Kostas Kalevras wrote:

> Hmm that would mean stil having to add client entris in the 
> clients.conf. We 'd like to avoid that when using sql.

  Yes.  The reason is DoS attacks.

  My idea was to limit the number of IP's looked up in SQL by network.
So if a particular network is getting lots of "new" clients, it may be a
DoS attack, and the server can just start dropping the requests.

  In other words, it's OK for known clients to cause the server to do
lots of SQL lookups.  It's not OK for random people on the net to cause
the server to do lots of SQL lookups.

  If there's a way to restrict the lookups to avoid DoS attacks, I'm all
for it.  Maybe something like doing lookups of new clients only once a
second.  That should rate-limit DoS attacks to something manageable, and
still allow new clients to be discovered quickly.

  So adding 30 new clients would require at minimum 30s of time, but I
that shouldn't be much of a problem...

  Alan DeKok.
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to