On Jun 30, 2014, at 4:53 PM, Tony Wicks <tony@wicks.co.nz> wrote:
From experience (we ran out of IPv4 a long time ago in the APNIC region) this is not needed,
I've seen huge problems from compromised machines completely killing NATs from the southbound side.
what is needed however is session timeouts.
This can help, but it isn't a solution to the botted/abusive machine problem. They'll just keep right on pumping out packets and establishing new sessions, 'crowding out' legitimate users and filling up the state-table, maxing the CPU. Embryonic connection limits and all that stuff aren't enough, either. ---------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Equo ne credite, Teucri. -- Laocoön