(RADIATOR) Designing for security

Viraj Alankar valankar at ifxcorp.com
Sat Jul 7 14:58:11 CDT 2001


On Sun, Jul 08, 2001 at 02:31:15AM +0800, Miguel A.L. Paraz wrote:
> On Sun, Jul 08, 2001 at 03:17:38AM +1000, Hugh Irvine wrote:
> > You should always have your main Radiator hosts behind a firewall of 
> > some sort, and you should also use packet filters to limit which 
> > hosts and/or NAS's are allowed to contact these internal hosts.
> 
> does anyone have experience with Radiator or other RADIUS daemons
> being hit by DoS attacks?  Even if you filter out your Radiator host,
> someone can spoof requests pretending to be from your NAS's.

We had something very similar happen to us. We are still looking into the
problem but basically it appears to be a misconfigured proxy radius server
sending us a ridiculous amount of access and accounting requests.

On average we see about 10 requests (account + auth) from this proxy server.
At various times during the day, we would see spurts of up to 170 requests per
second, all pretty much duplicates. During these times it would kill our
server and we started timing out to any requests, effectively causing a DoS.
When we removed the IP from our clients file our server load would still be quite
high and create very large logs of 'unknown client' requests, but it was not
really DoS'ed. We ended up blocking the IP at the firewall.

Unfortunately this is actually a client of ours sending the requests, who has
no idea why their server would flood requests to us. We are still trying to
analyze the problem. So it was not malicious, or at least we don't think so :).

I would think that if there was a distributed DoS, you could probably kill any
radius server, be it Radiator or not.  I don't think it's practical to block
these on the network level because like you said UDP packets can be spoofed.

Viraj.
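Added example, not part of the thread or of Radiator itself: a small detector for the symptom Viraj describes, a single source sending bursts of near-identical requests. It reads a constructed, simplified request log (the format below is invented for this example and is not Radiator's log format) and reports, per source IP, the peak requests-per-second and the fraction of requests that repeat an earlier (type, identifier, authenticator) triple from the same source. The thresholds and the sample traffic (10 normal requests/second from one NAS, a 170/second burst of one duplicated Access-Request from a proxy) are assumptions chosen to mirror the numbers in the post.

```python
"""Flood and duplicate detector over a constructed RADIUS request log.

Constructed log line format (assumption, not Radiator's own):
    <epoch_seconds> <src_ip> <Access-Request|Accounting-Request> id=<n> auth=<hex>
"""
from collections import defaultdict


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, code, id_field, auth_field = line.split()
    return {
        "ts": float(ts),
        "src": src,
        "code": code,
        "ident": int(id_field.split("=", 1)[1]),
        "auth": auth_field.split("=", 1)[1],
    }


def analyze(lines, rate_threshold=50, dup_threshold=0.5):
    """Return {src_ip: {"peak_rate", "dup_fraction", "flagged"}}.

    peak_rate    - most requests from that source in any one-second bucket
    dup_fraction - share of requests whose (type, identifier, authenticator)
                   repeats an earlier request from the same source
    flagged      - True when either value crosses its (assumed) threshold
    """
    per_second = defaultdict(lambda: defaultdict(int))  # src -> second -> count
    seen = defaultdict(set)                              # src -> set of triples
    total = defaultdict(int)
    dups = defaultdict(int)

    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        src = rec["src"]
        per_second[src][int(rec["ts"])] += 1
        total[src] += 1
        key = (rec["code"], rec["ident"], rec["auth"])
        if key in seen[src]:
            dups[src] += 1
        else:
            seen[src].add(key)

    report = {}
    for src in total:
        peak = max(per_second[src].values())
        frac = dups[src] / total[src]
        report[src] = {
            "peak_rate": peak,
            "dup_fraction": round(frac, 2),
            "flagged": peak >= rate_threshold or frac >= dup_threshold,
        }
    return report


def build_sample():
    """Constructed traffic: a well-behaved NAS and a misbehaving proxy."""
    lines = []
    # 10.0.0.9: 10 distinct Access-Requests per second for three seconds
    for sec in range(3):
        for i in range(10):
            n = sec * 10 + i
            lines.append(f"{1000 + sec}.{i:02d} 10.0.0.9 Access-Request id={n} auth={n:04x}")
    # 10.0.0.5: 170 copies of the same Access-Request inside second 1001
    for i in range(170):
        lines.append(f"1001.{i % 100:02d} 10.0.0.5 Access-Request id=42 auth=deadbeef")
    return lines


if __name__ == "__main__":
    for src, summary in analyze(build_sample()).items():
        print(src, summary)
```

Two caveats on reading the report: a RADIUS client legitimately retransmits an unanswered request with the same identifier and authenticator, so a modest duplicate fraction is normal and only the combination of high rate and high duplication points at a stuck proxy; and, as the thread notes, the source IP of a UDP request is not proof of origin, so the per-source figures say where to look, not who to blame.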
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
