Hey everyone,
today a colleague pointed out that random domain users could be locked out of our domain by simply trying to authenticate with an invalid username/password combination against SSL VPN two times. After analyzing this I found that in our setup, the login process queries both of our RADIUS servers and, after that, all domain controllers with the wrong credentials. Doing this twice effectively means six queries against the AD. And because we lock a user account after five tries, the account is then locked out. Guessing domain account names is pretty easy.
The user authentication daemon log file then looks something like this:
srcip="Z.Y.X.W" host="" user="test" caller="openvpn" reason="DENIED"
2016:08:11-12:14:15 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying X.Y.Z.A (radius)"
2016:08:11-12:14:15 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying A.B.C.D (radius)"
2016:08:11-12:14:15 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying B.C.D.E (adirectory)"
2016:08:11-12:14:15 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying C.D.E.F (adirectory)"
2016:08:11-12:14:15 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying D.E.F.G (adirectory)"
2016:08:11-12:14:15 m-2 aua[5762]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="Z.Y.X.W" host="" user="test" caller="openvpn" reason="DENIED"
2016:08:11-12:14:17 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying X.Y.Z.A (radius)"
2016:08:11-12:14:17 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying A.B.C.D (radius)"
2016:08:11-12:14:17 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying B.C.D.E (adirectory)"
2016:08:11-12:14:17 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying C.D.E.F (adirectory)"
2016:08:11-12:14:17 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying D.E.F.G (adirectory)"
2016:08:11-12:14:17 m-2 aua[5762]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="Z.Y.X.W" host="" user="test" caller="openvpn" reason="DENIED"
I understand that there might be different backend systems that all have different user databases and need to be queried, but in our case, these DC servers are just listed in the Authentication Servers tab for redundancy.
Is there anything I can do to prevent this behaviour? I need both DCs and RADIUS servers for authentication. WebAdmin login is authorized against AD and SSL VPN is checked against RADIUS (OTP and PIN).
Any ideas are welcome.
Thanks
asc
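An added example, not part of the original post or of any vendor tooling: a small Python script that reads aua log lines of the shape quoted above, groups the "Trying ..." lines into individual authentication attempts, and works out per user how many bad-password events the domain controllers have seen and whether the lockout threshold (five, as in the post) has been reached. The sample log is constructed from the post's placeholder addresses, and the script assumes, as the post describes, that every DC queried with bad credentials counts one bad-password event against the account.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the aua log lines quoted in the post:
# two failed openvpn logins for user "test", each fanning out to two RADIUS
# servers and three domain controllers (addresses are the post's placeholders).
SAMPLE_LOG = """\
2016:08:11-12:14:15 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying X.Y.Z.A (radius)"
2016:08:11-12:14:15 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying A.B.C.D (radius)"
2016:08:11-12:14:15 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying B.C.D.E (adirectory)"
2016:08:11-12:14:15 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying C.D.E.F (adirectory)"
2016:08:11-12:14:15 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying D.E.F.G (adirectory)"
2016:08:11-12:14:15 m-2 aua[5762]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="Z.Y.X.W" host="" user="test" caller="openvpn" reason="DENIED"
2016:08:11-12:14:17 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying X.Y.Z.A (radius)"
2016:08:11-12:14:17 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying A.B.C.D (radius)"
2016:08:11-12:14:17 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying B.C.D.E (adirectory)"
2016:08:11-12:14:17 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying C.D.E.F (adirectory)"
2016:08:11-12:14:17 m-2 aua[5762]: id="3006" severity="info" sys="System" sub="auth" name="Trying D.E.F.G (adirectory)"
2016:08:11-12:14:17 m-2 aua[5762]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="Z.Y.X.W" host="" user="test" caller="openvpn" reason="DENIED"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')          # key="value" pairs in a line
TRYING_RE = re.compile(r'^Trying (\S+) \((\w+)\)$')  # "Trying <addr> (<type>)"


def parse_aua_log(text):
    """Group aua 'Trying ...' lines into authentication attempts.

    An attempt is closed by an id="3005" 'Authentication failed' line, which
    carries the user/srcip/caller fields. Returns a list of attempt dicts.
    """
    attempts = []
    pending = []  # (backend address, backend type) seen since the last result line
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        name = fields.get("name")
        if name is None:
            continue  # log fragment or unrelated line
        m = TRYING_RE.match(name)
        if m:
            pending.append((m.group(1), m.group(2)))
            continue
        if fields.get("id") == "3005":  # failed authentication closes the attempt
            attempts.append({
                "time": line.split(" ", 1)[0],
                "user": fields.get("user", ""),
                "srcip": fields.get("srcip", ""),
                "caller": fields.get("caller", ""),
                "radius_backends": [a for a, t in pending if t == "radius"],
                "ad_backends": [a for a, t in pending if t == "adirectory"],
            })
            pending = []
    return attempts


def lockout_risk(attempts, lockout_threshold=5):
    """Per user: failed logins, the AD bad-password events they imply, and
    whether the domain lockout threshold has been reached.

    Assumption (as described in the post): every DC queried with bad
    credentials registers one bad-password event for the account.
    """
    per_user = defaultdict(lambda: {"failed_logins": 0, "ad_queries": 0})
    for a in attempts:
        stats = per_user[a["user"]]
        stats["failed_logins"] += 1
        stats["ad_queries"] += len(a["ad_backends"])
    for stats in per_user.values():
        stats["at_risk"] = stats["ad_queries"] >= lockout_threshold
    return dict(per_user)


def logins_until_lockout(ad_backends_per_attempt, lockout_threshold=5):
    """Failed VPN logins needed to reach the lockout threshold when each one
    is replayed against the given number of DCs (ceiling division)."""
    if ad_backends_per_attempt <= 0:
        return None  # no DC is queried, so VPN failures cannot lock the account
    return -(-lockout_threshold // ad_backends_per_attempt)


if __name__ == "__main__":
    found = parse_aua_log(SAMPLE_LOG)
    for user, stats in lockout_risk(found).items():
        print(user, stats)
    print("failed logins until lockout:",
          logins_until_lockout(len(found[0]["ad_backends"])))
```

Run against the sample, the script reports two failed logins for "test" that imply six bad-password events, above the threshold of five, and that with three DCs per attempt two failed VPN logins are enough. Feeding it a live aua log and alerting when `at_risk` flips for any user gives an early indicator of the lockout amplification the post describes.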