On January 15, 2007 4:24:52 PM +0200 Valts Mazurs <valts@bsdradius.org> wrote:
What I mean is that I would like to process all authorization requests before accounting requests. That means if there are any auth requests in queue, working thread takes the youngest auth request. The logic is that it is more reasonable to give answer to the youngest auth request and deliver the answer in time. Older auth requests might be already unworthy and there is no point of processing them.
That's a pretty bad method. Under a dos attack, where dos traffic is substantially greater than good traffic, real auths will tend to get dropped in favor of processing attack auths. It's better to process them in order, short-circuiting the hard work by testing the age of the request before going on to do any work, including sending a response at all. You could even set up a new queue every second and simply drop all requests older than 3s without even looking at the timestamps on them. (Although you'd probably want to use 12s as the cutoff, to allow for retransmission. That way the age of the packet is established from the first transmission.) FreeRADIUS essentially does this. -frank