Cheap LSN/CGN/NAT444 Solution
Roland Dobbins
rdobbins at arbor.net
Mon Jun 30 10:12:17 UTC 2014
On Jun 30, 2014, at 4:53 PM, Tony Wicks <tony at wicks.co.nz> wrote:
> From experience (we ran out of IPv4 a long time ago in the APNIC region) this is not needed,
I've seen huge problems from compromised machines completely killing NATs from the southbound side.
> what is needed however is session timeouts.
This can help, but it isn't a solution to the botted/abusive machine problem. They'll just keep right on pumping out packets and establishing new sessions, 'crowding out' legitimate users and filling up the state-table, maxing the CPU. Embryonic connection limits and all that stuff aren't enough, either.
----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Equo ne credite, Teucri.
-- Laocoön
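Added example, not part of the original message: a small simulation of the point made above, that a fixed-size NAT state table with a session timeout still gets filled by one host opening new sessions continuously. The table size, timeout values, session rates and the `simulate` function are constructed for illustration; legitimate traffic is admitted first each second, which favours the legitimate users.

```python
from collections import deque

def simulate(table_size, timeout, seconds, legit_rate, abuser_rate):
    """Model a shared NAT state table with a fixed session timeout.

    Each simulated second, expired sessions are removed, then legitimate
    users try to open `legit_rate` sessions, then the abusive host tries
    to open `abuser_rate` sessions. Every accepted session holds a table
    slot for `timeout` seconds. Returns (legit_accepted, legit_dropped).
    All parameters are constructed values, not measurements.
    """
    expiries = deque()  # expiry times of live sessions, oldest first
    accepted = dropped = 0
    for now in range(seconds):
        # Session timeout: free every slot whose timer has run out.
        while expiries and expiries[0] <= now:
            expiries.popleft()
        for source, count in (("legit", legit_rate), ("abuser", abuser_rate)):
            for _ in range(count):
                if len(expiries) < table_size:
                    expiries.append(now + timeout)
                    if source == "legit":
                        accepted += 1
                elif source == "legit":
                    dropped += 1
    return accepted, dropped

def report():
    """Run three constructed scenarios over 300 simulated seconds."""
    scenarios = {
        "no abuser, 30s timeout": simulate(1000, 30, 300, 10, 0),
        "abuser, 30s timeout": simulate(1000, 30, 300, 10, 500),
        "abuser, 5s timeout": simulate(1000, 5, 300, 10, 500),
    }
    for name, (ok, lost) in scenarios.items():
        print(f"{name:24s} legit accepted={ok:5d} dropped={lost:5d}")
    return scenarios

if __name__ == "__main__":
    report()
```

In this model the shorter timeout lets more legitimate sessions through, but most are still refused while the abusive host keeps refilling the table as slots expire.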