North American Network Operators Group

Re: Denial of service attacks apparently from UUNET Netblocks
On Wed, Oct 08, 1997 at 08:44:00PM -0500, John A. Tamplin wrote:
> On Wed, 8 Oct 1997, Matthew V. J. Whalen wrote:
> > I think I heard "John A. Tamplin" say:
> > >Why not just have the Radius server generate the filter itself based on the
> > >assigned IP address?
> >
> > Aside from having to reconfigure the router every time somebody logs on
> > or off? Other than having to have the Radius server run a script which
> > logs into the router and enables (assuming that you are using a Cisco)?
> > Ignoring the problems that Cisco's can have with changing access-lists
> > (especially under high load)? (the list could continue) Other than all
> > those reasons, it would work just fine. :)
> >
> > (okay - maybe I'm Cisco bashing and flaming, but I've seen far too many
> > service interruptions caused by changing access-lists to ignore the issue)
>
> Well, the original topic was about Ascend, and that is what we run here. As
> part of the Radius response to the NAS, you can include arbitrary filters to
> apply to that specific connection. Now, you do pay for that in terms of
> performance, but the Radius server can supply a specific filter for every
> connection. Of course, none of the stock Radius servers support that but I
> am sure everyone has local hacks anyway. For example, all of our
> authentication information (and usage logs) are maintained in an Informix
> database.

To belabor the obvious, remember that not all dialups are hosts; what
you need to set as the filter on the source addresses is a _netmask_.

Cheers,
-- jra
--
Jay R. Ashworth                                   [email protected]
Member of the Technical Staff     Unsolicited Commercial Emailers Sued
The Suncoast Freenet      "People propose, science studies, technology
Tampa Bay, Florida          conforms."  -- Dr. Don Norman
+1 813 790 7592
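An added illustration of the netmask point made in this message, not code from any poster or from a RADIUS server: it derives the permitted source network for a dial-up session from the standard RADIUS Framed-IP-Address and Framed-IP-Netmask attributes and shows what a host-only filter would wrongly drop. The session values and function names are constructed for the example, and no vendor filter syntax is implied.

```python
import ipaddress

HOST_MASK = "255.255.255.255"

def session_source_filter(framed_ip, framed_netmask=HOST_MASK):
    """Network that packets arriving on this dial-up port may use as a source.

    strict=False masks off the host bits, so an address inside a routed
    subnet yields the subnet itself rather than raising an error.
    """
    return ipaddress.ip_network(f"{framed_ip}/{framed_netmask}", strict=False)

def permit(source_filter, src):
    """True if the packet's source address falls inside the session's filter."""
    return ipaddress.ip_address(src) in source_filter

def audit(session, sources):
    """Compare a host-only filter with a netmask-aware one for each source."""
    host_only = session_source_filter(session["Framed-IP-Address"])
    masked = session_source_filter(
        session["Framed-IP-Address"],
        session.get("Framed-IP-Netmask", HOST_MASK),
    )
    return [(s, permit(host_only, s), permit(masked, s)) for s in sources]

# Constructed session: a dial-up router with a /29 LAN behind it.
LAN_SESSION = {
    "Framed-IP-Address": "198.51.100.9",
    "Framed-IP-Netmask": "255.255.255.248",
}
# Constructed packet sources: the router, a LAN host, and a forged address.
SOURCES = ["198.51.100.9", "198.51.100.12", "203.0.113.77"]

if __name__ == "__main__":
    for src, host_ok, mask_ok in audit(LAN_SESSION, SOURCES):
        print(f"{src:15} host-only={host_ok!s:5} netmask={mask_ok}")
```

The LAN host is rejected by the host-only filter but accepted by the netmask filter, while the forged source is rejected by both.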