[172701] in North American Network Operators' Group


Re: Cheap LSN/CGN/NAT444 Solution

daemon@ATHENA.MIT.EDU (Roland Dobbins)
Tue Jul 1 04:09:55 2014

X-Original-To: nanog@nanog.org
From: Roland Dobbins <rdobbins@arbor.net>
In-Reply-To: <CAEUfUGMTHiHfD_iz4QZwyMk7pmAkOPUVmOrQe60f-UdEyA8Z6w@mail.gmail.com>
Date: Tue, 1 Jul 2014 13:33:42 +0700
To: "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


On Jul 1, 2014, at 7:03 AM, Skeeve Stevens <skeeve+nanog@eintellegonetworks.com> wrote:

> Roland, what methods are the easiest/cheapest way to deal with this?


Ensure you have visibility into your traffic southbound of the NAT -
flow telemetry generally works best for this, and there are plenty of
open-source solutions around which allow folks to get up and running
quickly.

Then deploy either S/RTBH or flowspec on the aggregation routers
southbound of the NAT.  This makes it easy to squelch
compromised/abusive hosts.

It might also be worth considering sticking some Web proxies
(transparent ones clustered via WCCPv2, if available) southbound of the
NAT, as well; while the bandwidth savings may be a wash due to dynamic
content, SSL, etc. (all highly variable based upon user behavior), TCP
sessions for Web requests from hosts southbound of the NAT will
terminate on the proxies, which provide a good point to perform
filtering on an as-needed basis.

----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

                   Equo ne credite, Teucri.

                          -- Laocoön
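As an added example (not from Roland's post or any NANOG code), here is a small Python sketch of the first two steps he describes: aggregate flow telemetry keyed on the inside, pre-NAT source addresses, flag the hosts that cross a simple threshold, and render a flowspec drop rule for each. The flow records and thresholds are constructed, and the ExaBGP-style announcement syntax is an assumption to be checked against whatever BGP speaker you actually run.

```python
# Added example: flow telemetry southbound of the NAT -> flowspec rules.
# Flow records and thresholds are constructed; the announcement syntax
# is an assumed ExaBGP-style rendering, not a tested router config.
from collections import defaultdict
from ipaddress import ip_address

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, packets)
FLOWS = [
    ("10.0.0.5", "198.51.100.9", "udp", 53, 4000),
    ("10.0.0.5", "198.51.100.9", "udp", 53, 3500),
    ("10.0.0.7", "203.0.113.20", "tcp", 443, 120),
    ("10.0.0.9", "203.0.113.1", "tcp", 22, 3),
    ("10.0.0.9", "203.0.113.2", "tcp", 22, 3),
    ("10.0.0.9", "203.0.113.3", "tcp", 22, 3),
    ("10.0.0.9", "203.0.113.4", "tcp", 22, 3),
]

def find_abusive_hosts(flows, pkt_threshold=5000, fanout_threshold=3):
    """Return {inside_ip: reason} for inside hosts that exceed a packet
    budget or spray many distinct destinations on one proto/port."""
    pkts = defaultdict(int)
    fanout = defaultdict(set)
    for src, dst, proto, dport, n in flows:
        if not ip_address(src).is_private:   # only pre-NAT inside hosts
            continue
        pkts[src] += n
        fanout[(src, proto, dport)].add(dst)
    flagged = {}
    for src, n in pkts.items():
        if n >= pkt_threshold:
            flagged[src] = f"{n} packets"
    for (src, proto, dport), dsts in fanout.items():
        if len(dsts) >= fanout_threshold:
            flagged.setdefault(src, f"{len(dsts)} destinations on {proto}/{dport}")
    return flagged

def flowspec_rule(src, proto=None, dport=None):
    """Render one discard rule for an inside address (assumed ExaBGP-style
    text); narrow it with proto/dport rather than dropping the whole host."""
    match = [f"source {src}/32;"]
    if proto:
        match.append(f"protocol {proto};")
    if dport:
        match.append(f"destination-port ={dport};")
    return "announce flow route { match { " + " ".join(match) + " } then { discard; } }"

if __name__ == "__main__":
    for host, why in find_abusive_hosts(FLOWS).items():
        print(f"# {host}: {why}")
        print(flowspec_rule(host))
```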

