Re: Cheap LSN/CGN/NAT444 Solution

[Skeeve Stevens <skeeve+nanog () eintellegonetworks com>]

Roland, what methods are the easiest/cheapest way to deal with this?


...Skeeve

*Skeeve Stevens - *eintellego Networks Pty Ltd
skeeve () eintellegonetworks com ; www.eintellegonetworks.com

Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve

facebook.com/eintellegonetworks ;  <http://twitter.com/networkceoau>
linkedin.com/in/skeeve

experts360: https://expert360.com/profile/d54a9

twitter.com/theispguy ; blog: www.theispguy.com


The Experts Who The Experts Call
Juniper - Cisco - Cloud - Consulting - IPv4 Brokering


On Mon, Jun 30, 2014 at 8:12 PM, Roland Dobbins <rdobbins () arbor net> wrote:

> On Jun 30, 2014, at 4:53 PM, Tony Wicks <tony () wicks co nz> wrote:
>
> > From experience (we ran out of IPv4 a long time ago in the APNIC region)
> this is not needed,
>
> I've seen huge problems from compromised machines completely killing NATs
> from the southbound side.
>
> > what is needed however is session timeouts.
>
> This can help, but it isn't a solution to the botted/abusive machine
> problem.  They'll just keep right on pumping out packets and establishing
> new sessions, 'crowding out' legitimate users and filling up the
> state-table, maxing the CPU.  Embryonic connection limits and all that
> stuff aren't enough, either.
>
> ----------------------------------------------------------------------
> Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>
>
>                    Equo ne credite, Teucri.
>
>                           -- Laocoön