Denial of service attacks apparently from UUNET Netblocks

I think I heard "John A. Tamplin" say:

Why not just have the Radius server generate the filter itself based on the
assigned IP address?

Aside from having to reconfigure the router every time somebody logs on
or off? Other than having to have the Radius server run a script which
logs into the router and enables (assuming that you are using a Cisco)?
Ignoring the problems that Ciscos can have with changing access-lists
(especially under high load)? (the list could continue) Other than all
those reasons, it would work just fine. :-)

(okay - maybe I'm Cisco bashing and flaming, but I've seen far too many
service interruptions caused by changing access-lists to ignore the issue)

Well, the original topic was about Ascend, and that is what we run here. As
part of the Radius response to the NAS, you can include arbitrary filters to
apply to that specific connection. Now, you do pay for that in terms of
performance, but the Radius server can supply a specific filter for every
connection. Of course, none of the stock Radius servers support that but I
am sure everyone has local hacks anyway. For example, all of our
authentication information (and usage logs) are maintained in an Informix
database.

John Tamplin Traveller Information Services
jat@Traveller.COM 2104 West Ferry Way
205/883-4233x7007 Huntsville, AL 35801

To belabor the obvious, remember that not all dialups are hosts; what
you need to set as the filter on the source addresses is a _netmask_.

Cheers,
-- jra

And for those, you aren't dynamically assigning the addresses so it is
easy to build a filter for them.

John Tamplin Traveller Information Services
jat@Traveller.COM 2104 West Ferry Way
205/883-4233x7007 Huntsville, AL 35801

Usually. I could see a circumstance where a small LAN was using an
ISDN dial on demand link... You're not dynamically assigning the
address... but you _are_ dynamically assigning it to a port.

Cheers,
-- jra
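
The per-connection source filter discussed in this thread, as an added sketch that is not code from any poster and not Ascend or Radius server syntax: the filter is derived at login from the assigned address and netmask, bound to the port, and dropped at logoff. The `Nas` class, user names, pool and addresses are constructed for illustration.

```python
import ipaddress

# Constructed user records (assumption; the thread's site keeps these in a database).
# address None means "assign from the dynamic pool at login".
USERS = {
    "alice":    {"address": None,         "netmask": "255.255.255.255"},
    "smalllan": {"address": "192.0.2.64", "netmask": "255.255.255.224"},
}
POOL = [ipaddress.ip_address("198.51.100.10"),
        ipaddress.ip_address("198.51.100.11")]


class Nas:
    """Hypothetical model of an access server with one source filter per port."""

    def __init__(self):
        self.free = list(POOL)
        self.port_filter = {}  # port -> network allowed as packet source

    def login(self, port, user):
        rec = USERS[user]
        addr = rec["address"] or str(self.free.pop(0))
        # The filter is a network, not a host: a /32 for a single dial-up
        # host, a wider mask for a LAN routed over the link.
        net = ipaddress.ip_network(f"{addr}/{rec['netmask']}", strict=False)
        self.port_filter[port] = net
        return net

    def logoff(self, port):
        # Removing the filter with the session matters for static customers
        # too: their address is fixed, but the port they land on is not.
        net = self.port_filter.pop(port)
        if net.network_address in POOL:
            self.free.append(net.network_address)

    def accept(self, port, src):
        """True only if src lies inside the network bound to this port."""
        net = self.port_filter.get(port)
        return net is not None and ipaddress.ip_address(src) in net


if __name__ == "__main__":
    nas = Nas()
    print(nas.login(1, "alice"), nas.accept(1, "10.1.1.1"))
    print(nas.login(2, "smalllan"), nas.accept(2, "192.0.2.70"))
```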