3 connections to use the same IP if this measure causes too many problems.

I wasn't totally sure if this was implemented already, but it doesn't seem like it. If I'm wrong about this, apologies.

[SDGNelson]

You're right that the server won't allow two simultaneous players associated with the same Steam ID.

Are you running into an attack like this at the moment? (Many simultaneous queued and/or logged-in players with the same IPv4 address?)

We could add a setting like "max simultaneous connections per IP." Servers using Fake IP or servers with many players in regions using CG-NAT would likely need to disable or significantly raise it, however. Are you using Fake IP?

[Jdance-Media]

The server I was working on that was affected by attacks utilizing multiple ports has not been active for a month or so, so Fake IP has yet to be implemented.

I believe that preventing simultaneous connections, or at least an amount of them, would be a good countermeasure for servers that do not wish to enable Fake IP, etc. Fake IP has significant downsides, including that one issue that needs be addressed by Valve and the fact that servers cannot moderate using IPs.

I have a suspicion that additional damage can be dealt using simultaneous connections. For instance, I still noticed an influx in unmanageable outbound traffic. So having all bases covered is the goal.

[SDGNelson]

If I understand correctly, you're saying that was with the previous exploit (fixed)? If that's the case, I don't think we need to be super concerned about multiple ports at the moment because:

Assuming the default transport (Steam Networking Sockets) is used, each connection must be from an authenticated Steam account—even with Fake IP enabled. I.e., SNS ensures the connection is from a logged-in Steam account before the game starts processing any network messages.

That said, I do agree it's a reasonable precaution and would be especially necessary for regular socket connections.

[SDGNelson]

This is implemented for the 3.25.5.0 update! The relevant options are:

/// <summary>
/// Only applicable when Fake IP is off. When a client is connecting, if their connection would push the number
/// of simultaneous connections from the same IP address past this number, they are prevented from joining.
///
/// May be useful to prevent against fake join requests coming from a single source IP. (public issue #5001)
/// 
/// Defaults to a high value because some regions will have many more clients with the same IPv4 address than
/// others. For example, due to Carrier-grade NAT (CGNAT).
/// </summary>
public int Max_Clients_With_Same_IP_Address = 64;

/// <summary>
/// Whether rejections for Max_Clients_With_Same_IP_Address should log to command output. Useful for checking
/// if the limit is appropriate.
/// </summary>
public bool Max_Clients_With_Same_IP_Address_Log_Warnings = true;