Cheap LSN/CGN/NAT444 Solution

Roland Dobbins rdobbins at
Mon Jun 30 10:12:17 UTC 2014

On Jun 30, 2014, at 4:53 PM, Tony Wicks <tony at> wrote:

> From experience (we ran out of IPv4 a long time ago in the APNIC region) this is not needed,

I've seen huge problems from compromised machines completely killing NATs from the southbound side.

> what is needed however is session timeouts. 

This can help, but it isn't a solution to the botted/abusive machine problem.  They'll just keep right on pumping out packets and establishing new sessions, 'crowding out' legitimate users and filling up the state-table, maxing the CPU.  Embryonic connection limits and all that stuff aren't enough, either.

Roland Dobbins <rdobbins at> // <>

                   Equo ne credite, Teucri.

    		   	  -- Laocoön

More information about the NANOG mailing list