[172673] in North American Network Operators' Group
Re: Cheap LSN/CGN/NAT444 Solution
daemon@ATHENA.MIT.EDU (Simon Perreault)
Mon Jun 30 08:44:17 2014
Date: Mon, 30 Jun 2014 08:42:15 -0400
From: Simon Perreault <simon@per.reau.lt>
To: nanog@nanog.org
In-Reply-To: <81415AF7-4DC7-4A91-9D6E-4A596C4F9B73@arbor.net>
On 2014-06-30 06:12, Roland Dobbins wrote:
>> what is needed however is session timeouts.
> This can help, but it isn't a solution to the botted/abusive machine problem. They'll just keep right on pumping out packets and establishing new sessions, 'crowding out' legitimate users and filling up the state-table, maxing the CPU. Embryonic connection limits and all that stuff aren't enough, either.
Why? Cause that (per-subscriber limits on ports and memory) is exactly
what we recommend in RFC 6888...
Simon
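
The following is an added illustration, not part of the original message or of RFC 6888: a toy CGN mapping table showing how a per-subscriber port limit keeps one abusive host from exhausting a shared external port pool. The class name, pool size, limit and workload are all constructed assumptions.

```python
from collections import defaultdict

class PortLimitedNat:
    """Toy CGN mapping table: shared external port pool, optional per-subscriber cap."""

    def __init__(self, pool_size, per_subscriber_limit=None):
        self.free_ports = list(range(1024, 1024 + pool_size))
        self.per_subscriber_limit = per_subscriber_limit
        self.mappings = {}                # (subscriber, flow_id) -> external port
        self.in_use = defaultdict(int)    # subscriber -> ports currently held

    def allocate(self, subscriber, flow_id):
        key = (subscriber, flow_id)
        if key in self.mappings:          # existing session reuses its mapping
            return self.mappings[key]
        limit = self.per_subscriber_limit
        if limit is not None and self.in_use[subscriber] >= limit:
            return None                   # over own quota: only this subscriber is refused
        if not self.free_ports:
            return None                   # shared pool exhausted: everyone is refused
        port = self.free_ports.pop()
        self.mappings[key] = port
        self.in_use[subscriber] += 1
        return port

def simulate(per_subscriber_limit):
    """Constructed workload: one host opens 5000 flows, then 10 subscribers open 20 each.

    Returns (ports held by the abusive host, legitimate flows that got a mapping).
    """
    nat = PortLimitedNat(pool_size=1000, per_subscriber_limit=per_subscriber_limit)
    for flow in range(5000):
        nat.allocate("abusive", flow)
    served = 0
    for sub in range(10):
        for flow in range(20):
            if nat.allocate(f"legit-{sub}", flow) is not None:
                served += 1
    return nat.in_use["abusive"], served

if __name__ == "__main__":
    print("no limit:       ", simulate(None))   # abusive host takes the whole pool
    print("limit 100/sub:  ", simulate(100))    # abusive host capped, others served
```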