Denial of service attacks apparently from UUNET Netblocks

John A. Tamplin jat at
Thu Oct 9 01:44:00 UTC 1997

On Wed, 8 Oct 1997, Matthew V. J. Whalen wrote:

> I think I heard "John A. Tamplin" say:
> >Why not just have the Radius server generate the filter itself based on the
> >assigned IP address?
> Aside from having to reconfigure the router everytime somebody logs on
> or off? Other than having to have the Radius server run a script which
> logs into the router and enables (assuming that you are using a Cisco)?
> Ignoring the problems that Cisco's can have with changing access-lists
> (especially under high load)? (the list could continue)  Other than all
> those reasons, it would work just fine. :)
> (okay - maybe I'm Cisco bashing and flaming, but I've seen far too many
> service interruptions caused by changing access-lists to ignore the issue)

Well, the original topic was about Ascend, and that is what we run here.  As
part of the Radius response to the NAS, you can include arbitrary filters to
apply to that specific connection.  Now, you do pay for that in terms of
performance, but the Radius server can supply a specific filter for every
connection.  Of course, none of the stock Radius servers support that but I
am sure everyone has local hacks anyway.  For example, all of our 
authentication information (and usage logs) are maintained in an Informix

John Tamplin					Traveller Information Services
jat at Traveller.COM				2104 West Ferry Way
205/883-4233x7007				Huntsville, AL 35801

More information about the NANOG mailing list