Re: [RadiusNT] ISDN HACK

Dale E. Reed Jr. ( (no email) )
Wed, 21 Jul 1999 10:57:04 -0700

"Geo." wrote:
>
> Concurrency works fine, that's not the problem. The problem is when radius
> gets overloaded with reject requests that the user is getting in. The other
> problem is that someone with a single login account and an ISDN modem set to
> dial for a dual connection can basically cause a DOS situation in that they
> flood emerald with login requests.

I *REALLY* doubt a single dialup user could do a DOS to RadiusNT, since
they have to go through a terminal server. In theory it sounds possible,
but in reality, the likelihood of it is almost none.

> Radius should be smart enough to see that if the user isn't connecting and
> if radius has just refused the connection due to the login limit that it
> doesn't need to go to the database to refuse another login request in quick
> series like this. If a reject is sent for a call because of login limit,
> then that call should not cause radius to retry again and again simply
> because the user keeps retrying. It's easy to create a DOS attack using
> that. It should only do a login limit check on a new call. There should also
> be a limit on the number of times it will check a bad username or password
> which can also be used to create a DOS attack.

Have you ever TRIED this? You keep saying it's easy, and it does sound
easy, but I would really need some hard evidence to believe it. I just
don't think it's that easy in the real world. The new smart cache code
in RadiusNT 3 already addresses any possible concerns this might bring
up, anyways.

-- 

Dale E. Reed Jr.        Emerald and RadiusNT
IEA Software, Inc.      www.iea-software.com

For more information about this list (including removal) go to: http://www.iea-software.com/support/maillists/liststart
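The reject cache Geo. asks for above, sketched as an added example (not code from the thread and not RadiusNT's own smart cache): a login-limit reject is answered from cache for a short window instead of hitting the accounts database again, and repeated bad-password attempts stop reaching the database after a fixed count. The `db_lookup` callback, the TTL and the attempt cap are assumptions made up for the demo.

```python
import time
from dataclasses import dataclass

REJECT_TTL = 30.0   # seconds a cached reject stays valid (assumed value)
MAX_BAD_AUTH = 5    # bad-password lookups allowed per window (assumed value)


@dataclass
class RejectEntry:
    reason: str           # "login-limit" or "bad-auth"
    expires: float        # monotonic time after which the entry is dropped
    bad_auth_count: int = 0


class RadiusFrontEnd:
    """Negative cache in front of the database lookup a RADIUS server does."""

    def __init__(self, db_lookup, clock=time.monotonic):
        # db_lookup(user, password) -> ("accept", None) | ("reject", reason)
        self._db_lookup, self._clock, self._cache, self.db_hits = db_lookup, clock, {}, 0

    def authenticate(self, user, password):
        """Return (result, reason, served_from_cache)."""
        now = self._clock()
        entry = self._cache.get(user)
        if entry is not None and entry.expires <= now:   # window over: re-check
            del self._cache[user]
            entry = None
        if entry is not None:
            if entry.reason == "login-limit":             # retry of a limited user
                return ("reject", "login-limit", True)
            if entry.bad_auth_count >= MAX_BAD_AUTH:      # too many bad passwords
                return ("reject", "bad-auth", True)
        self.db_hits += 1                                 # only now touch the DB
        result, reason = self._db_lookup(user, password)
        if result == "accept":
            self._cache.pop(user, None)
            return ("accept", None, False)
        if reason == "login-limit":
            self._cache[user] = RejectEntry("login-limit", now + REJECT_TTL)
        else:
            entry = entry or self._cache.setdefault(user, RejectEntry("bad-auth", now + REJECT_TTL))
            entry.bad_auth_count += 1
        return ("reject", reason, False)


def demo():
    """Constructed users: alice is over her login limit, bob has password s3cret."""
    t = [0.0]
    def db(user, password):                               # stand-in for the accounts DB
        if user == "alice":
            return ("reject", "login-limit")
        return ("accept", None) if (user, password) == ("bob", "s3cret") else ("reject", "bad-auth")
    fe = RadiusFrontEnd(db, clock=lambda: t[0])
    alice = [fe.authenticate("alice", "x") for _ in range(10)]   # 1 DB hit, 9 cached
    hits_after_alice = fe.db_hits
    bob = [fe.authenticate("bob", "wrong") for _ in range(8)]    # 5 DB hits, 3 throttled
    hits_after_bob = fe.db_hits
    t[0] = REJECT_TTL + 1                                        # window expires
    ok = fe.authenticate("bob", "s3cret")
    return alice, hits_after_alice, bob, hits_after_bob, ok, fe.db_hits
```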