Proxying creates 200 Attributes resulting in DoS warning
Alan DeKok
aland at deployingradius.com
Wed Jul 28 17:04:09 CEST 2010
Marius Pesé wrote:
> After spending some more time on our FreeRadius2 project it managed once again to leave me clueless. The error message:
>
> WARNING: Possible DoS attack from host 196.25.xxx.xx: Too many attributes in request (received 201, max 200 are allowed).

See the "security" section of radiusd.conf.

> Googling showed that it most likely is the result of a mis-configuration in proxy.conf.

You are very likely proxying packets FROM the server TO itself, in an
infinite loop. Stop that.

> This is our proxy.conf without comments:

Have you tried running the server in debugging mode? Do you see it
proxying packets to itself in an endless loop? Does the debug log show
WHY the packets were proxied?

If the packets really do have more than 200 real attributes, edit
radiusd.conf to allow this.

If the packets have dozens of "Proxy-State" attributes, you've
misconfigured the server and broken it.

Configure to proxy packets to *other* RADIUS servers, not to itself.

Alan DeKok.
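
The distinction drawn in the reply above, between a request with more than 200 real attributes and one stuffed with Proxy-State by a proxy loop, as an added example that is not part of the original message or of FreeRADIUS. It parses the RFC 2865 attribute list of a raw packet; the `loop_hint` threshold of 24, the helper names and both sample packets are assumptions constructed for illustration.

```python
import struct

PROXY_STATE = 33  # Proxy-State attribute type (RFC 2865)

def parse_attributes(packet: bytes):
    """Return [(type, value), ...] from a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def diagnose(packet: bytes, max_attributes: int = 200, loop_hint: int = 24):
    """Classify a request; loop_hint ("dozens") is an assumed threshold."""
    attrs = parse_attributes(packet)
    proxy_states = sum(1 for atype, _ in attrs if atype == PROXY_STATE)
    if proxy_states >= loop_hint:
        verdict = "proxy-loop"   # fix the proxy config, do not raise the limit
    elif len(attrs) > max_attributes:
        verdict = "over-limit"   # genuinely large request
    else:
        verdict = "ok"
    return {"total": len(attrs), "proxy_state": proxy_states, "verdict": verdict}

def build_packet(attrs):
    """Build a constructed Access-Request (code 1) for the demo."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 0, 20 + len(body)) + bytes(16) + body

# Constructed samples: User-Name (type 1) plus 200 more attributes = 201.
LOOPED = build_packet([(1, b"bob")] + [(PROXY_STATE, struct.pack("!I", i)) for i in range(200)])
LARGE = build_packet([(1, b"bob")] + [(25, struct.pack("!I", i)) for i in range(200)])

if __name__ == "__main__":
    print(diagnose(LOOPED))
    print(diagnose(LARGE))
```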