RE: [RadiusNT] ISDN HACK

Geo. (no email)
Wed, 21 Jul 1999 11:36:06 -0400

Concurrency works fine, that's not the problem. The problem is when radius
gets overloaded with reject requests that the user is getting in. The other
problem is that someone with a single login account and an ISDN modem set to
dial for a dual connection can basically cause a DOS situation in that they
flood emerald with login requests.

Radius should be smart enough to see that if the user isn't connecting and
if radius has just refused the connection due to the login limit that it
doesn't need to go to the database to refuse another login request in quick
series like this. If a reject is sent for a call because of login limit,
then that call should not cause radius to retry again and again simply
because the user keeps retrying. It's easy to create a DOS attack using
that. It should only do a login limit check on a new call. There should also
be a limit on the number of times it will check a bad username or password
which can also be used to create a DOS attack.

Geo.

> -----Original Message-----
> From: radiusnt-request@iea-software.com
> [mailto:radiusnt-request@iea-software.com]On Behalf Of Terry Bomersbach
> Sent: Wednesday, July 21, 1999 11:10 AM
> To: radiusnt@iea-software.com
> Subject: Re: [RadiusNT] ISDN HACK
>
>
> >What happens is after 10-20 seconds of this, he manages to get logged in
> >with the second line.
> >
> >Now it seems to me this is a bug in Radius that's allowing this
> >to happen.
> >What I need is some way to stop it or a fix. Anyone got any ideas?
>
> It's not a RADIUS BUG, it's the NAS that has the problem. RADIUS does check
> for concurrency but the NAS is treating both connections as one call. Talk
> to your vendor.
>
>
>
> For more information about this list (including removal) go to:
> http://www.iea-software.com/support/maillists/liststart
>
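
The behaviour asked for in the reply above, sketched as an added example (not RadiusNT code and not part of the original thread): a login-limit reject is remembered per call and repeated bad-credential rejects are counted per user, so retries are refused without another database lookup. The class, function and outcome names, the (NAS, port) call key and the timeout values are all assumptions made for illustration.

```python
import time

class RejectCache:
    """Answers repeat rejects from memory so the database is not queried again."""
    def __init__(self, limit_ttl=30.0, max_bad=5, bad_window=60.0, clock=time.monotonic):
        self.limit_ttl, self.max_bad, self.bad_window = limit_ttl, max_bad, bad_window
        self.clock = clock
        self._limit = {}  # (user, call_id) -> time the cached login-limit reject expires
        self._bad = {}    # user -> timestamps of recent bad-credential rejects

    def _recent(self, user, now):
        return [t for t in self._bad.get(user, []) if now - t < self.bad_window]

    def precheck(self, user, call_id):
        """Return a reject reason if no database lookup is needed, else None."""
        now = self.clock()
        expiry = self._limit.get((user, call_id))
        if expiry is not None and now < expiry:
            return "login-limit (cached)"
        self._limit.pop((user, call_id), None)  # expired or absent
        recent = self._recent(user, now)
        return "too-many-bad-logins" if len(recent) >= self.max_bad else None

    def record(self, user, call_id, outcome):
        now = self.clock()
        if outcome == "login-limit":
            self._limit[(user, call_id)] = now + self.limit_ttl
        elif outcome == "bad-credentials":
            self._bad[user] = self._recent(user, now) + [now]

def handle(cache, backend, user, call_id):
    """Process one Access-Request; backend() is the expensive database check."""
    reason = cache.precheck(user, call_id)
    if reason is None:
        reason = backend(user, call_id)
        cache.record(user, call_id, reason)
    return "Access-Accept" if reason == "accept" else "Access-Reject", reason

def demo():
    """Constructed flood: 100 retries in 10 s on one call that is over its login limit."""
    now, db_hits = [0.0], []
    def backend(user, call_id):  # constructed stand-in for the database lookup
        db_hits.append(call_id)
        return "login-limit"
    cache = RejectCache(clock=lambda: now[0])
    for _ in range(100):
        handle(cache, backend, "isdnuser", ("nas1", 7))
        now[0] += 0.1
    return len(db_hits)
```

In the constructed flood, `demo()` reports a single database lookup for the 100 requests; a request arriving on a different call key, or after the cached reject expires, is checked against the database again.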
