Re: Denial of service attacks apparently from UUNET Netblocks

["Jay R. Ashworth" <jra () scfn thpl lib fl us>]

On Wed, Oct 08, 1997 at 08:44:00PM -0500, John A. Tamplin wrote:
> On Wed, 8 Oct 1997, Matthew V. J. Whalen wrote:
> > I think I heard "John A. Tamplin" say:
> > > Why not just have the Radius server generate the filter itself based on the
> > > assigned IP address?
> >
> > Aside from having to reconfigure the router everytime somebody logs on
> > or off? Other than having to have the Radius server run a script which
> > logs into the router and enables (assuming that you are using a Cisco)?
> > Ignoring the problems that Cisco's can have with changing access-lists
> > (especially under high load)? (the list could continue)  Other than all
> > those reasons, it would work just fine. :)
> >
> > (okay - maybe I'm Cisco bashing and flaming, but I've seen far too many
> > service interruptions caused by changing access-lists to ignore the issue)
>
> Well, the original topic was about Ascend, and that is what we run here.  As
> part of the Radius response to the NAS, you can include arbitrary filters to
> apply to that specific connection.  Now, you do pay for that in terms of
> performance, but the Radius server can supply a specific filter for every
> connection.  Of course, none of the stock Radius servers support that but I
> am sure everyone has local hacks anyway.  For example, all of our 
> authentication information (and usage logs) are maintained in an Informix
> database.

To belabor the obvious, remember that not all dialups are hosts; what
you need to set as the filter on the source addresses is a _netmask_.

Cheers,
-- jra
-- 
Jay R. Ashworth                                                jra () baylink com
Member of the Technical Staff             Unsolicited Commercial Emailers Sued
The Suncoast Freenet      "People propose, science studies, technology
Tampa Bay, Florida          conforms."  -- Dr. Don Norman      +1 813 790 7592