nanog mailing list archives
Re: Cheap LSN/CGN/NAT444 Solution
From: Roland Dobbins <rdobbins () arbor net>
Date: Mon, 30 Jun 2014 17:12:17 +0700
On Jun 30, 2014, at 4:53 PM, Tony Wicks <tony () wicks co nz> wrote:
> From experience (we ran out of IPv4 a long time ago in the APNIC region) this is not needed,

I've seen huge problems from compromised machines completely killing NATs from the southbound side.

> what is needed however is session timeouts.

This can help, but it isn't a solution to the botted/abusive machine problem. They'll just keep right on pumping out packets and establishing new sessions, 'crowding out' legitimate users and filling up the state-table, maxing the CPU. Embryonic connection limits and all that stuff aren't enough, either.

----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

Equo ne credite, Teucri.

-- Laocoön
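
The state-table crowding described in the message above can be reproduced with a toy model; this is an added example, not part of the original post or of any CGN product. The function name `simulate`, the table size, the rates and the "abusive host goes first in each tick" ordering are all assumptions made for the illustration, and CPU load is not modelled.

```python
from collections import deque

def simulate(capacity, timeout, abusive_rate, legit_rate, ticks):
    """Toy NAT state table. Returns (legit_refused, legit_tried)."""
    expiries = deque()          # expiry tick per live entry, oldest first
    refused = tried = 0
    for now in range(ticks):
        # Session timeout: entries whose expiry has arrived free their slot.
        while expiries and expiries[0] <= now:
            expiries.popleft()
        # Assumption: the abusive host's packets arrive first in each tick.
        for _ in range(abusive_rate):
            if len(expiries) < capacity:
                expiries.append(now + timeout)
        # Legitimate subscribers then compete for whatever slots are left.
        for _ in range(legit_rate):
            tried += 1
            if len(expiries) < capacity:
                expiries.append(now + timeout)
            else:
                refused += 1
    return refused, tried

if __name__ == "__main__":
    # Constructed numbers: 1000-entry table, 5 legitimate sessions per tick.
    for timeout, rate in [(300, 50), (30, 50), (10, 50), (10, 500)]:
        refused, tried = simulate(1000, timeout, rate, 5, 600)
        print(f"timeout={timeout:>3} abusive_rate={rate:>3} "
              f"legit refused {refused}/{tried}")
```

In this model a shorter timeout lowers the refusal count only while the abusive host's new-session rate times the timeout stays below the table size; the last case raises the rate and the table is full again for most ticks.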