[172692] in North American Network Operators' Group
Re: Cheap LSN/CGN/NAT444 Solution
daemon@ATHENA.MIT.EDU (Skeeve Stevens)
Mon Jun 30 20:07:54 2014
X-Original-To: nanog@nanog.org
In-Reply-To: <81415AF7-4DC7-4A91-9D6E-4A596C4F9B73@arbor.net>
From: Skeeve Stevens <skeeve+nanog@eintellegonetworks.com>
Date: Tue, 1 Jul 2014 10:03:40 +1000
To: Roland Dobbins <rdobbins@arbor.net>
Cc: "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Roland, what methods are the easiest/cheapest way to deal with this?
...Skeeve
Skeeve Stevens - eintellego Networks Pty Ltd
skeeve@eintellegonetworks.com ; www.eintellegonetworks.com
Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
facebook.com/eintellegonetworks ; <http://twitter.com/networkceoau>
linkedin.com/in/skeeve
experts360: https://expert360.com/profile/d54a9
twitter.com/theispguy ; blog: www.theispguy.com
The Experts Who The Experts Call
Juniper - Cisco - Cloud - Consulting - IPv4 Brokering
On Mon, Jun 30, 2014 at 8:12 PM, Roland Dobbins <rdobbins@arbor.net> wrote:
>
> On Jun 30, 2014, at 4:53 PM, Tony Wicks <tony@wicks.co.nz> wrote:
>
> > From experience (we ran out of IPv4 a long time ago in the APNIC region)
> > this is not needed,
>
> I've seen huge problems from compromised machines completely killing NATs
> from the southbound side.
>
> > what is needed however is session timeouts.
>
> This can help, but it isn't a solution to the botted/abusive machine
> problem. They'll just keep right on pumping out packets and establishing
> new sessions, 'crowding out' legitimate users and filling up the
> state-table, maxing the CPU. Embryonic connection limits and all that
> stuff aren't enough, either.
>
> ----------------------------------------------------------------------
> Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
>
> Equo ne credite, Teucri.
>
> -- Laocoön
>
>