[UNIX] DoS Attack Against FreeRADIUS (Other RADIUS Servers Affected)

From: support@securiteam.com
Date: 02/28/02


From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 28 Feb 2002 15:14:08 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  DoS Attack Against FreeRADIUS (Other RADIUS Servers Affected)
------------------------------------------------------------------------

SUMMARY

The FreeRADIUS Server Project (http://www.freeradius.org) is an attempt
to create a high-performance and highly configurable GPL'd RADIUS server.
A security vulnerability in the product allows an attacker to overload the
server with failed authentication requests, causing a denial of service.
Other RADIUS implementations are suspected to be vulnerable to the same
issue.

DETAILS

Vulnerable systems:
FreeRADIUS version 0.3 and prior

Immune systems:
FreeRADIUS version 0.4

The maintainers of FreeRADIUS recently received a report of a DoS attack
against it. For background, FreeRADIUS is a free software RADIUS
authentication, authorization, and accounting server.

The attack was launched from a Nortel Shasta BSN 5000 (the NAS), by a user
on a DSL link who flooded the NAS with PPP requests containing an invalid
password. All of the PPP requests failed: each time the NAS sent an
Access-Request to the RADIUS server, the server answered with an
Access-Reject because of the invalid password.

However, the flood of Access-Request packets caused the server to
effectively lock up while the attack was in progress. The system load
during the attack was 60. When the attack stopped, the server resumed its
normal operation.

During the attack, few other users were able to authenticate, as the
server was busy processing the flood of requests from the attack.
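To spot the pattern described above on the RADIUS side, here is an added example (not from the advisory or the FreeRADIUS project) that counts failed-login events per user and NAS client inside a sliding time window over radius.log-style lines; the "Auth: Login incorrect" line format, the client names, the sample lines and the window/threshold values are all constructed assumptions.

```python
# Added example (not advisory or FreeRADIUS code): flag a reject flood by
# counting "Login incorrect" events per (user, NAS client) in a sliding time
# window. Sample lines approximate the classic FreeRADIUS "Auth:" log format.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"Login incorrect: \[(?P<user>[^/\]]+)(?:/[^\]]*)?\] "
    r"\(from client (?P<client>\S+) port \d+")

def parse_reject(line):
    """Return (timestamp, user, client) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("client")

def find_floods(lines, window_s=10, threshold=20):
    """Map (user, client) -> peak rejects in any window_s-second window, for
    pairs that reached threshold. Lines are assumed to be in time order."""
    recent = defaultdict(deque)   # (user, client) -> timestamps in window
    floods = {}
    for line in lines:
        parsed = parse_reject(line)
        if parsed is None:        # Login OK and non-auth lines are ignored
            continue
        ts, user, client = parsed
        q = recent[(user, client)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # expire timestamps outside the window
        if len(q) >= threshold:
            floods[(user, client)] = max(len(q), floods.get((user, client), 0))
    return floods

def sample_log():
    """Constructed excerpt: 25 failed logins for one user through NAS 'shasta'
    in five seconds, one ordinary failure, one success."""
    t0, fmt = datetime(2002, 2, 28, 15, 14, 8), "%a %b %d %H:%M:%S %Y"
    lines = [f"{(t0 + timedelta(seconds=i // 5)).strftime(fmt)} : Auth: Login "
             f"incorrect: [flooder/wrongpw] (from client shasta port {i} cli 5551234)"
             for i in range(25)]
    lines.append(f"{t0.strftime(fmt)} : Auth: Login incorrect: [alice/typo] "
                 "(from client nas2 port 3 cli 5559876)")
    lines.append(f"{t0.strftime(fmt)} : Auth: Login OK: [bob] (from client nas2 port 4)")
    return lines
```

Running `find_floods(sample_log())` flags only the flooder/shasta pair; a single typo from another NAS stays below the threshold.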

The code was subsequently patched so that the server waits for a
configurable time before sending an Access-Reject to the NAS. Because the
NAS ignores any new PPP requests from the problem user until it receives a
response from the RADIUS server, this delay throttles the rate at which one
user can generate Access-Requests. These changes are available in the
current CVS snapshot of FreeRADIUS and will be included in any subsequent
release.

Vendor response:
Nortel was contacted by the administrator of the NAS under attack, and
their apparent response was that it was not their job to limit RADIUS
traffic.

FreeRADIUS's examination of other freely available RADIUS implementations
indicates that most, if not all, of them would be vulnerable to the same
attack. Apparently many commercial RADIUS servers are also vulnerable.
Other NAS boxes may also contribute to the problem, by originating
non-rate-limited RADIUS packets.

A decent method of avoiding these problems is to place the RADIUS server
on a protected network, where the traffic to it can be controlled. Dial-up
users should not be able to route packets to the server, and packets from
the Internet should not be routable to the server. If proxying to another
site across the Internet is required, then a secure transport protocol
such as IPSec should be used.

In such a configuration, the server will be exposed to a minimum of
possible attacks.

ADDITIONAL INFORMATION

The information has been provided by Alan DeKok (aland@freeradius.org).



