FW: (RADIATOR) Tarpitting aggressive users

António Fernandes afernandes at egp.up.pt
Tue Sep 28 11:58:44 CDT 2004


Hi,

I had that exact problem two weeks ago... Some bad wireless cards kept auth
over and over increasing the load on the radius server.

Hugh, do you know how I can implement that with Cisco AP1100 or AP1200?

Thanks,

António Fernandes
EGP - Escola de Gestao do Porto / Porto Management School Universidade do
Porto / University of Porto



-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
Behalf Of Hugh Irvine
Sent: Tuesday, 28 September 2004 16:58
To: Robert Blayzor
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) Tarpitting aggressive users


Hello Robert -

There is nothing of this sort available in Radiator. You may be able to
write a hook, but really once the requests get to Radiator it is too late.

The more appropriate fix is to either implement rate limiting of radius
requests in the NAS device itself (Cisco now implements this), or
alternatively use dynamic filtering on your network equipment to blackhole
the offending requests.

There are some example hooks in the file "goodies/hooks.txt".

regards

Hugh


On 28 Sep 2004, at 17:37, Robert Blayzor wrote:

> I know we brought this up in the past, but I'm not really sure we ever 
> discussed an "end all" solution for this problem.
>
> The problem we see from time to time is a "run away" PPPoE client just 
> loses its mind and constantly auths, disconnects, auths, disconnects, 
> ... every second or two.
>
> I just found a user or two that have been doing this for weeks and 
> it's polluting our RADIUS accounting SQL logs with MILLIONS of rows 
> just from this one user.
>
> I'm wondering if Radiator can be modified or configured to tarpit 
> these types of run away clients.  I'm looking for something I can set 
> a threshold within a certain period of time and then set a "lock out 
> period".  ie:
>
> If a user logs in more than 100 times within an hour, fail auth for 
> two hours.  Ideally it would be nice to log (only once) that the user 
> has been tarpitted and then not send anything to the auth log until 
> the period expires.
>
> I know this is probably not that easy to do and I'm not looking for 
> something that will create more SQL transactions.  I'm willing to 
> consume more RAM (which is available) over doing a SQL table to keep 
> track of this.
>
> Are there any good examples to maybe write a PreHandler hook that can 
> use a persistent hash of arrays where I could store the user@realm in 
> the hash with the number of logins, etc.  I'd need to have this hash 
> survive each time the sub is exited.  Something tells me this would 
> require a Radiator modification.  Am I wrong?
>
> TIA
>
> -Robert
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au To unsubscribe, email 
> 'majordomo at open.com.au' with 'unsubscribe radiator' in the body of the 
> message.
>
>

NB: I am travelling this week, so there may be delays in our correspondence.

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
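The tarpit Robert asks for, as an added Perl sketch that is not from the thread and not from Radiator's goodies/hooks.txt: a file-scoped hash keyed by user keeps a per-window count and a lockout time, logs once when a lockout starts, and refuses silently until it expires. Wiring it into a hook (reading User-Name from the request and turning the 1/0 result into a reject in the way your Radiator version's hooks.txt shows) is assumed and not shown.

```perl
# Added example, not from the thread or from Radiator's goodies/hooks.txt.
# In-RAM tarpit state for run-away clients: the hash is file-scoped, so it
# survives between hook calls for the life of the process.
use strict;
use warnings;
# Robert's numbers: more than 100 auths in an hour => refuse for two hours.
my $THRESHOLD = 100;    # auth attempts allowed per window
my $WINDOW    = 3600;   # seconds
my $LOCKOUT   = 7200;   # seconds
# user => { count => N, window_start => t, locked_until => t }
my %state;

# Returns 1 if this attempt should be refused, 0 if it may proceed.  $log is a
# code ref called exactly once, when a lockout starts; attempts made during the
# lockout are refused without logging again.
sub tarpit_check {
    my ($user, $now, $log) = @_;
    my $s = $state{$user} ||= { count => 0, window_start => $now, locked_until => 0 };

    return 1 if $now < $s->{locked_until};        # locked out: silent refusal

    if ($now - $s->{window_start} >= $WINDOW) {   # window expired: start afresh
        $s->{count}        = 0;
        $s->{window_start} = $now;
    }
    if (++$s->{count} > $THRESHOLD) {
        $s->{locked_until} = $now + $LOCKOUT;
        $s->{count}        = 0;
        $log->("tarpit: $user exceeded $THRESHOLD auths in ${WINDOW}s, refusing for ${LOCKOUT}s");
        return 1;
    }
    return 0;
}

# Drop idle entries so the hash cannot grow without bound; call occasionally.
sub tarpit_prune {
    my ($now) = @_;
    for my $u (keys %state) {
        delete $state{$u}
            if $now >= $state{$u}{locked_until} && $now - $state{$u}{window_start} >= $WINDOW;
    }
}

# Stand-alone check on a constructed timeline: one client re-authenticating every second.
unless (caller) {
    my ($t0, @logged) = (1_000_000);
    my $refused = 0;
    $refused += tarpit_check('bad@example.net', $t0 + $_, sub { push @logged, $_[0] }) for 0 .. 199;
    printf "refused %d of 200 attempts, logged %d line(s)\n", $refused, scalar @logged;
}
```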
