Blast-RADIUS mitigation

Blast-RADIUS is an attack against a RADIUS server in which the attacker forges a response packet using an MD5 collision and injects a malicious Proxy-State attribute. The plan is to have the server reject the request and then substitute a forged response carrying the attacker's chosen credentials, gaining access as a better class of customer with higher rewards once the attack succeeds.

The server was hardened against Blast-RADIUS in September 2001, when the Message-Authenticator attribute was introduced. Virtually no server administrators enabled the Message-Authenticator (MA), since hardly any clients bothered to implement it. Inclusion of the Message-Authenticator has become more common now that more servers use EAP-Message attributes (where it is required), but its use in non-EAP packets is still limited. The AXL RADIUS Server can enforce the MA for all clients, but client administrators would not accept mandatory use. Accounting packets simply cannot contain an MA.

Even though the Message-Authenticator was poorly accepted, an additional protection in the Proxy-State attribute was introduced in October 1999 during initial coding. A random prefix signature is prepended to legitimate AXL RADIUS Proxy-State information. When a packet with one or more Proxy-State attributes is received, the AXL RADIUS Server checks that at least one Proxy-State carries the signature.

The original purpose of the signature was to locate our own Proxy-State when the list arrived out of order, and to drop the packet if no Proxy-State for the local server was found.

Failure to find the signature prevents any further processing. Any Proxy-State data injected by Blast-RADIUS is highly unlikely to accidentally reproduce the signature format in the collision data it places in the Proxy-State attribute(s), so the prefix signature is missing, the packet is silently dropped, and the rest of the attack (logging in with fake credentials or supplying fake accounting information) is thwarted.
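To make the Proxy-State signature check concrete, here is an added Python example; it is not AXL RADIUS Server code, and the signature length, the way the signature is generated, and the constructed packets are assumptions. It parses the RADIUS attribute list of a packet, collects every Proxy-State (type 33) attribute, and accepts the packet only if at least one Proxy-State begins with the server's random prefix signature, which is what lets collision garbage placed in an injected Proxy-State be dropped.

```python
import os
import struct

PROXY_STATE = 33  # RADIUS attribute type for Proxy-State (RFC 2865)
SIG_LEN = 8       # assumed length of the server's random prefix signature

# Assumption: the server draws a random prefix once at start-up and prepends it
# to every Proxy-State it adds when proxying a request.
SERVER_SIGNATURE = os.urandom(SIG_LEN)


def parse_attributes(packet: bytes):
    """Yield (type, value) pairs from the attribute list after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def build_packet(code: int, ident: int, attrs) -> bytes:
    """Construct a RADIUS packet (authenticator zeroed; enough for this demo)."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def make_proxy_state(local_data: bytes, signature: bytes = SERVER_SIGNATURE) -> bytes:
    """Proxy-State value as this server would emit it: signature || local data."""
    return signature + local_data


def has_signed_proxy_state(packet: bytes, signature: bytes = SERVER_SIGNATURE) -> bool:
    """Return True if the packet may be processed further.

    Packets carrying no Proxy-State are not subject to this check. Packets with
    one or more Proxy-State attributes pass only if at least one starts with
    our signature; otherwise the caller silently drops the packet.
    """
    proxy_states = [v for t, v in parse_attributes(packet) if t == PROXY_STATE]
    if not proxy_states:
        return True
    return any(v.startswith(signature) for v in proxy_states)
```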