nanog mailing list archives

Re: Cheap LSN/CGN/NAT444 Solution

From: Simon Perreault <simon () per reau lt>
Date: Mon, 30 Jun 2014 08:42:15 -0400

Le 2014-06-30 06:12, Roland Dobbins a écrit :

what is needed however is session timeouts.

This can help, but it isn't a solution to the botted/abusive machine problem.  They'll just keep right on pumping out packets and 
establishing new sessions, 'crowding out' legitimate users and filling up the state-table, maxing the CPU.  Embryonic connection 
limits and all that stuff aren't enough, either.

Why? Cause that (per-subscriber limits on ports and memory) is exactlywhat we recommend in RFC 6888...


Simon

Current thread:

Cheap LSN/CGN/NAT444 Solution Skeeve Stevens (Jun 29)
- Re: Cheap LSN/CGN/NAT444 Solution Robert Drake (Jun 29)
  - Re: Cheap LSN/CGN/NAT444 Solution Roland Dobbins (Jun 30)
    - RE: Cheap LSN/CGN/NAT444 Solution Tony Wicks (Jun 30)
    - Re: Cheap LSN/CGN/NAT444 Solution Roland Dobbins (Jun 30)
    - Re: Cheap LSN/CGN/NAT444 Solution Simon Perreault (Jun 30)
    - Re: Cheap LSN/CGN/NAT444 Solution Roland Dobbins (Jun 30)
    - Re: Cheap LSN/CGN/NAT444 Solution Simon Perreault (Jun 30)
    - Re: Cheap LSN/CGN/NAT444 Solution Roland Dobbins (Jun 30)
    - Re: Cheap LSN/CGN/NAT444 Solution Stepan Kucherenko (Jun 30)
    - RE: Cheap LSN/CGN/NAT444 Solution Tony Wicks (Jun 30)
- Re: Cheap LSN/CGN/NAT444 Solution Valdis . Kletnieks (Jun 30)
  - Re: Cheap LSN/CGN/NAT444 Solution Mark Andrews (Jun 30)