IETF Logo Mail Archive

Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail reguarding draft-ietf-radext-dynamic-discovery

Alan DeKok <aland@deployingradius.com> Thu, 25 July 2013 01:04 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0719E21F9A2E for <radext@ietfa.amsl.com>; Wed, 24 Jul 2013 18:04:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G+9g8bDjQLdL for <radext@ietfa.amsl.com>; Wed, 24 Jul 2013 18:04:16 -0700 (PDT)
Received: from power.freeradius.org (power.freeradius.org [88.190.25.44]) by ietfa.amsl.com (Postfix) with ESMTP id 0AE5221F9A2A for <radext@ietf.org>; Wed, 24 Jul 2013 18:04:16 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id 765E522400C8; Thu, 25 Jul 2013 03:04:15 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YK4mSeGbpkjY; Thu, 25 Jul 2013 03:04:15 +0200 (CEST)
Received: from Thor-2.local (unknown [67.71.147.228]) by power.freeradius.org (Postfix) with ESMTPSA id E21E92240072; Thu, 25 Jul 2013 03:04:14 +0200 (CEST)
Message-ID: <51F0798F.4@deployingradius.com>
Date: Wed, 24 Jul 2013 21:04:15 -0400
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Stefan Winter <stefan.winter@restena.lu>
References: <88ACDECA21EE5B438CA26316163BC14C25D334A9@BASS.ad.clarku.edu> <51DD5683.3070202@restena.lu> <51DE5730.4080008@deployingradius.com> <51E545A6.6040008@restena.lu> <51E54C2E.80002@deployingradius.com> <51EFEB39.4060102@restena.lu>
In-Reply-To: <51EFEB39.4060102@restena.lu>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: radext@ietf.org
Subject: Re: [radext] Fwd: RE: Fwd: RE: Fwd: RE: Mail reguarding draft-ietf-radext-dynamic-discovery
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2013 01:04:22 -0000

Stefan Winter wrote:
> It also just occured to me that your attack is too complex to be useful
> for an attacker; it would require actual humans lured into trying to log
> into realmA in masses, so that their login attempts overload proxy B. It
> would require hundreds or thousands of humans trying to log in per
> second so that proxy B feels the load.

  I suppose there are no companies with 10M customers, and imperfect
administrators?

> If realmA really wants to DoS proxy B, they would take note of proxy B's
> IP address and port, and hire a cheap botnet. The botnet would simply
> not care whether there is a reverse IP to check.

  I'm not trying to make perfect security.  I'm trying to make it
cheaper to catch mistakes.

> In short... once your server is up in the open, it can be contacted by
> anyone, like it or not. An implementation needs to cope with that.

  Yes.  There's no question there.

  I would like to discover *misconfiguration* quickly.  A reverse IP
check is cheap.  It's more expensive to have 100K customers hit your
proxy because an admin mis-configured something.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email