Upstream NAS flooding my radius

Nathan M locu.lists at gmail.com
Thu Dec 15 19:02:13 CET 2011


I appreciate the replies and suggestions to upgrade the SQL
infrastructure.  What I'm attempting to do is to basically limit a
friendly DOS attack.  I think throttling the offender is a better
approach than adding more hardware in this case.  Maybe inside
freeradius isn't the answer, and maybe a firewall rule would be better
suited for the task.  Although this seems like it would be a common
issue, especially with lots of new wireless ISPs which have their
radios rebooted (thereby causing re-auth of all connected customers
upon reboot) far more frequently than traditional wireline ISPs.

@Fajar - the intent in having them dropped is exactly that.  I don't
want the end-user trying to authenticate to fail authentication, I do
want the NAS to retry.  I just want to control how quickly it can
retry from my end.

If anyone else has experience solving the source of the problem,
ideally at the proxy process level, I'm definitely open to suggestions
and experience.

Thanks,

- N

On Thu, Dec 15, 2011 at 12:58 AM, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> Hi,
>
>> Error: rlm_sql (sql): There are no DB handles to use!
>
> improve your SQL performance - e.g. use InnoDB instead of MyISAM, or PostgreSQL
> instead of MySQL
>
> increase number of PERL and SQL instances
>
> use another 'non-inline' method to handle the accounting - so it's buffered
> and put into DB when daemon is free - e.g. use the 'buffered_sql' virtual server
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



