[RADIATOR] Unexpected behavior with UseStatusServerForFailureDetect in AuthBy LOADBALANCE
Todor Genov
todor.genov at mtnbusiness.co.za
Thu May 9 19:59:43 CDT 2013
P.S. A worse scenario unfolds when the downstream host is responding to Auth (and Status-Server), but not to Accounting. In this case Accounting is still being load-balanced to the downstream host, but all requests enter an infinite re-transmit loop until they are accepted.
With high volumes of Accounting traffic and prolonged outages on the downstream host this can turn into a resource exhaustion DoS.
--
todor
Excerpts from Todor Genov's message of Fri May 10 01:33:15 +0200 2013:
> Hi,
>
> I have found an issue where the "Retries" clause is ignored when using UseStatusServerForFailureDetect with "AuthBy LOADBALANCE".
> In a scenario where a downstream proxy becomes unresponsive, requests enter a re-transmit loop until the next Status-Server keepalive detects the host has failed, and only then requests are ignored.
>
> To replicate use the following config:
>
> <Realm DEFAULT>
> <AuthBy LOADBALANCE>
> Retries 3
> RetryTimeout 1
> UseStatusServerForFailureDetect
> KeepaliveTimeout 300
> NoreplyTimeout 1
> <Host localhost>
> AuthPort 1822
> AcctPort 1823
> </Host>
> </AuthBy>
> </Realm>
>
> A single Access-Request is re-transmitted 300 (KeepaliveTimeout/RetryTimeout) times instead of 3. Once the request is eventually ignored, the following can be seen in the logs:
>
> Fri May 10 01:19:33 2013: INFO: AuthRADIUS : Could not find a working host to forward a (76) after 301 seconds. Ignoring
> Fri May 10 01:19:33 2013: INFO: AuthRADIUS : No reply after 301 seconds and 3 retransmissions to 127.0.0.1:1822 for a (227)
>
> When using the same config with "AuthBy RADIUS" the behavior is as expected and the request is re-transmitted only three times then ignored:
>
> Fri May 10 01:08:41 2013: INFO: AuthRADIUS : Could not find a working host to forward a (1) after 4 seconds. Ignoring
> Fri May 10 01:08:41 2013: INFO: AuthRADIUS : No reply after 4 seconds and 3 retransmissions to 127.0.0.1:1822 for a (129)
>
> Thanks.
>
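Added example, not part of the original mailing-list message and not Radiator code: a log check that flags give-up lines whose elapsed time exceeds what Retries and RetryTimeout allow, run over the four log lines quoted above. The function names and the budget formula (Retries + 1) * RetryTimeout plus one second of slack are assumptions, the formula being inferred from the 4-second AuthBy RADIUS case.

```python
import re

# Give-up lines, in the format of the log excerpts quoted in the message.
NO_REPLY = re.compile(
    r"^(?P<ts>.+?): INFO: AuthRADIUS[^:]*: No reply after (?P<secs>\d+) seconds "
    r"and (?P<rtx>\d+) retransmissions to (?P<target>\S+) for ")
NO_HOST = re.compile(
    r"^(?P<ts>.+?): INFO: AuthRADIUS[^:]*: Could not find a working host "
    r"to forward .* after (?P<secs>\d+) seconds")

# The four log lines copied from the message above (LOADBALANCE, then RADIUS).
SAMPLE_LOG = [
    "Fri May 10 01:19:33 2013: INFO: AuthRADIUS : Could not find a working host to forward a (76) after 301 seconds. Ignoring",
    "Fri May 10 01:19:33 2013: INFO: AuthRADIUS : No reply after 301 seconds and 3 retransmissions to 127.0.0.1:1822 for a (227)",
    "Fri May 10 01:08:41 2013: INFO: AuthRADIUS : Could not find a working host to forward a (1) after 4 seconds. Ignoring",
    "Fri May 10 01:08:41 2013: INFO: AuthRADIUS : No reply after 4 seconds and 3 retransmissions to 127.0.0.1:1822 for a (129)",
]

def retry_budget(retries, retry_timeout, slack=1):
    """Longest expected wait in seconds: first send plus `retries` resends.
    Assumption: inferred from the 4-second AuthBy RADIUS case in the message."""
    return (retries + 1) * retry_timeout + slack

def find_overruns(lines, retries, retry_timeout):
    """Return give-up events that lasted longer than the configured budget."""
    budget = retry_budget(retries, retry_timeout)
    hits = []
    for line in lines:
        line = line.lstrip("> ").rstrip()      # tolerate quoted mail text
        m = NO_REPLY.match(line) or NO_HOST.match(line)
        if not m or int(m["secs"]) <= budget:
            continue
        d = m.groupdict()
        # The logged retransmission count still says 3 in the overrun case,
        # so the check keys on elapsed seconds, not on that counter.
        hits.append({"time": d["ts"], "seconds": int(d["secs"]),
                     "target": d.get("target"),
                     "logged_retransmissions": int(d["rtx"]) if d.get("rtx") else None})
    return hits

if __name__ == "__main__":
    for hit in find_overruns(SAMPLE_LOG, retries=3, retry_timeout=1):
        print(hit)
```
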