[AusNOG] RADIUS over UDP on public networks deprecated.
John Edwards
jaedwards at gmail.com
Thu Jul 11 14:28:15 AEST 2024
FWIW, this "vulnerability" was being exploited as early as 2003 when
certain ADSL routers had a defect that caused them to overwhelm
authentication servers that still had forking modes of operation best
suited to a dialup environment. Basically if they were denied
authentication the routers would immediately retry with the same
credentials, at a rate of about 15 times per second.
We would forge "accept" packets to quarantine the dirty routers as a way of
resolving a race condition that otherwise created a cascading denial of
service. Not long after, we switched to using Radiator, which didn't have
this problem.
I don't believe that anyone ever expected UDP RADIUS packets to traverse
public networks, although I suppose I am not surprised this needs to be
announced as a threat.
John
On Thu, 11 Jul 2024 at 12:19, David Beveridge <dave at bevhost.com> wrote:
> CVE-2024-3596
>
> https://www.helpnetsecurity.com/2024/07/09/blastradius-radius-protocol-vulnerability/
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> https://lists.ausnog.net/mailman/listinfo/ausnog
>
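As an added illustration of the point above, here is what a RADIUS client should check before it trusts an Access-Accept that arrived over UDP: the RFC 2865 Response Authenticator (MD5 over the reply plus the shared secret) and the RFC 2869 Message-Authenticator attribute (HMAC-MD5 over the whole reply, keyed by the secret), which is the attribute the BlastRADIUS (CVE-2024-3596) guidance says must be required on responses. This is example code written for this page; it is not from the post, from Radiator, or from any other product, and the shared secret, request authenticator and attribute values in it are constructed test data.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet codes and the RFC 2869 attribute type we care about
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ACCESS_CHALLENGE = 11
MESSAGE_AUTHENTICATOR = 80

# Constructed test values (not real credentials)
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))  # the 16-byte authenticator the client sent in its Access-Request


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_response(code, ident, request_auth, attrs, secret, include_message_authenticator=True):
    """Build a reply the way a conforming server does (RFC 2865 s.3, RFC 2869 s.5.14).

    The Message-Authenticator is appended last, computed over the packet with its own
    value zeroed, and the Response Authenticator is then computed over the finished body.
    """
    attrs = list(attrs)
    if include_message_authenticator:
        attrs.append((MESSAGE_AUTHENTICATOR, bytes(16)))
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if include_message_authenticator:
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac  # the zeroed value is the last 16 bytes of the body
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet, request_auth, secret, require_message_authenticator=True):
    """Return True only if the reply is bound to our request by both integrity checks.

    With require_message_authenticator=True (the BlastRADIUS mitigation), a reply that
    carries only the MD5 Response Authenticator is rejected.
    """
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    response_auth, body = packet[4:20], packet[20:]

    # Check 1: RFC 2865 Response Authenticator
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return False

    # Check 2: locate the Message-Authenticator while validating attribute framing
    pos, ma_offset = 0, None
    while pos < len(body):
        if pos + 2 > len(body):
            return False
        attr_type, attr_len = struct.unpack("!BB", body[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > len(body):
            return False
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18 or ma_offset is not None:
                return False
            ma_offset = pos + 2
        pos += attr_len
    if ma_offset is None:
        return not require_message_authenticator

    # HMAC-MD5 over the packet with the Message-Authenticator value zeroed,
    # using the Request Authenticator in the authenticator field (RFC 2869 s.5.14)
    zeroed = body[:ma_offset] + bytes(16) + body[ma_offset + 16:]
    mac = hmac.new(secret, packet[:4] + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, body[ma_offset:ma_offset + 16])


def demo():
    """Show an accepted reply, a tampered reply, and a reply with no Message-Authenticator."""
    attrs = [(18, b"Welcome")]  # Reply-Message, a constructed attribute
    good = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, attrs, SECRET)
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])
    legacy = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, attrs, SECRET, include_message_authenticator=False)
    return {
        "good": verify_response(good, REQUEST_AUTH, SECRET),
        "tampered": verify_response(tampered, REQUEST_AUTH, SECRET),
        "legacy_strict": verify_response(legacy, REQUEST_AUTH, SECRET),
        "legacy_lenient": verify_response(legacy, REQUEST_AUTH, SECRET, require_message_authenticator=False),
    }


if __name__ == "__main__":
    print(demo())
```

The `legacy_strict` case is the one that matters operationally: a reply carrying only the MD5 Response Authenticator is exactly what the forged accepts described above look like, and a client that insists on the Message-Authenticator simply drops it.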