(RADIATOR) Tarpitting aggressive users

Hugh Irvine hugh at open.com.au
Tue Sep 28 10:57:47 CDT 2004


Hello Robert -

There is nothing of this sort available in Radiator. You may be able to 
write a hook, but really once the requests get to Radiator it is too 
late.

The more appropriate fix is to either implement rate limiting of radius 
requests in the NAS device itself (Cisco now implements this), or 
alternatively use dynamic filtering on your network equipment to 
blackhole the offending requests.

There are some example hooks in the file "goodies/hooks.txt".

regards

Hugh


On 28 Sep 2004, at 17:37, Robert Blayzor wrote:

> I know we brought this up in the past, but I'm not really sure we ever 
> discussed an "end all" solution for this problem.
>
> The problem we see from time to time is a "run away" PPPoE client just 
> loses its mind and constantly auths, disconnects, auths, disconnects, 
> ... every second or two.
>
> I just found a user or two that have been doing this for weeks and 
> it's polluting our RADIUS accounting SQL logs with MILLIONS of rows 
> just from this one user.
>
> I'm wondering if Radiator can be modified or configured to tarpit 
> these types of run away clients.  I'm looking for something I can set 
> a threshold within a certain period of time and then set a "lock out 
> period".  ie:
>
> If a user logs in more than 100 times within an hour, fail auth for 
> two hours.  Ideally it would be nice to log (only once) that the user 
> has been tarpitted and then log send anything to the auth log until 
> the period expires.
>
> I know this is probably not that easy to do and I'm not looking for 
> something that will create more SQL transactions.  I'm willing to 
> consume more RAM (which is available) over doing a SQL table to keep 
> track of this.
>
> Are there any good examples to maybe write a PreHandler hook that can 
> use a persistent hash of arrays where I could store the user@realm in 
> the hash with the number of logins, etc.  I'd need to have this hash 
> survive each time the sub is exited.  Something tells me this would 
> require a Radiator modification.  Am I wrong?
>
> TIA
>
> -Robert
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: I am travelling this week, so there may be delays in our 
correspondence.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
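An added example of the in-memory threshold and lock-out hook Robert describes, written here rather than taken from this thread or from Radiator's goodies/hooks.txt. It assumes the Handler PostAuthHook convention (references to request, reply, result and reason as the four arguments) and the $main::REJECT, $main::LOG_WARNING and &main::log names; the 100-per-hour and two-hour figures are the ones from the question, and the hash persists because Radiator compiles the hook once and the closure keeps it alive.

```perl
# Added example, not from this thread or from Radiator's goodies/hooks.txt.
# Meant as a Handler PostAuthHook, e.g.  PostAuthHook file:"%D/tarpit.pl"
# Assumed arguments: $_[0] ref to request, $_[1] ref to reply,
# $_[2] ref to the auth result, $_[3] ref to the reject-reason string.
# %state lives in the closure, so it persists across calls for the life of
# the radiusd process (per process, lost on restart, never written to SQL).
use strict;
use warnings;

my $WINDOW  = 3600;   # count Access-Requests over one hour
my $LIMIT   = 100;    # more than this many in the window trips the tarpit
my $LOCKOUT = 7200;   # then reject for two hours
my %state;            # "user@realm" => { times => [epochs], locked_until => epoch }
my $last_sweep = 0;

sub {
    my ($p, $result, $reason) = (${$_[0]}, $_[2], $_[3]);
    my $now = time;
    return unless $p->code eq 'Access-Request';
    my $user = $p->get_attr('User-Name');
    return unless defined $user;

    # Every 10 minutes drop idle, unlocked users so the hash cannot grow forever.
    if ($now - $last_sweep > 600) {
        for my $u (keys %state) {
            delete $state{$u} if $state{$u}{locked_until} <= $now
                && $state{$u}{times}[-1] < $now - $WINDOW;
        }
        $last_sweep = $now;
    }

    my $s = $state{$user} ||= { times => [], locked_until => 0 };
    if ($s->{locked_until} > $now) {
        # Still in the lock-out period: reject, but do not log again.
        ($$result, $$reason) = ($main::REJECT, 'Tarpitted');
        return;
    }

    # Sliding window: record this attempt, drop anything older than an hour.
    push @{ $s->{times} }, $now;
    shift @{ $s->{times} } while $s->{times}[0] < $now - $WINDOW;

    if (@{ $s->{times} } > $LIMIT) {
        $s->{locked_until} = $now + $LOCKOUT;
        &main::log($main::LOG_WARNING,
            "Tarpitting $user for $LOCKOUT s: over $LIMIT logins in $WINDOW s");
        ($$result, $$reason) = ($main::REJECT, 'Tarpitted');
    }
}
```

As Hugh notes, this only stops the session from coming up (and so the accounting rows that follow); the Access-Requests themselves still reach Radiator, so rate limiting on the NAS or filtering upstream remains the real fix.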
