Denial of service attacks apparently from UUNET Netblocks
Jay R. Ashworth
jra at scfn.thpl.lib.fl.us
Thu Oct 9 03:08:50 UTC 1997
On Wed, Oct 08, 1997 at 08:44:00PM -0500, John A. Tamplin wrote:
> On Wed, 8 Oct 1997, Matthew V. J. Whalen wrote:
> > I think I heard "John A. Tamplin" say:
> > >Why not just have the Radius server generate the filter itself based on the
> > >assigned IP address?
> >
> > Aside from having to reconfigure the router every time somebody logs on
> > or off? Other than having to have the Radius server run a script which
> > logs into the router and enables (assuming that you are using a Cisco)?
> > Ignoring the problems that Ciscos can have with changing access-lists
> > (especially under high load)? (the list could continue) Other than all
> > those reasons, it would work just fine. :)
> >
> > (okay - maybe I'm Cisco bashing and flaming, but I've seen far too many
> > service interruptions caused by changing access-lists to ignore the issue)
>
> Well, the original topic was about Ascend, and that is what we run here. As
> part of the Radius response to the NAS, you can include arbitrary filters to
> apply to that specific connection. Now, you do pay for that in terms of
> performance, but the Radius server can supply a specific filter for every
> connection. Of course, none of the stock Radius servers support that but I
> am sure everyone has local hacks anyway. For example, all of our
> authentication information (and usage logs) are maintained in an Informix
> database.
To belabor the obvious, remember that not all dialups are hosts; what
you need to set as the filter on the source addresses is a _netmask_.
Cheers,
-- jra
--
Jay R. Ashworth jra at baylink.com
Member of the Technical Staff Unsolicited Commercial Emailers Sued
The Suncoast Freenet "People propose, science studies, technology
Tampa Bay, Florida conforms." -- Dr. Don Norman +1 813 790 7592
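
The point made in this message, as an added example that is not part of the original post: a per-session source filter derived from the address and netmask the Radius server assigns, compared with a host-only (/32) filter on a routed dialup. The function and parameter names, the generic rule text, and the sample addresses (RFC 5737 documentation space) are assumptions made for illustration, not any vendor's filter syntax.

```python
import ipaddress

def session_source_filter(framed_ip, framed_netmask="255.255.255.255"):
    """Return the source prefix a dial-up session may legitimately send from.

    framed_ip / framed_netmask stand for the address and mask the Radius
    server assigns to the session (hypothetical parameter names).
    A host dial-up gets a /32; a routed dial-up (a LAN behind the
    customer's router) gets the whole assigned network.
    """
    # strict=False lets the assigned address carry host bits (e.g. .65 in a /26).
    return ipaddress.ip_network(f"{framed_ip}/{framed_netmask}", strict=False)

def render_rules(prefix):
    """Generic two-rule ingress filter for the session (illustrative syntax)."""
    return [f"in permit src {prefix}", "in drop src any"]

def allowed(prefix, src):
    """True if a packet arriving on the session with source `src` passes."""
    return ipaddress.ip_address(src) in prefix

# Constructed sessions: one single-host dial-up, one routed LAN dial-up.
HOST_SESSION = session_source_filter("192.0.2.17")
LAN_SESSION = session_source_filter("198.51.100.65", "255.255.255.192")

if __name__ == "__main__":
    for name, prefix in (("host", HOST_SESSION), ("routed LAN", LAN_SESSION)):
        print(name, render_rules(prefix))
    # A /32 filter on the routed session drops the LAN's own hosts;
    # the netmask-based filter passes them and still drops foreign sources.
    too_narrow = session_source_filter("198.51.100.65")
    for src in ("198.51.100.65", "198.51.100.70", "203.0.113.9"):
        print(src, "| netmask filter:", allowed(LAN_SESSION, src),
              "| /32 filter:", allowed(too_narrow, src))
```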