[172672] in North American Network Operators' Group


Re: Cheap LSN/CGN/NAT444 Solution

daemon@ATHENA.MIT.EDU (Roland Dobbins)
Mon Jun 30 06:12:32 2014

X-Original-To: nanog@nanog.org
From: Roland Dobbins <rdobbins@arbor.net>
In-Reply-To: <004701cf9449$1eebd850$5cc388f0$@wicks.co.nz>
Date: Mon, 30 Jun 2014 17:12:17 +0700
To: "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


On Jun 30, 2014, at 4:53 PM, Tony Wicks <tony@wicks.co.nz> wrote:

> From experience (we ran out of IPv4 a long time ago in the APNIC region) this is not needed,

I've seen huge problems from compromised machines completely killing NATs from the southbound side.

> what is needed, however, is session timeouts.

This can help, but it isn't a solution to the botted/abusive machine problem. They'll just keep right on pumping out packets and establishing new sessions, 'crowding out' legitimate users and filling up the state-table, maxing the CPU. Embryonic connection limits and all that stuff aren't enough, either.

----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

                   Do not trust the horse, Trojans.

                          -- Laocoön
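The crowd-out Roland describes, as an added illustration that is not part of the thread: a constructed simulation of a shared NAT444 state table with an idle timeout, one compromised subscriber opening sessions continuously, and a handful of legitimate subscribers. All capacities and rates are made-up numbers; the point is that a shorter timeout lowers the abuser's steady-state footprint (rate x timeout) but cannot help once that product exceeds the table size.

```python
"""Constructed CGN state-table simulation (illustration only, not code from
the thread). One abusive host opens `bot_rate` new sessions per second;
`legit_hosts` subscribers each open `legit_rate` per second. Entries expire
`timeout` seconds after creation (treated as idle, never refreshed)."""
from collections import deque


def simulate(capacity, timeout, bot_rate, legit_hosts, legit_rate, seconds):
    """Return (peak_entries_owned_by_bot, legitimate_sessions_refused)."""
    # Every entry gets the same timeout, so creation order == expiry order
    # and a deque with popleft() is an exact FIFO expiry queue.
    table = deque()  # (expiry_time, owner)
    refused = 0
    peak_bot = 0
    for now in range(seconds):
        while table and table[0][0] <= now:  # age out idle translations
            table.popleft()
        for _ in range(bot_rate):  # compromised host never stops
            if len(table) < capacity:
                table.append((now + timeout, "bot"))
        for host in range(legit_hosts):  # legitimate subscribers
            for _ in range(legit_rate):
                if len(table) < capacity:
                    table.append((now + timeout, f"user{host}"))
                else:
                    refused += 1  # table full: real user gets no translation
        peak_bot = max(peak_bot, sum(1 for _, who in table if who == "bot"))
    return peak_bot, refused


def timeout_sweep(timeouts, **params):
    """Run the same scenario under several idle timeouts for comparison."""
    return {tmo: simulate(timeout=tmo, **params) for tmo in timeouts}


if __name__ == "__main__":
    base = dict(capacity=1000, bot_rate=200, legit_hosts=10,
                legit_rate=1, seconds=60)
    for tmo, (peak, lost) in timeout_sweep([30, 2], **base).items():
        print(f"timeout={tmo:>2}s bot_rate=200/s: bot holds {peak} entries, "
              f"legit sessions refused={lost}")
    # A faster abuser defeats the short timeout again: 600/s x 2s > 1000.
    peak, lost = simulate(1000, 2, 600, 10, 1, 60)
    print(f"timeout= 2s bot_rate=600/s: bot holds {peak} entries, "
          f"legit sessions refused={lost}")
```

With a 30 s timeout the 200/s host pins roughly 960 of 1000 entries and 520 legitimate session attempts are refused over the minute; dropping the timeout to 2 s clears the problem for that rate, but a 600/s host fills the table again, which is why the timeout helps without being a solution.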

