On Fri, Dec 16, 2011 at 5:18 AM, Alan DeKok <al...@deployingradius.com> wrote:
> People generally upgrade their systems to deal with peak loads.

Thanks for the input. As previously mentioned, it's not what I would really consider a peak load issue, but more of a DOS from a mis-configured or poorly managed NAS, which is entirely outside of our control; however, we have to accept packets from it and have no ability to resolve whatever their problem may be.
Rather than updating the systems to accommodate 6000 packets/second from this one NAS when it sends a spew of authentication requests, I'll share the solution I'm trying out in case anyone else winds up in a similar predicament. In all tests thus far, this shaves off the wild peak load and distributes it over a short period of time, as the NAS I'm working with will retry frequently if the first attempt is dropped.

iptables has a "recent" module which seems to fit the bill, as it also tracks source IP. The limit module was also pretty close; however, it limits all packets to a port, ignoring the source IP.

The rules below, using the recent module (on RHEL/CentOS systems they go into /etc/sysconfig/iptables), limit inbound auth packet rates to no more than 60/second, and acct packets to 120/second, from any given source IP (i.e. if there are 2 separate sources of packets it would allow 60/s auth requests from each). These same rules would protect against other DOS-based attacks on these ports as well, I believe.

# Requires the recent module (xt_recent; ipt_recent on older kernels) to be loaded with
# ip_pkt_list_tot >= 120 (the default is 20): the module refuses a --hitcount larger than
# the number of packets it remembers per source.
# Auth (1645): once a source already has 60 recorded hits within the last second,
# log and then drop its next NEW packet (dropped packets are not recorded as hits)
-A INPUT -p udp -m udp --dport 1645 -m state --state NEW -m recent --rcheck --seconds 1 --hitcount 60 --name RADAUTH --rsource -j LOG
-A INPUT -p udp -m udp --dport 1645 -m state --state NEW -m recent --rcheck --seconds 1 --hitcount 60 --name RADAUTH --rsource -j DROP
# Otherwise record the packet against its source address, then accept it
-A INPUT -p udp -m udp --dport 1645 -m state --state NEW -m recent --set --name RADAUTH --rsource
-A INPUT -m state --state NEW -m udp -p udp --dport 1645 -j ACCEPT
# Acct (1646): same pattern, with a 120/second ceiling and its own list
-A INPUT -p udp -m udp --dport 1646 -m state --state NEW -m recent --rcheck --seconds 1 --hitcount 120 --name RADACCT --rsource -j LOG
-A INPUT -p udp -m udp --dport 1646 -m state --state NEW -m recent --rcheck --seconds 1 --hitcount 120 --name RADACCT --rsource -j DROP
-A INPUT -p udp -m udp --dport 1646 -m state --state NEW -m recent --set --name RADACCT --rsource
-A INPUT -m state --state NEW -m udp -p udp --dport 1646 -j ACCEPT

- N

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
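The per-source throttling these rules depend on, as an added Python simulation (not part of the original post, and not the kernel's xt_recent code): a small model of one named recent list with the --set / --rcheck semantics, the LOG / DROP / --set / ACCEPT sequence from the post, and constructed traffic from a bursting NAS beside a well-behaved one. The addresses, timestamps and the threshold names are assumptions chosen for the example; the ip_pkt_list_tot check mirrors the module's refusal to load a rule whose --hitcount exceeds the hits it remembers.

```python
from collections import defaultdict, deque

# xt_recent remembers at most this many hit timestamps per source address
# (kernel module option ip_pkt_list_tot; 20 is the module's default).
DEFAULT_PKT_LIST_TOT = 20


class RecentTable:
    """Model of one named recent list (e.g. --name RADAUTH --rsource)."""

    def __init__(self, pkt_list_tot=DEFAULT_PKT_LIST_TOT):
        self.pkt_list_tot = pkt_list_tot
        self.hits = defaultdict(lambda: deque(maxlen=pkt_list_tot))

    def set(self, src, now):
        # --set: record this packet's timestamp; the per-source ring buffer
        # discards the oldest hit once it is full.
        self.hits[src].append(now)

    def rcheck(self, src, now, seconds, hitcount):
        # --rcheck --seconds S --hitcount N: true when the source already has
        # at least N recorded hits no older than S seconds. Does not record
        # the packet being checked.
        stamps = self.hits.get(src, ())
        recent = sum(1 for t in stamps if now - t <= seconds)
        return recent >= hitcount


class RecentRateLimitChain:
    """The LOG / DROP / --set / ACCEPT rule sequence from the post, for one port."""

    def __init__(self, seconds, hitcount, pkt_list_tot=DEFAULT_PKT_LIST_TOT):
        # The kernel rejects a rule whose --hitcount exceeds ip_pkt_list_tot;
        # fail loudly here rather than build a check that can never match.
        if hitcount > pkt_list_tot:
            raise ValueError(
                f"hitcount ({hitcount}) is larger than packets to be remembered ({pkt_list_tot})"
            )
        self.seconds = seconds
        self.hitcount = hitcount
        self.table = RecentTable(pkt_list_tot)
        self.log = []  # what the -j LOG rule would have emitted

    def verdict(self, src, now):
        if self.table.rcheck(src, now, self.seconds, self.hitcount):
            self.log.append(f"t={now:.3f} src={src} over {self.hitcount}/{self.seconds}s")
            return "DROP"  # never reaches --set, so a dropped packet is not a hit
        self.table.set(src, now)
        return "ACCEPT"


def run_chain(packets, seconds, hitcount, pkt_list_tot=DEFAULT_PKT_LIST_TOT):
    """Feed (timestamp, src) packets through the chain in time order.

    Returns (per-source verdict counts, LOG lines)."""
    chain = RecentRateLimitChain(seconds, hitcount, pkt_list_tot)
    counts = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for now, src in sorted(packets):
        counts[src][chain.verdict(src, now)] += 1
    return dict(counts), chain.log


# Constructed traffic (not captured from any real NAS):
#   192.0.2.10 misbehaves: 200 requests inside 0.8 s, then 10 more two seconds later
#   192.0.2.20 is well behaved: 5 requests spread over half a second
SAMPLE_PACKETS = (
    [(i * 0.004, "192.0.2.10") for i in range(200)]
    + [(2.0 + i * 0.01, "192.0.2.10") for i in range(10)]
    + [(0.1 + i * 0.1, "192.0.2.20") for i in range(5)]
)


def demo():
    # The post's auth threshold (--seconds 1 --hitcount 60) with
    # ip_pkt_list_tot raised to 120 so the rule can actually be loaded.
    return run_chain(SAMPLE_PACKETS, seconds=1, hitcount=60, pkt_list_tot=120)


if __name__ == "__main__":
    counts, log = demo()
    for src, c in sorted(counts.items()):
        print(f"{src}: accepted {c['ACCEPT']}, dropped {c['DROP']}")
    print(f"{len(log)} LOG lines; first: {log[0]}")
```

The burst source gets its first 60 packets through, the next 140 are logged and dropped, and two seconds later it is admitted again because only accepted packets are recorded as hits; the second source is untouched, which is exactly what the limit module cannot do. On a real box the chain only sees packets conntrack classifies as NEW, so after loading the rules confirm that the recent rules' counters in `iptables -L INPUT -v -n` rise with the NAS's traffic and that the source appears in `/proc/net/xt_recent/RADAUTH` (the hit list the kernel keeps for that name).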