Need help

Valts Mazurs valts at
Tue Jan 16 15:35:52 CET 2007

On Mon, 15 Jan 2007 09:33:29 -0800
Frank Cusack <fcusack at> wrote:

> On January 15, 2007 4:24:52 PM +0200 Valts Mazurs <valts at> 
> wrote:
> > What I mean is that I would like to process all authorization requests
> > before accounting requests. That means if there are any auth requests
> > in queue, the working thread takes the youngest auth request. The logic is
> > that it is more reasonable to give an answer to the youngest auth request
> > and deliver the answer in time. Older auth requests might be already
> > unworthy and there is no point in processing them.
> That's a pretty bad method.  Under a DoS attack, where DoS traffic
> is substantially greater than good traffic, real auths will tend
> to get dropped in favor of processing attack auths.  It's better
> to process them in order, short-circuiting the hard work by testing the
> age of the request before going on to do any work, including sending
> a response at all.  You could even set up a new queue every second
> and simply drop all requests older than 3s without even looking at
> the timestamps on them.  (Although you'd probably want to use 12s
> as the cutoff, to allow for retransmission.  That way the age of
> the packet is established from the first transmission.)

In my implementation requests from unauthorized clients (as in
FreeRADIUS - whose IP address is not found in clients.conf) are not put
into the queue at all. I decided to ignore them completely. It seems
safer for DoS attackers. But anyway... if there are 1'000'000 zombied
Windows PCs attacking the site, nothing can be done in the RADIUS server
software to prevent it.


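The in-order, age-bucketed queue described in the quoted reply, as an added example that is not part of the original message and not FreeRADIUS code: one bucket per second, served oldest first, with any bucket past the 12s cutoff discarded whole. The `agedq_*` names, `BUCKET_CAP` and the integer request ids are assumptions for illustration; matching retransmissions to their first transmission is not shown.

```c
#include <stdio.h>
#include <string.h>

#define CUTOFF_S   12               /* cutoff suggested in the quoted reply */
#define NBUCKETS   (CUTOFF_S + 1)   /* one bucket per second inside the window */
#define BUCKET_CAP 64               /* assumed per-second capacity */
struct bucket { long sec; int n, head; int ids[BUCKET_CAP]; };
struct agedq  { struct bucket b[NBUCKETS]; unsigned long dropped; };

void agedq_init(struct agedq *q) {
    memset(q, 0, sizeof *q);
    for (int i = 0; i < NBUCKETS; i++) q->b[i].sec = -1;   /* -1 = never used */
}

/* Point a ring slot at second `sec`, discarding whatever older second it held. */
static void recycle(struct agedq *q, struct bucket *b, long sec) {
    if (b->sec >= 0) q->dropped += (unsigned long)(b->n - b->head);
    b->sec = sec; b->n = b->head = 0;
}

/* Queue request `id` received at second `now` (>= 0); -1 if the bucket is full. */
int agedq_push(struct agedq *q, long now, int id) {
    struct bucket *b = &q->b[now % NBUCKETS];
    if (b->sec != now) recycle(q, b, now);
    if (b->n == BUCKET_CAP) { q->dropped++; return -1; }
    b->ids[b->n++] = id;
    return 0;
}

/* Oldest request no older than CUTOFF_S, in arrival order; -1 if none.
 * Expired buckets are discarded whole, without reading per-request timestamps. */
int agedq_pop(struct agedq *q, long now) {
    for (long s = now - CUTOFF_S; s <= now; s++) {
        if (s < 0) continue;
        struct bucket *b = &q->b[s % NBUCKETS];
        if (b->sec != s) { recycle(q, b, s); continue; }   /* slot held an expired second */
        if (b->head < b->n) return b->ids[b->head++];
    }
    return -1;
}

int main(void) {
    struct agedq q;
    agedq_init(&q);
    agedq_push(&q, 1000, 1);                 /* constructed arrivals */
    agedq_push(&q, 1005, 2);
    printf("t=1013 serves id %d\n", agedq_pop(&q, 1013));
    return 0;
}
```

Expired buckets are reclaimed lazily, when a push or pop next touches their slot, so `dropped` lags until then.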