Le 2014-06-30 06:12, Roland Dobbins a écrit :
what is needed however is session timeouts.
This can help, but it isn't a solution to the botted/abusive machine problem.
They'll just keep right on pumping out packets and establishing new sessions,
'crowding out' legitimate users and filling up the state-table, maxing the CPU.
Embryonic connection limits and all that stuff aren't enough, either.
Why? Cause that (per-subscriber limits on ports and memory) is exactly
what we recommend in RFC 6888...
Simon
