Cheap LSN/CGN/NAT444 Solution

Roland Dobbins rdobbins at arbor.net
Mon Jun 30 10:12:17 UTC 2014


On Jun 30, 2014, at 4:53 PM, Tony Wicks <tony at wicks.co.nz> wrote:

> From experience (we ran out of IPv4 a long time ago in the APNIC region) this is not needed,

I've seen huge problems from compromised machines completely killing NATs from the southbound side.

> what is needed however is session timeouts. 

This can help, but it isn't a solution to the botted/abusive machine problem.  They'll just keep right on pumping out packets and establishing new sessions, 'crowding out' legitimate users and filling up the state-table, maxing the CPU.  Embryonic connection limits and all that stuff aren't enough, either.

----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

                   Equo ne credite, Teucri.

    		   	  -- Laocoön




More information about the NANOG mailing list