Need help

Frank Cusack fcusack at fcusack.com
Mon Jan 15 18:33:29 CET 2007


On January 15, 2007 4:24:52 PM +0200 Valts Mazurs <valts at bsdradius.org> 
wrote:
> What I mean is that I would like to process all authorization requests
> before accounting requests. That means if there are any auth requests
> in queue, working thread takes the youngest auth request. The logic is
> that it is more reasonable to give answer to the youngest auth request
> and deliver the answer in time. Older auth requests might be already
> unworthy and there is no point of processing them.

That's a pretty bad method.  Under a DoS attack, where DoS traffic
is substantially greater than good traffic, real auths will tend
to get dropped in favor of processing attack auths.  It's better
to process them in order, short-circuiting the hard work by testing the
age of the request before going on to do any work, including sending
a response at all.  You could even set up a new queue every second
and simply drop all requests older than 3s without even looking at
the timestamps on them.  (Although you'd probably want to use 12s
as the cutoff, to allow for retransmission.  That way the age of
the packet is established from the first transmission.)

FreeRADIUS essentially does this.

-frank
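
The per-second queue scheme described in the reply above, as an added sketch in C (not part of the original message and not FreeRADIUS code). The names aq_push, aq_expire and aq_pop, the integer request ids and BUCKET_CAP are assumptions made for illustration; matching retransmissions to their first transmission is not modelled.

```c
#include <string.h>

#define CUTOFF_SECS 12               /* cutoff from the post (allows for retransmission) */
#define NBUCKETS   (CUTOFF_SECS + 1) /* one slot per second that can still be live */
#define BUCKET_CAP 256               /* assumed per-second capacity */

struct bucket { long sec; int head, count; int ids[BUCKET_CAP]; };
struct agequeue { struct bucket b[NBUCKETS]; };

void aq_init(struct agequeue *q) {
    memset(q, 0, sizeof *q);
    for (int i = 0; i < NBUCKETS; i++) q->b[i].sec = -1;   /* -1 marks an empty slot */
}

/* Queue request `id` received at second `now` (>= 0). Returns -1 if that second is full. */
int aq_push(struct agequeue *q, long now, int id) {
    struct bucket *b = &q->b[now % NBUCKETS];
    if (b->sec != now) {             /* slot still holds an expired second: discard it */
        b->sec = now;
        b->head = b->count = 0;
    }
    if (b->count == BUCKET_CAP) return -1;
    b->ids[b->count++] = id;
    return 0;
}

/* Drop every bucket older than the cutoff without inspecting its requests. */
int aq_expire(struct agequeue *q, long now) {
    int dropped = 0;
    for (int i = 0; i < NBUCKETS; i++) {
        struct bucket *b = &q->b[i];
        if (b->sec < 0 || now - b->sec <= CUTOFF_SECS) continue;
        dropped += b->count - b->head;   /* requests never worked on or answered */
        b->sec = -1;
        b->head = b->count = 0;
    }
    return dropped;
}

/* Return the oldest request still inside the cutoff (arrival order), or -1 if none. */
int aq_pop(struct agequeue *q, long now) {
    long s = now > CUTOFF_SECS ? now - CUTOFF_SECS : 0;
    for (; s <= now; s++) {
        struct bucket *b = &q->b[s % NBUCKETS];
        if (b->sec == s && b->head < b->count) return b->ids[b->head++];
    }
    return -1;
}
```

Because a request's age is implied by the bucket it sits in, a flood costs one bucket reset per second to discard rather than one timestamp check per packet, and requests inside the cutoff are still served oldest first.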



More information about the Freeradius-Devel mailing list