Roland, what methods are the easiest/cheapest way to deal with this?

...Skeeve

Skeeve Stevens - eintellego Networks Pty Ltd
skeeve@eintellegonetworks.com ; www.eintellegonetworks.com
Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
facebook.com/eintellegonetworks ; <http://twitter.com/networkceoau>
linkedin.com/in/skeeve
experts360: https://expert360.com/profile/d54a9
twitter.com/theispguy ; blog: www.theispguy.com
The Experts Who The Experts Call
Juniper - Cisco - Cloud - Consulting - IPv4 Brokering

On Mon, Jun 30, 2014 at 8:12 PM, Roland Dobbins <rdobbins@arbor.net> wrote:
> On Jun 30, 2014, at 4:53 PM, Tony Wicks <tony@wicks.co.nz> wrote:
>
> > From experience (we ran out of IPv4 a long time ago in the APNIC region) this is not needed,
>
> I've seen huge problems from compromised machines completely killing NATs from the southbound side.
>
> > what is needed however is session timeouts.
>
> This can help, but it isn't a solution to the botted/abusive machine problem. They'll just keep right on pumping out packets and establishing new sessions, 'crowding out' legitimate users and filling up the state-table, maxing the CPU. Embryonic connection limits and all that stuff aren't enough, either.
>
> ----------------------------------------------------------------------
> Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
>
> Equo ne credite, Teucri.
>
> -- Laocoön
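
Added example, not part of the original thread or any poster's code: a small model of a NAT state table that shows why shorter session timeouts reduce, but do not remove, the crowding-out of legitimate users by one host that keeps opening sessions. The table size, rates and hold times are constructed assumptions, and the model ignores CPU load and the cost of short timeouts to long-lived idle sessions.

```python
from collections import defaultdict

def legit_drop_fraction(capacity, idle_timeout, abusive_rate, legit_rate,
                        legit_hold=2, seconds=300):
    """Fraction of legitimate new sessions refused because the table is full.

    Constructed model: abusive sessions are never closed, so each one holds
    a slot until idle_timeout expires; legitimate sessions are closed cleanly
    after legit_hold seconds. Rates are new sessions per one-second tick.
    """
    expiring = defaultdict(lambda: [0, 0])  # tick -> [legit, abusive] slots freed
    used = dropped = offered = 0
    for now in range(seconds):
        freed = expiring.pop(now, (0, 0))
        used -= freed[0] + freed[1]
        free = capacity - used
        demand = legit_rate + abusive_rate
        if demand <= free:
            legit_ok, abusive_ok = legit_rate, abusive_rate
        else:
            # Arrivals interleave, so free slots are shared by offered rate.
            legit_ok = free * legit_rate // demand
            abusive_ok = free - legit_ok
        expiring[now + legit_hold][0] += legit_ok
        expiring[now + idle_timeout][1] += abusive_ok
        used += legit_ok + abusive_ok
        offered += legit_rate
        dropped += legit_rate - legit_ok
    return dropped / offered

if __name__ == "__main__":
    # Constructed scenario: 10,000-entry table, 200 legitimate sessions/s,
    # one compromised host opening 2,000 sessions/s.
    for timeout in (30, 10):
        frac = legit_drop_fraction(10_000, timeout, 2_000, 200)
        print(f"idle timeout {timeout:>2}s: {frac:.0%} of legitimate sessions refused")
    print("no abusive host:", legit_drop_fraction(10_000, 30, 0, 200))
```

Whenever the abusive rate multiplied by the timeout exceeds the table size, the table stays full and legitimate sessions only get a share of the slots that expire each second.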