[EXTERNAL] Re: Freeradius 3 DHCP server with SQL and 'anty dos' protection, how?

Winfield, Alister Alister.Winfield at sky.uk
Wed Jun 26 10:01:48 CEST 2019


Perhaps another option is to give the client a bogus address say 127.0.0.2 (or an equivalent non-routed IPv6) on a shortish lease.

No network should route that anywhere and it gets rid of the bogus client for a while.

A.


On 25/06/2019, 16:59, "Freeradius-Users on behalf of Alan DeKok" <aland at deployingradius.com> wrote:

    On Jun 25, 2019, at 11:11 AM, Kamil de Bardon <kamil at forweb.pl> wrote:
    >
    > Hello, I configured FreeRADIUS to be a unicast DHCP server working with a Cisco ASR.

      That's good.

    > This is working, but my concern is: if a client's MAC address is not in the database, the DHCP client will send DHCP Discover all the time, and one Discover = one SQL query.
    >
    > Is there any way to prevent that? Some cache or so?

      See the cache module:

    https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/cache

      It's not trivial to set up, but it works.  Basically:

    * set a cache back-end (rbtree is usually good enough)
    * configure the "update" section in mods-available/cache to cache the MAC address
    * enable the module in mods-enabled

      In DHCP discover, when you're rejecting bad users, do:

    # cache bad users
    update control {
        Cache-TTL = 3600  # cache for one hour
    }
    cache
    update reply {
        &DHCP-Message-Type = DHCP-Do-Not-Respond
    }

    reject
    # bad users

      Then *before* the SQL lookup, do:

    # check the cache
    update control {
        Cache-Status-Only := yes
    }
    cache
    if (ok) {
        update reply {
            &DHCP-Message-Type = DHCP-Do-Not-Respond
        }

        reject
    }
    # check the cache before SQL

      That *should* work.  I haven't tested it, but the basic idea is there.

      Alan DeKok.


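The thread gives the pieces in isolation (a cache instance, a status-only check before SQL, an insert after the failed lookup), so here is how they fit together in one DHCP-Discover section. This is an added example, not code from Alan, Alister or the FreeRADIUS distribution, and it has not been run against a live server. Assumptions: a dedicated cache instance named `cache_dhcp_deny`, an `sql` instance whose authorize query returns `notfound` for a MAC with no row, and the `dhcp DHCP-Discover` section layout of raddb/sites-available/dhcp in 3.0.x. The attribute names `DHCP-Client-Hardware-Address`, `Cache-Status-Only` and `Cache-TTL` come from the 3.0.x DHCP dictionary and rlm_cache; storing a literal in the cache `update` section is also an assumption.

```unlang
# --- mods-available/cache_dhcp_deny  (added example; instance name assumed) ---
#
# Negative cache of client MACs that have no database entry.  Keyed on the
# DHCP chaddr, so a repeating Discover from the same MAC is answered from
# memory instead of costing an SQL round trip.
cache cache_dhcp_deny {
    driver = "rlm_cache_rbtree"
    key = "%{DHCP-Client-Hardware-Address}"

    # Default entry lifetime in seconds; overridden per request below with
    # &control:Cache-TTL.  Keep it short: a MAC provisioned into SQL after a
    # miss stays refused until its entry expires.
    ttl = 3600

    # 0 means unlimited.  Bound it so a flood of spoofed MACs cannot grow the
    # table without limit; size it above your expected number of unknown clients.
    max_entries = 100000

    # Attributes stored with the entry.  On a normal (non status-only) hit they
    # are merged back, so the entry itself carries the "do not respond" reply.
    update {
        &reply:DHCP-Message-Type := DHCP-Do-Not-Respond
    }
}

# --- sites-available/dhcp, DHCP-Discover section (layout assumed) ---
dhcp DHCP-Discover {
    #
    # 1. Ask the cache whether this MAC was already refused.  Status-only
    #    means look but do not merge and do not insert: the module returns
    #    ok on a hit and notfound on a miss, and never creates an entry.
    #
    update control {
        &Cache-Status-Only := yes
    }
    cache_dhcp_deny
    if (ok) {
        update reply {
            &DHCP-Message-Type := DHCP-Do-Not-Respond
        }
        # Stop here: no SQL query for a MAC we refused within the last hour.
        reject
    }

    #
    # 2. Only now pay for the database round trip.
    #
    sql

    #
    # 3. Unknown MAC: record it in the negative cache and refuse to answer.
    #    Clear the status-only flag first so this call is allowed to insert.
    #
    if (notfound) {
        update control {
            &Cache-Status-Only := no
            &Cache-TTL := 3600
        }
        cache_dhcp_deny
        update reply {
            &DHCP-Message-Type := DHCP-Do-Not-Respond
        }
        reject
    }

    #
    # 4. Known MAC: build the offer from the SQL result as usual.
    #
    update reply {
        &DHCP-Message-Type := DHCP-Offer
    }
}
```

Two things worth keeping in mind when running this. The cache only removes the SQL cost of a *repeating* unknown MAC; each *new* MAC still costs one query and one cache entry, so `max_entries` is the real bound on a spoofed-MAC flood, and the SQL query rate is still worth graphing. And because a refused MAC is served from memory until the entry expires, a client added to the database a minute after its first Discover will keep being ignored for the rest of the TTL; pick a TTL you can live with for that case.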





