|
| 1 | +# -*- text -*- |
| 2 | +# |
| 3 | +# $Id$ |
| 4 | + |
| 5 | +# |
| 6 | +# This module performs rate limiting on proxied packets. |
| 7 | +# |
| 8 | +# In some cases, a home server does not delay Access-Reject packets. |
| 9 | +# Badly behaved end-user devices may then try to authenticate many |
| 10 | +# hundreds of times a second. This behavior is effectively a denial |
| 11 | +# of service (DoS) attack on the RADIUS infastructure. |
| 12 | +# |
| 13 | +# This module tracks Access-Reject packets based on a key. If the |
| 14 | +# device is trying to authenticate too many times in quick |
| 15 | +# succession, the module will return a reject rather than proxying |
| 16 | +# the packet. These Access-Requests will not be proxied for a |
| 17 | +# configurable period of time, which is the "suppression period". |
| 18 | +# |
| 19 | +# Access-Reject responses from home servers for proxied requests are |
| 20 | +# store in a local tracking structure, keyed by username + supplicant |
| 21 | +# MAC. IDs are tracked to identify retransmission of the most recent |
| 22 | +# request. There should be few issues with lock contention, as the |
| 23 | +# tracking structure is designed carefully to avoid locks, or use |
| 24 | +# multiple distinct locks. |
| 25 | +# |
| 26 | +# Prior to proxying a request (in the pre-proxy section), the |
| 27 | +# tracking structure is queried. If an activate entry exists for the |
| 28 | +# device, then an Access-Reject will be sent and proxying will be |
| 29 | +# cancelled. Multiple requests arriving within the same second from a |
| 30 | +# device will cause the suppression period to the extended. |
| 31 | +# |
| 32 | +# When a request is proxied, if the reponse from the home server (in |
| 33 | +# the post-proxy section) is Access-Reject, then the device will be |
| 34 | +# added to the corresponding tracking table. If the device does not |
| 35 | +# quickly re-authenticate, then the tracking tavble entry is |
| 36 | +# discarded. |
| 37 | +# |
| 38 | +# However, if multiple requests arrive for the same device within the |
| 39 | +# same second, the module start rate-limiting requests as described |
| 40 | +# above. |
| 41 | +# |
| 42 | + |
| 43 | +# |
| 44 | +# Update the "pre-proxy" section to list the "proxy_rate_limit" module: |
| 45 | +# |
| 46 | +# pre-proxy { |
| 47 | +# ... |
| 48 | +# proxy_rate_limit |
| 49 | +# ... |
| 50 | +# } |
| 51 | +# |
| 52 | +# And update the "post-proxy" section to list the "proxy_rate_limit" module: |
| 53 | +# |
| 54 | +# post-proxy { |
| 55 | +# ... |
| 56 | +# proxy_rate_limit |
| 57 | +# ... |
| 58 | +# } |
| 59 | +# |
| 60 | + |
| 61 | +# |
| 62 | +# The module configuration. |
| 63 | +# |
| 64 | +proxy_rate_limit { |
| 65 | + # |
| 66 | + # The key used to track entries. |
| 67 | + # |
| 68 | + # For now, the key is not configurable, and is hard-coded to be the expansion below. |
| 69 | + # |
| 70 | +# key = "%{User-Name}%{Calling-Station-Id} |
| 71 | + |
| 72 | + # |
| 73 | + # This limits the maximum number of entries which are |
| 74 | + # tracked. If the table becomes full, then older entries |
| 75 | + # will be evicted to make room for new entries. |
| 76 | + # |
| 77 | + max_entries = 2048 |
| 78 | + |
| 79 | + # |
| 80 | + # The idle timeout period, or lifetime of entries. If we do |
| 81 | + # not see packets for a device within this time limit, then |
| 82 | + # the entry is expired. |
| 83 | + # |
| 84 | + idle_timeout = 10 |
| 85 | +} |
0 commit comments