[12826] in North American Network Operators' Group
Re: Denial of service attacks apparently from UUNET Netblocks
daemon@ATHENA.MIT.EDU (Jay R. Ashworth)
Wed Oct 8 23:23:10 1997
Date: Wed, 8 Oct 1997 23:08:50 -0400
From: "Jay R. Ashworth" <jra@scfn.thpl.lib.fl.us>
To: "John A. Tamplin" <jat@traveller.com>
Cc: "Matthew V. J. Whalen" <mwhalen@uucom.com>, nanog@merit.edu
In-Reply-To: <Pine.A32.3.91.971008204156.27882N-100000@cyclone.traveller.com>; from "John A. Tamplin" <jat@traveller.com> on Wed, Oct 08, 1997 at 08:44:00PM -0500
On Wed, Oct 08, 1997 at 08:44:00PM -0500, John A. Tamplin wrote:
> On Wed, 8 Oct 1997, Matthew V. J. Whalen wrote:
> > I think I heard "John A. Tamplin" say:
> > >Why not just have the Radius server generate the filter itself based on the
> > >assigned IP address?
> >
> > Aside from having to reconfigure the router every time somebody logs on
> > or off? Other than having to have the Radius server run a script which
> > logs into the router and enables (assuming that you are using a Cisco)?
> > Ignoring the problems that Ciscos can have with changing access-lists
> > (especially under high load)? (the list could continue) Other than all
> > those reasons, it would work just fine. :)
> >
> > (okay - maybe I'm Cisco bashing and flaming, but I've seen far too many
> > service interruptions caused by changing access-lists to ignore the issue)
>
> Well, the original topic was about Ascend, and that is what we run here. As
> part of the Radius response to the NAS, you can include arbitrary filters to
> apply to that specific connection. Now, you do pay for that in terms of
> performance, but the Radius server can supply a specific filter for every
> connection. Of course, none of the stock Radius servers support that but I
> am sure everyone has local hacks anyway. For example, all of our
> authentication information (and usage logs) are maintained in an Informix
> database.

To belabor the obvious, remember that not all dialups are hosts; what
you need to set as the filter on the source addresses is a _netmask_.

Cheers,
-- jra
--
Jay R. Ashworth jra@baylink.com
Member of the Technical Staff Unsolicited Commercial Emailers Sued
The Suncoast Freenet "People propose, science studies, technology
Tampa Bay, Florida conforms." -- Dr. Don Norman +1 813 790 7592
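
Added example, not part of the original message and not any RADIUS server's or NAS vendor's own code: a sketch of how a RADIUS-side hook could derive the per-session source-address filter from the assigned address and netmask, so that a routed dial-up LAN is permitted as a prefix rather than as a single host. The function names and the rule tuples are hypothetical; the addresses are constructed from documentation ranges, and the inputs are assumed to correspond to the Framed-IP-Address and Framed-IP-Netmask attributes.

```python
import ipaddress

def permitted_source(framed_ip, framed_netmask=None):
    """Source prefix a session may legitimately send from.

    No netmask means a single dial-up host (/32); a netmask means a
    routed LAN sits behind the dial-up link.
    """
    mask = framed_netmask or "255.255.255.255"
    # strict=False: the assigned address may be a host inside the subnet,
    # not the network address itself. Non-contiguous masks raise ValueError.
    net = ipaddress.ip_network(f"{framed_ip}/{mask}", strict=False)
    if net.prefixlen == 0:
        # A 0.0.0.0 mask would permit every source and defeat the filter.
        raise ValueError("netmask 0.0.0.0 would permit any source address")
    return net

def session_filter(framed_ip, framed_netmask=None):
    """Ordered rule list (hypothetical format): permit the session's own
    prefix inbound from the dial-up port, then drop everything else."""
    net = permitted_source(framed_ip, framed_netmask)
    return [("permit", "in", net),
            ("deny", "in", ipaddress.ip_network("0.0.0.0/0"))]

def evaluate(rules, src):
    """First-match evaluation of a packet's source address."""
    addr = ipaddress.ip_address(src)
    for action, _direction, net in rules:
        if addr in net:
            return action
    return "deny"

if __name__ == "__main__":
    # Constructed sessions: one host dial-up, one dial-up router with a /29.
    host_only = session_filter("192.0.2.10")
    routed = session_filter("192.0.2.65", "255.255.255.248")
    for label, rules, src in [
        ("host, own address", host_only, "192.0.2.10"),
        ("host, spoofed source", host_only, "203.0.113.5"),
        ("routed LAN, inside /29", routed, "192.0.2.70"),
        ("routed LAN, spoofed source", routed, "203.0.113.5"),
        # What happens if the netmask is ignored for the routed customer:
        ("routed LAN filtered as /32", session_filter("192.0.2.65"), "192.0.2.70"),
    ]:
        print(f"{label:30} {src:15} -> {evaluate(rules, src)}")
```
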