Proxying creates 200 Attributes resulting in DoS warning

Marius Pesé Marius at mindspring.co.za
Thu Jul 29 16:48:04 CEST 2010


Hi Alan,

Managed to get that one right, but now it's stripping off the realm despite me having set nostrip, and the second server then complains about not knowing the user. Where else can a realm get stripped except for proxy.conf and sites-enabled/default?

-----Original Message-----
From: freeradius-users-bounces+marius=mindspring.co.za at lists.freeradius.org [mailto:freeradius-users-bounces+marius=mindspring.co.za at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, July 28, 2010 5:04 PM
To: FreeRadius users mailing list
Subject: Re: Proxying creates 200 Attributes resulting in DoS warning

Marius Pesé wrote:
> After spending some more time on our FreeRadius2 project it managed once again to leave me clueless. The error message:
> 
> WARNING: Possible DoS attack from host 196.25.xxx.xx: Too many attributes in request (received 201, max 200 are allowed).

  See the "security" section of radiusd.conf.

> Googling showed that it most likely is the result of a mis-configuration in proxy.conf.

  You are very likely proxying packets FROM the server TO itself, in an
infinite loop.  Stop that.

> This is our proxy.conf without comments:

  Have you tried running the server in debugging mode?  Do you see it
proxying packets to itself in an endless loop?  Does the debug log show
WHY the packets were proxied?

  If the packets really do have more than 200 real attributes, edit
radiusd.conf to allow this.

  If the packets have dozens of "Proxy-State" attributes, you've
misconfigured the server and broken it.

  Configure to proxy packets to *other* RADIUS servers, not to itself.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
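The mechanism Alan describes, as an added illustration that is not part of the thread and not FreeRADIUS code: each proxy hop appends one Proxy-State attribute (RFC 2865, attribute 33) to the request, so a server whose home server is itself keeps forwarding the same packet and the attribute count climbs one per hop until the limit in the security section of radiusd.conf (`max_attributes`, default 200) is exceeded and the "Possible DoS attack" warning is logged. The `Server`, `Packet`, `simulate` and `find_self_proxying` names and the sample addresses are constructed for this example.

```python
"""Constructed model of a RADIUS proxy loop and of the attribute-count check
that produces the warning quoted in the thread. Not FreeRADIUS code."""

from dataclasses import dataclass, field

# Default of max_attributes in the security { } section of radiusd.conf.
MAX_ATTRIBUTES = 200


@dataclass
class Packet:
    # Attributes as (name, value) pairs; Proxy-State is appended per hop.
    attributes: list = field(default_factory=list)

    def proxy_state_count(self) -> int:
        return sum(1 for name, _ in self.attributes if name == "Proxy-State")


@dataclass
class Server:
    address: str       # address this server listens on (constructed)
    home_server: str   # address proxy.conf sends requests to (constructed)


def is_self_proxy(server: Server) -> bool:
    """True when the home server is the listener itself: the loop Alan warns about."""
    return server.home_server == server.address


def find_self_proxying(listen_address: str, home_servers: dict) -> list:
    """Return names of home servers that point back at the local listener.

    Run this over the parsed home_server blocks before a config is deployed."""
    return [name for name, addr in home_servers.items() if addr == listen_address]


def check_request(packet: Packet):
    """Return the DoS warning text when the request has too many attributes, else None."""
    n = len(packet.attributes)
    if n > MAX_ATTRIBUTES:
        return (f"Possible DoS attack: Too many attributes in request "
                f"(received {n}, max {MAX_ATTRIBUTES} are allowed).")
    return None


def proxy_hop(packet: Packet, via: str) -> Packet:
    """A proxy adds a Proxy-State attribute so the reply can be routed back."""
    packet.attributes.append(("Proxy-State", via))
    return packet


def simulate(server: Server, initial_attrs, max_hops: int = 1000):
    """Forward a request through `server` until it is handed to a real home
    server, the attribute limit trips, or max_hops is reached.

    Returns (hops_taken, warning_or_None)."""
    pkt = Packet(list(initial_attrs))
    hops = 0
    while hops < max_hops:
        warning = check_request(pkt)
        if warning is not None:
            return hops, warning
        if not is_self_proxy(server):
            return hops, None        # handed off to another RADIUS server
        proxy_hop(pkt, server.address)
        hops += 1
    return hops, None


# Constructed request: a typical Access-Request carries a handful of attributes.
SAMPLE_REQUEST = [
    ("User-Name", "bob@example.com"),
    ("User-Password", "<redacted>"),
    ("NAS-IP-Address", "192.0.2.10"),
    ("NAS-Port", "0"),
    ("Service-Type", "Framed-User"),
    ("Calling-Station-Id", "00-11-22-33-44-55"),
]

if __name__ == "__main__":
    looped = Server(address="192.0.2.1", home_server="192.0.2.1")
    hops, warning = simulate(looped, SAMPLE_REQUEST)
    print(f"self-proxying server: {hops} hops, {warning}")

    correct = Server(address="192.0.2.1", home_server="198.51.100.5")
    print("correct server:", simulate(correct, SAMPLE_REQUEST))
    print("misconfigured home servers:",
          find_self_proxying("192.0.2.1", {"loop": "192.0.2.1", "remote": "198.51.100.5"}))
```

Running the looped case with the six-attribute sample request reaches 201 attributes after 195 self-hops, which is exactly the "received 201, max 200" figure in the warning; the debug output Alan suggests checking would show the same request being proxied back to the local listener on every one of those hops, which the `find_self_proxying` check catches from the configuration alone.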



