(RADIATOR) Redback is sending too many Access-Requests

Hugh Irvine hugh at open.com.au
Tue Jan 31 15:05:43 CST 2006


Hello Mishari -

You should note first of all that this hook code will not "ignore"  
the access requests - the hook is designed to "accept" all access  
requests over a certain number with a variable session timeout that  
will cause the resulting temporary session to drop after some random  
time. The idea is to spread the requests over a longer period of
time. Also note that this is an idea only - I make no guarantees  
about the success or otherwise of using this code.

I am also not sure about maintaining per-user counters, as this will  
lead to greatly increased memory usage.

Can you tell me exactly what you are wanting to do?

regards

Hugh



On 31 Jan 2006, at 22:53, Mishari Al-Faris wrote:

> Dear Hugh,
>
> This is an example that you suggested a while back to mitigate  
> excessive requests coming from DSL NASes.
> I've been trying to modify it to our needs but have been getting  
> compilation errors. Let me just explain what I wish to do instead  
> of going through what I did wrong.
>
> I'd like to count the access trials per "user" not per "NAS". If a  
> certain username is seen trying more than say 1 request per 5  
> seconds, I want to ignore the request, and not go through my  
> AuthPLSQL AuthBy clause. Is this possible? thanks.
>
> # RequestHook for AuthBy INTERNAL
> # This hook counts the number of access requests that are received for a
> # particular NAS, and returns an ACCEPT if there are more than 100 per second.
> # A Session-Timeout reply attribute is added to the reply with a random
> # value between 1 and 1200 seconds (20 minutes).
> #
> # Note: these values should be altered as required.
> #
> # Hugh Irvine, Open System Consultants, 20050829
>
> sub
> {
>     my $p = $_[0];
>     my $time = time;
>     my $code = $p->code;
>     my $nas = $p->{Client};
>     # Still within the same second as the previous request from this NAS
>     if ($time == $nas->{last_throttle_time} && $code eq 'Access-Request')
>     {
>         # Over the per-second limit: accept with a random Session-Timeout
>         if (++$nas->{throttle_count} > 100)
>         {
>             $p->{rp}->add_attr('Session-Timeout', int (rand(1200) + 1));
>             return ($main::ACCEPT, 'Conditional flood control');
>         }
>     }
>     else
>     {
>         # New second (or not an Access-Request): restart the count
>         $nas->{throttle_count} = 0;
>     }
>     $nas->{last_throttle_time} = $time;
>     # IGNORE lets ContinueWhileIgnore fall through to the next AuthBy
>     return ($main::IGNORE, 'Continue to proxy');
> }
>
>
>
> Here is an example of how to use the hook.
>
>
> <Handler .....>
>
>     AuthByPolicy ContinueWhileIgnore
>
>     <AuthBy INTERNAL>
>         RequestHook file:"throttle.pl"
>         AddToReply .....
>     </AuthBy>
>     # normal AuthBy
>     <AuthBy .....>
>         .....
>     </AuthBy>
> </Handler>


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

