black listing of web traffic

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Tue Feb 9 18:28:33 CST 2010


On Tue, 09 Feb 2010 17:44:01 EST, Andrey Gordon said:

> It does seem much like NAT exhaustion even though the f/w claims only 13K
> session for two dynamic NATs and about 20 static ones.
> What I don't get is why there is consistency in opening sites. Why does
> facebook open all the time and store.apple.com barely opens all the time.

This sounds like possibly a hash table with a spectacularly poor hash function,
causing most of your entries to be in only a few hash buckets.  You hit one
of the 497 buckets that has 0 or 1 or 3 entries, it works great. You hit one
of 3 buckets that has 4,000+ entries in it, things suck. (You Linux geeks
can quit smirking - Linux had a very similar issue in its networking stack
not so long ago).

Never underestimate the ability of vendor engineers to write hilariously
poor code:

http://thedailywtf.com/Articles/Else-where.aspx

You really gotta assume that your firewall code (or any other code, for that
matter) was written by that programmer until proved otherwise.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20100209/976af539/attachment.bin>


More information about the NANOG mailing list