Re: Denial of service attacks apparently from UUNET Netblocks

From: Jay R. Ashworth (no email)
Date: Wed Oct 08 1997 - 23:08:50 EDT


On Wed, Oct 08, 1997 at 08:44:00PM -0500, John A. Tamplin wrote:
> On Wed, 8 Oct 1997, Matthew V. J. Whalen wrote:
> > I think I heard "John A. Tamplin" say:
> > >Why not just have the Radius server generate the filter itself based on the
> > >assigned IP address?
> >
> > Aside from having to reconfigure the router every time somebody logs on
> > or off? Other than having to have the Radius server run a script which
> > logs into the router and enables (assuming that you are using a Cisco)?
> > Ignoring the problems that Ciscos can have with changing access-lists
> > (especially under high load)? (the list could continue) Other than all
> > those reasons, it would work just fine. :)
> >
> > (okay - maybe I'm Cisco bashing and flaming, but I've seen far too many
> > service interruptions caused by changing access-lists to ignore the issue)
>
> Well, the original topic was about Ascend, and that is what we run here. As
> part of the Radius response to the NAS, you can include arbitrary filters to
> apply to that specific connection. Now, you do pay for that in terms of
> performance, but the Radius server can supply a specific filter for every
> connection. Of course, none of the stock Radius servers support that but I
> am sure everyone has local hacks anyway. For example, all of our
> authentication information (and usage logs) are maintained in an Informix
> database.

To belabor the obvious, remember that not all dialups are hosts; what
you need to set as the filter on the source addresses is a _netmask_.

Cheers,
-- jra

-- 
Jay R. Ashworth                                                
Member of the Technical Staff             Unsolicited Commercial Emailers Sued
The Suncoast Freenet      "People propose, science studies, technology
Tampa Bay, Florida          conforms."  -- Dr. Don Norman      +1 813 790 7592
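
The netmask point in this message, as an added example that is not part of the original thread: a per-session source filter derived from the assigned address alone drops legitimate traffic from hosts behind a dial-up router, while one derived from address plus netmask admits them and still rejects spoofed sources. The function names and sample sessions are constructed for illustration; Framed-IP-Address and Framed-IP-Netmask are the standard RADIUS attributes assumed to carry the assignment.

```python
import ipaddress

def session_source_filter(framed_ip, framed_netmask="255.255.255.255"):
    """Return the network a dial-up session may use as a source address.

    The arguments mirror the RADIUS Framed-IP-Address and Framed-IP-Netmask
    attributes; with no netmask the session is treated as a single host.
    """
    # strict=False: the assigned address usually has host bits set (it is the
    # dial-up router's own address inside its subnet). A non-contiguous mask
    # raises ValueError, so a malformed record never yields a filter.
    return ipaddress.ip_network(f"{framed_ip}/{framed_netmask}", strict=False)

def permit(source_filter, src):
    """True if a packet with source address src passes the ingress filter."""
    return ipaddress.ip_address(src) in source_filter

def evaluate(source_filter, sources):
    """Map each source address to the filter's permit/drop decision."""
    return {src: permit(source_filter, src) for src in sources}

# Constructed sample data using documentation address ranges.
LAN_SESSION = {"Framed-IP-Address": "198.51.100.65",
               "Framed-IP-Netmask": "255.255.255.224"}
LAN_TRAFFIC = [
    "198.51.100.65",   # the dial-up router itself
    "198.51.100.70",   # workstation behind the router
    "198.51.100.94",   # last usable host in the routed subnet
    "203.0.113.9",     # spoofed source outside the assignment
]

def compare_filters():
    """Decisions of the host-only filter and the netmask filter, side by side."""
    host_only = session_source_filter(LAN_SESSION["Framed-IP-Address"])
    with_mask = session_source_filter(LAN_SESSION["Framed-IP-Address"],
                                      LAN_SESSION["Framed-IP-Netmask"])
    return evaluate(host_only, LAN_TRAFFIC), evaluate(with_mask, LAN_TRAFFIC)

if __name__ == "__main__":
    host_only, with_mask = compare_filters()
    for src in LAN_TRAFFIC:
        print(f"{src:15}  host-only={'permit' if host_only[src] else 'drop':6}"
              f"  netmask={'permit' if with_mask[src] else 'drop'}")
```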






