[tac_plus] Re: DOS attack

john heasley heas at shrubbery.net
Fri Sep 28 23:40:12 UTC 2007


Thu, Sep 13, 2007 at 12:52:38PM -0600, Dan Schmidt:
> I was wondering if anybody was aware of any possible DOS attacks against
> tac_plus.  One of my coworkers expressed great concern that a DOS attack
> could confuse authentication or authorization to the point that the
> switch could not properly communicate with tac_plus and would not
> default to local.  (i.e. aaa authentication default group tacacs line)

Any AAA could have this problem.  Exposure could be greatly reduced by
filtering properly on the server, limiting accounts on the server, and
possibly other ways.

> For this reason, he believes line con 0 should not use tacacs so that it
> can be a backup.  

That is one possible approach.  Doesn't help your console server though, and
now anyone who must use the console must have the password.

> I am aware that this may be a bad forum to ask such a question, but I
> thought that because the answer could relate directly to tac_plus I
> would ask this question here.  If there is a more appropriate place to
> inquire, please inform me. 

There are some lists about that deal specifically with DOS and/or security.

