Re: [RadiusNT] ISDN HACK

Dale E. Reed Jr. ( (no email) )
Wed, 21 Jul 1999 10:57:04 -0700

"Geo." wrote:
> Concurrency works fine, that's not the problem. The problem is when radius
> gets overloaded with reject requests that the user is getting in. The other
> problem is that someone with a single login account and an ISDN modem set to
> dial for a dual connection can basically cause a DOS situation in that they
> flood emerald with login requests.

I *REALLY* doubt a single dialup user could do a DOS to RadiusNT, since
they have to go through a terminal server. In theory it sounds
but in reality, the likelihood of it is almost none.

> Radius should be smart enough to see that if the user isn't connecting and
> if radius has just refused the connection due to the login limit that it
> doesn't need to go to the database to refuse another login request in quick
> series like this. If a reject is sent for a call because of login limit,
> then that call should not cause radius to retry again and again simply
> because the user keeps retrying. It's easy to create a DOS attack using
> that. It should only do a login limit check on a new call. There should also
> be a limit on the number of times it will check a bad username or password
> which can also be used to create a DOS attack.

Have you ever TRIED this? You keep saying its easy, and it does sound
easy, but I would really need some hard evidence to believe it. I just
don't think its that easy in the real world. The new smart cache code
in RadiusNT 3 already addresses any possible concerns this might bring
up, anyways.


Dale E. Reed Jr. Emerald and RadiusNT__________________________________________IEA Software, Inc.

For more information about this list (including removal) go to: