Freeradius 3 DHCP server with SQL and 'anti-DoS' protection, how?
Alan DeKok
aland at deployingradius.com
Tue Jun 25 17:58:59 CEST 2019
On Jun 25, 2019, at 11:11 AM, Kamil de Bardon <kamil at forweb.pl> wrote:
>
> Hello, I configured FreeRADIUS to be a unicast DHCP server for working with a Cisco ASR.
That's good.
> This is working, but my concern is: if a client's MAC address is not in the database, the DHCP client will send DHCP-Discover all the time, and one discover = one SQL query.
>
> Is there any way to prevent that? Some cache or so?
See the cache module:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/cache
It's not trivial to set up, but it works. Basically:
* set a cache back-end (rbtree is usually good enough)
* configure the "update" section in mods-available/cache to cache the MAC address
* enable the module in mods-enabled
In DHCP discover, when you're rejecting bad users, do:
    # cache bad users
    update control {
        Cache-TTL = 3600 # cache for one hour
    }
    cache
    update reply {
        &DHCP-Message-Type = DHCP-Do-Not-Respond
    }
    reject
    # bad users
Then *before* the SQL lookup, do:
    # check the cache
    update control {
        Cache-Status-Only := yes
    }
    cache
    if (ok) {
        update reply {
            &DHCP-Message-Type = DHCP-Do-Not-Respond
        }
        reject
    }
    # check the cache before SQL
That *should* work. I haven't tested it, but the basic idea is there.
Alan DeKok.
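The three steps above (cache back-end, cache `update` section, and the two call sites in the DHCP-Discover section) put together as one worked configuration. This is an added example, not Alan's configuration and not part of the stock FreeRADIUS raddb. It assumes FreeRADIUS 3.0.x with the `rlm_cache_rbtree` driver, that the client MAC is available as `&DHCP-Client-Hardware-Address`, and that `sql` is a module instance whose authorize query yields `notfound` for a MAC that is not in the database (the `sql` configuration itself is not shown). Because `Cache-Status-Only` is set in the control list for the first cache call, the example explicitly removes it before the second call so that the second call actually creates the entry.

```unlang
# mods-available/cache  (symlink into mods-enabled/ to activate)
cache {
    # rbtree keeps entries in process memory: no external dependency,
    # but everything is lost on restart.
    driver = "rlm_cache_rbtree"

    # One entry per client MAC, i.e. per source of repeated DISCOVERs.
    # Assumption: the MAC is presented as DHCP-Client-Hardware-Address.
    key = "%{DHCP-Client-Hardware-Address}"

    # Default lifetime; the call site below overrides it with Cache-TTL.
    ttl = 3600

    # Cap on stored entries (0 = unlimited). Spoofed MACs each cost one
    # SQL query and one entry, so bound the memory an attacker can fill.
    max_entries = 100000

    # Attributes stored on a miss and merged back into the request on a
    # normal (non status-only) hit.
    update {
        &reply:DHCP-Message-Type := &reply:DHCP-Message-Type
    }
}

# sites-available/dhcp, inside the DHCP virtual server
dhcp DHCP-Discover {
    # 1. Negative-cache check BEFORE any SQL is touched.
    #    Cache-Status-Only only tests for an entry: "ok" if this MAC was
    #    already rejected, "notfound" otherwise. Nothing is created here.
    update control {
        &Cache-Status-Only := yes
    }
    cache
    if (ok) {
        update reply {
            &DHCP-Message-Type = DHCP-Do-Not-Respond
        }
        reject
    }

    # Clear the status-only flag so the later cache call may create an
    # entry. Harmless if the module has already removed the attribute.
    update control {
        &Cache-Status-Only !* ANY
    }

    # 2. Real lookup: one SQL query per MAC not seen within the TTL.
    #    Assumption: unknown MAC -> sql returns notfound.
    sql
    if (notfound) {
        # 3. Unknown MAC: record the rejection so the next DISCOVER from
        #    the same MAC is answered from memory. The reply attribute is
        #    set first so the cache update section has a value to store.
        update reply {
            &DHCP-Message-Type = DHCP-Do-Not-Respond
        }
        update control {
            &Cache-TTL := 3600  # one hour; shorter limits growth under MAC spoofing
        }
        cache
        reject
    }

    # Known client: lease attributes are expected to come from the SQL
    # reply items; answer with an OFFER.
    update reply {
        &DHCP-Message-Type = DHCP-Offer
    }
    ok
}
```

Verify the flow with `radiusd -X` and a test DISCOVER from a MAC not in the database: the first request should show the `sql` query followed by a cache insert, and the second request from the same MAC should hit the cache and reject without any SQL debug output. Keep the TTL modest: the cache only reduces the cost per unknown MAC from one query per DISCOVER to one query per TTL window, and a client that rotates MACs still pays the full SQL cost for each new one, which is what `max_entries` is there to bound.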
More information about the Freeradius-Users mailing list