MSBlaster and Freeradius

2004-01-07 Thread Josh Howlett
We have been experiencing problems with the MSBlaster worm and
Freeradius.

The Freeradius daemon is running on a (homebrew) NAS that also
terminates VPN sessions. If a VPN user is infected, it seems that the
MSBlaster traffic prevents FreeRADIUS from operating correctly. 

The exact mode of failure is unclear, because FreeRADIUS does not
generate any errors, but the result is that FreeRADIUS claims never to
receive any proxy RADIUS packets it has sent out (and thus it can't
authenticate users). (i.e. requests keep timing out).

My best guess is that the MSBlaster UDP from the user(s) is swamping the
kernel, resulting in RADIUS UDP packets getting lost.

Has anyone else seen this, or have any suggestions?

many thanks, josh.



-- 
---
Josh Howlett, Networking  Digital Communications,
Information Systems  Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: MSBlaster and Freeradius

2004-01-07 Thread Drew Weaver
This homebrew nas is the same box that is running your radius server?

-Drew




RE: MSBlaster and Freeradius

2004-01-07 Thread Josh Howlett
Yes, that's correct.

josh.

On Wed, 2004-01-07 at 16:41, Drew Weaver wrote:
> This homebrew nas is the same box that is running your radius server?
>
> -Drew

-- 
---
Josh Howlett, Networking  Digital Communications,
Information Systems  Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]





Re: MSBlaster and Freeradius

2004-01-07 Thread Alan DeKok
Josh Howlett [EMAIL PROTECTED] wrote:
> My best guess is that the MSBlaster UDP from the user(s) is swamping the
> kernel, resulting in RADIUS UDP packets getting lost.

  Yup.  The kernel has a limited queue for incoming packets.

> Has anyone else seen this, or have any suggestions?

  Put a firewall rule in to block the UDP port used by MSBlaster.  No
one else uses it for anything, so that block won't be too problematic.

  I'm not sure if system supports this, but you may be able to
rate-limit the port.  e.g. 10 packets/s are OK, 100 packets/s result
in them all getting dropped.

  Alan DeKok.
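
Added example, not part of the original thread: one way to check the hypothesis discussed above (UDP datagrams being dropped at the receiving host) is to compare two snapshots of the `Udp:` counters in Linux's `/proc/net/snmp`. The snapshots below are constructed, the function names and the 5% threshold are assumptions, and columns are matched by name because older kernels lack `RcvbufErrors`.

```python
# Constructed sample: the "Udp:" lines of /proc/net/snmp captured 10 seconds
# apart on a hypothetical NAS. These numbers are not data from the thread.
SNAP_T0 = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 120000 300 15 98000 15 0
"""
SNAP_T1 = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 121500 48300 9015 98400 9015 0
"""


def parse_udp(snmp_text):
    """Return {counter_name: int} from the Udp header/value line pair."""
    rows = [line.split()[1:] for line in snmp_text.splitlines()
            if line.startswith("Udp:")]          # does not match "UdpLite:"
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("expected one Udp header line and one Udp value line")
    return dict(zip(rows[0], map(int, rows[1])))


def udp_rates(before, after, seconds):
    """Per-second deltas for every counter present in both snapshots."""
    a, b = parse_udp(before), parse_udp(after)
    return {name: (b[name] - a[name]) / seconds for name in a if name in b}


def assess(rates, drop_ratio=0.05):
    """Compare datagrams discarded on receive with datagrams delivered."""
    dropped = rates.get("InErrors", 0.0)       # includes full receive buffers
    delivered = rates.get("InDatagrams", 0.0)  # handed to a listening socket
    total = dropped + delivered
    ratio = dropped / total if total else 0.0
    return {
        "dropped_per_s": dropped,
        "drop_ratio": round(ratio, 3),
        "closed_port_per_s": rates.get("NoPorts", 0.0),  # no listener on port
        "rcvbuf_per_s": rates.get("RcvbufErrors"),       # None on old kernels
        "losing_udp": ratio >= drop_ratio,
    }


if __name__ == "__main__":
    print(assess(udp_rates(SNAP_T0, SNAP_T1, 10)))
```

On a live host, pass two reads of `/proc/net/snmp` taken a known interval apart; the counters are system-wide, so a rising `InErrors` alongside RADIUS timeouts supports the lost-packet explanation but does not by itself name the affected socket.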



RE: MSBlaster and Freeradius

2004-01-07 Thread Drew Weaver
I would also suggest moving freeradius to its own server, that way when a new
worm is released you won't have to keep changing your filters.

-Drew

