[tac_plus] seeing lots of Read -1 bytes from router.example.net , expecting 12

Asif Iqbal vadud3 at gmail.com
Sat Jun 2 18:07:57 UTC 2012


On Sat, Jun 2, 2012 at 1:38 PM, Asif Iqbal <vadud3 at gmail.com> wrote:

> On Sat, Jun 2, 2012 at 2:46 AM, Kiss Gabor (Bitman) <kissg at ssg.ki.iif.hu>wrote:
>
>> > Am I experiencing a bug?
>> >
>> > I am running tac_plus F4.0.4.19
>> >
>> > I see 110444 of the following type of error in 14 hrs.
>> >
>> > Jun  1 16:36:27 hlr-tacacs-01 tac_plus[17512]: Read -1 bytes from
>> > router.example.net , expecting 12
>>
>> It seems to be rather an "attack".
>>
>
> This is valid traffic, not an attack.
>
>
>> Somebody continously connect to router.example.net then disconnects.
>> The router does the same with your TACACS+ server.
>>
>> Gabor
>>
>
>
How do I verify if those are keep-alive requests. This url suggests I am
experiencing those keep-alive
chats

 http://blog.xbsd.org/2010/10/20/cisco-css-and-tacacs

I have thousands of routers. It would be lot of work to add the disable in
all of them.
Is there may be another approach to this short from ignoring this massive
amount
of noises?


>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>
>
>


-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20120602/51051a58/attachment.html>


More information about the tac_plus mailing list