Cheap LSN/CGN/NAT444 Solution
Simon Perreault
simon at per.reau.lt
Mon Jun 30 12:42:15 UTC 2014
On 2014-06-30 06:12, Roland Dobbins wrote:
>> what is needed however is session timeouts.
> This can help, but it isn't a solution to the botted/abusive machine problem. They'll just keep right on pumping out packets and establishing new sessions, 'crowding out' legitimate users and filling up the state-table, maxing the CPU. Embryonic connection limits and all that stuff aren't enough, either.
Why? Cause that (per-subscriber limits on ports and memory) is exactly
what we recommend in RFC 6888...
Simon
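
An added illustration of the per-subscriber limit discussed in this message (not code from either poster or from RFC 6888): a toy CGN state table comparing a global-only capacity with a per-subscriber session cap. The class and function names, table size, and traffic rates are all constructed assumptions, and the model covers a window shorter than any session timeout, so no entry expires.

```python
from collections import Counter


class CgnStateTable:
    """Toy CGN session table: global capacity plus optional per-subscriber cap."""

    def __init__(self, capacity, per_subscriber_limit=None):
        self.capacity = capacity
        self.per_subscriber_limit = per_subscriber_limit
        self.sessions = Counter()  # subscriber -> active sessions
        self.refused = Counter()   # subscriber -> refused attempts

    def open_session(self, subscriber):
        over_cap = (self.per_subscriber_limit is not None
                    and self.sessions[subscriber] >= self.per_subscriber_limit)
        table_full = sum(self.sessions.values()) >= self.capacity
        if over_cap or table_full:
            self.refused[subscriber] += 1
            return False
        self.sessions[subscriber] += 1
        return True


def simulate(per_subscriber_limit):
    """Constructed workload: one abusive host versus 20 normal subscribers.

    Returns (sessions held by the abusive host, refusals seen by normal hosts).
    """
    table = CgnStateTable(capacity=1000,
                          per_subscriber_limit=per_subscriber_limit)
    normal = [f"sub-{i}" for i in range(20)]
    for _ in range(10):              # ten arrival rounds
        for _ in range(500):         # abusive host: 500 attempts per round
            table.open_session("abuser")
        for sub in normal:           # normal hosts: 3 attempts per round
            for _ in range(3):
                table.open_session(sub)
    refused_normal = sum(table.refused[s] for s in normal)
    return table.sessions["abuser"], refused_normal


if __name__ == "__main__":
    print("global capacity only:", simulate(None))
    print("per-subscriber cap of 100:", simulate(100))
```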
More information about the NANOG mailing list