Cheap LSN/CGN/NAT444 Solution

Simon Perreault simon at per.reau.lt
Mon Jun 30 12:42:15 UTC 2014


Le 2014-06-30 06:12, Roland Dobbins a écrit :
>> what is needed however is session timeouts.
> This can help, but it isn't a solution to the botted/abusive machine problem.  They'll just keep right on pumping out packets and establishing new sessions, 'crowding out' legitimate users and filling up the state-table, maxing the CPU.  Embryonic connection limits and all that stuff aren't enough, either.

Why? Cause that (per-subscriber limits on ports and memory) is exactly 
what we recommend in RFC 6888...

Simon



More information about the NANOG mailing list