Pre-release of Version 2.1.8
Alan DeKok
aland at deployingradius.com
Wed Dec 9 07:50:05 CET 2009
Josip Rodin wrote:
> Which reminds me - the other day I had a situation where a NAS was rebooted
> and ~300 users immediately tried to reconnect and authenticated over a
> FreeRADIUS 2.0.4 server, which in turn tried to authenticate them over its
> two home_servers set up as fail-over, but neither of them with status_check.
>
> Sadly, this started failing horribly - it seemed to overload the primary
> home_server, entering a peculiar pattern - condensed for readability and
> some private info obfuscation:
Then the home servers are *extremely* slow. Sending 300 packets over
the course of a second or two wouldn't overload a 486.
> 1 Proxy: No outstanding request was found for proxy reply from home server home_server_ip_5 port 1812 - ID 87
Look at the messages *before* that one. The proxy:
a) proxies packet 1
b) gives up on it after a time
c) proxies a new packet 2
d) receives a reply for packet 1
e) logs this message as "Huh?"
> So I tried the poor man's solution - I shuffled them manually, restarted
> FreeRADIUS, and then it started authenticating them, before it seemingly
> DoSed that one and entered a very similar pattern of brokenness.
300 packets is a DoS for a RADIUS server? Wow... that's a *bad* server.
> Can any conclusions be drawn from this? I send over the detailed logs if
> necessary.
The home servers are pathetic.
Also, the proxy && fail-over algorithms in 2.1.x are much better than
2.0.4.
Alan DeKok.
More information about the Freeradius-Users
mailing list