(RADIATOR) Tarpitting auth requests from naughty users..

h.zuidema at kpn.com h.zuidema at kpn.com
Fri May 9 05:56:41 CDT 2003 

Hello Robert,

In our large DSL network we don't have just one customer that's doing this,
we have many. It's a general DSL problem. We developed a process that
periodically scans the (compact) authentication logfile. If there are too
many failed logins for a certain customer this process tells the NAS to
remove the VC of this customer and restores it after one hour.
As an alternative you could think of a "CacheRejects" parameter in Radiator
(similar to CachePasswords). This could at least lower the load on database
checking due to these never ending failed logins.

Met vriendelijke groet,
Hylke Zuidema
Developmentmanager
KPN The Netherlands


-----Oorspronkelijk bericht-----
Van: Robert Blayzor [mailto:noc at inoc.net]
Verzonden: donderdag 8 mei 2003 14:59
Aan: radiator at open.com.au
Onderwerp: (RADIATOR) Tarpitting auth requests from naughty users..


We have a braindead customer somewhere that has a DSL modem or PPPoE
client that's making a bad auth request (failed login) every 10 seconds.
It's been going on for weeks.  It's bloating up our failed login table
and bloating up log files.  While I know the obveious solution is to
apply LART and disconnect the user, that always isn't the best answer
when management jumps down your throat about it.  Long story.

Anyway, can Radiator tarpit or ignore bad requests for the same login
attempt (username, password and client pair) for a certain period of
time if the same auth fails X number of times within a specific period.

Ie:  If a client sends the same bad auth request 10 times within a two
minute period, ignore the requests for 60 minutes.  

Thanks in advance.

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net

BOFH excuse #245: The Borg tried to assimilate your system, resistance
is futile 


===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list