On Jun 30, 2014, at 4:53 PM, Tony Wicks <t...@wicks.co.nz> wrote:

> From experience (we ran out of IPv4 a long time ago in the APNIC region) this
> is not needed,

I've seen huge problems from compromised machines completely killing NATs from the southbound side.

> what is needed however is session timeouts.

This can help, but it isn't a solution to the botted/abusive machine problem. They'll just keep right on pumping out packets and establishing new sessions, 'crowding out' legitimate users and filling up the state-table, maxing the CPU. Embryonic connection limits and all that stuff aren't enough, either.

----------------------------------------------------------------------
Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>

Equo ne credite, Teucri.

-- Laocoön