Upstream NAS flooding my radius
Nathan M
locu.lists at gmail.com
Sat Dec 17 00:37:03 CET 2011
On Fri, Dec 16, 2011 at 5:18 AM, Alan DeKok <aland at deployingradius.com> wrote:
>
> People generally upgrade their systems to deal with peak loads.
>
Thanks for the input. As previously mentioned, it's not what I would
really consider a peak load issue, but more of a DoS from a
misconfigured or poorly managed NAS, which is entirely outside of our
control; however, we have to accept packets from it and have no
ability to resolve whatever their problem may be.
Rather than updating the systems to accommodate 6000 packets/second
from this one NAS when it sends a spew of authentication requests,
I'll share the solution I'm trying out in case anyone else winds up in
a similar predicament. In all tests thus far, this shaves off the
wild peak load and distributes it over a short period of time as the
NAS I'm working with will retry frequently if the first attempt is
dropped.
iptables has a recent module which seems to fit the bill, as it also
tracks source IP. The limit module was also pretty close; however, it
limits all packets to a port, ignoring the source IP. The rules below,
which use the recent module and on a RHEL/CentOS system go into
/etc/sysconfig/iptables, limit inbound auth packet rates to no more
than 60/second, and acct packets to 120/second, from any given source
IP (i.e., if there are 2 separate sources of packets it would allow
60/s auth requests from each). These same rules would protect against
other DoS-based attacks to these ports as well, I believe.
# RADIUS on the legacy ports: 1645 = auth, 1646 = acct (1812/1813 are the IANA ones).
# Per port the order matters: check the per-source list, log and drop anything over
# the threshold, otherwise record the packet and accept it. Dropped packets are not
# recorded, so an offender only gets through again once its old hits age out.
# The recent module remembers at most ip_pkt_list_tot hits per address (default 20)
# and kernels of this vintage refuse to load a rule whose --hitcount exceeds it, so
# the module must be loaded with ip_pkt_list_tot raised above 120 for these to load.
# --state NEW only matches packets conntrack has not tied to an existing UDP flow;
# once the server has replied, later packets on the same source port are ESTABLISHED
# and are not counted here.
-A INPUT -p udp -m udp --dport 1645 -m state --state NEW -m recent --rcheck --seconds 1 --hitcount 60 --name RADAUTH --rsource -j LOG
-A INPUT -p udp -m udp --dport 1645 -m state --state NEW -m recent --rcheck --seconds 1 --hitcount 60 --name RADAUTH --rsource -j DROP
-A INPUT -p udp -m udp --dport 1645 -m state --state NEW -m recent --set --name RADAUTH --rsource
-A INPUT -m state --state NEW -m udp -p udp --dport 1645 -j ACCEPT
-A INPUT -p udp -m udp --dport 1646 -m state --state NEW -m recent --rcheck --seconds 1 --hitcount 120 --name RADACCT --rsource -j LOG
-A INPUT -p udp -m udp --dport 1646 -m state --state NEW -m recent --rcheck --seconds 1 --hitcount 120 --name RADACCT --rsource -j DROP
-A INPUT -p udp -m udp --dport 1646 -m state --state NEW -m recent --set --name RADACCT --rsource
-A INPUT -m state --state NEW -m udp -p udp --dport 1646 -j ACCEPT
- N
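A model of the per-source counting the rules above rely on (rcheck of the last second's hits, DROP over the threshold, else set and ACCEPT), added here as an illustration and not part of the original post or of iptables/FreeRADIUS. The packet trace and the addresses 192.0.2.10 and 192.0.2.20 are constructed; the "shared counter" variant is a simplified source-blind limit for contrast, not the limit module's token bucket. The ip_pkt_list_tot cap is modelled as a load-time rejection, which is what the kernel does when --hitcount exceeds it:

```python
# Model of the per-source rate limit built from iptables' recent module
# (--rcheck --seconds S --hitcount N, then --set on the packets that pass).
# Added example, not from the original post; the packet trace is constructed.
from collections import defaultdict, deque

USEC = 1_000_000  # timestamps are integer microseconds to avoid float drift


class RecentList:
    """One named xt_recent list (e.g. RADAUTH) keyed by source address.

    Mirrors the semantics the rules rely on: each --set appends a timestamp,
    the list keeps at most pkt_list_tot timestamps per address (the oldest is
    overwritten), and --rcheck counts how many stored timestamps fall inside
    the last `seconds`. The kernel refuses a rule whose --hitcount exceeds
    ip_pkt_list_tot (default 20); the constructor reproduces that check.
    """

    def __init__(self, seconds, hitcount, pkt_list_tot=20):
        if hitcount > pkt_list_tot:
            raise ValueError(
                f"hitcount ({hitcount}) is larger than packets to be "
                f"remembered ({pkt_list_tot}); raise ip_pkt_list_tot")
        self.window = seconds * USEC
        self.hitcount = hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=pkt_list_tot))

    def rcheck(self, key, now):
        """--rcheck: True when `key` already has >= hitcount stamps in the window."""
        recent = [t for t in self.stamps[key] if t + self.window > now]
        return len(recent) >= self.hitcount

    def set(self, key, now):
        """--set: record this packet for `key` (deque drops the oldest at the cap)."""
        self.stamps[key].append(now)


def rule_loads(hitcount, pkt_list_tot=20):
    """True if a rule with this --hitcount would load against this ip_pkt_list_tot."""
    try:
        RecentList(1, hitcount, pkt_list_tot)
        return True
    except ValueError:
        return False


def filter_trace(trace, seconds, hitcount, pkt_list_tot, per_source=True):
    """Apply the chain order from the post: rcheck -> DROP, else set -> ACCEPT.

    per_source=True keys the list on the source address, as --rsource does;
    per_source=False keys every packet on the port, approximating a limit that
    ignores the source, so one noisy NAS starves the others.
    Returns {src: (accepted, dropped)}.
    """
    lst = RecentList(seconds, hitcount, pkt_list_tot)
    counts = defaultdict(lambda: [0, 0])
    for now, src in sorted(trace):
        key = src if per_source else "udp/1645"
        if lst.rcheck(key, now):
            counts[src][1] += 1  # DROP: not recorded, so the source only
        else:                    # recovers as old hits age out of the window
            lst.set(key, now)
            counts[src][0] += 1  # ACCEPT
    return {src: tuple(v) for src, v in counts.items()}


# Constructed trace: a misbehaving NAS bursting 200 Access-Requests in 0.4 s
# (500/s) while a healthy NAS sends 30 requests at 10 ms spacing.
NOISY = "192.0.2.10"
QUIET = "192.0.2.20"
TRACE = [(2_000 * i, NOISY) for i in range(200)] + \
        [(100_500 + 10_000 * k, QUIET) for k in range(30)]


def run_example():
    """Per-source limit (as in the post) beside a source-blind shared counter."""
    per_src = filter_trace(TRACE, seconds=1, hitcount=60, pkt_list_tot=200)
    shared = filter_trace(TRACE, seconds=1, hitcount=60, pkt_list_tot=200,
                          per_source=False)
    return per_src, shared


if __name__ == "__main__":
    per_src, shared = run_example()
    print("per-source (--rsource):", per_src)
    print("shared counter        :", shared)
    print("hitcount 60 loads with default ip_pkt_list_tot:", rule_loads(60))
```

With the per-source list the quiet NAS keeps all 30 of its requests while the noisy one is capped at 60 in the window; with a shared counter the noisy burst fills the window first and the quiet NAS gets only 2 through. The last line shows why the module parameter matters: with the default of 20 remembered packets, a --hitcount of 60 is refused outright.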
More information about the Freeradius-Users mailing list