Roland, what methods are the easiest/cheapest way to deal with this?
...Skeeve

Skeeve Stevens - eintellego Networks Pty Ltd
ske...@eintellegonetworks.com ; www.eintellegonetworks.com
Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
facebook.com/eintellegonetworks ; <http://twitter.com/networkceoau>
linkedin.com/in/skeeve
experts360: https://expert360.com/profile/d54a9
twitter.com/theispguy ; blog: www.theispguy.com

The Experts Who The Experts Call
Juniper - Cisco - Cloud - Consulting - IPv4 Brokering

On Mon, Jun 30, 2014 at 8:12 PM, Roland Dobbins <rdobb...@arbor.net> wrote:

> On Jun 30, 2014, at 4:53 PM, Tony Wicks <t...@wicks.co.nz> wrote:
>
> > From experience (we ran out of IPv4 a long time ago in the APNIC region)
> > this is not needed,
>
> I've seen huge problems from compromised machines completely killing NATs
> from the southbound side.
>
> > what is needed however is session timeouts.
>
> This can help, but it isn't a solution to the botted/abusive machine
> problem. They'll just keep right on pumping out packets and establishing
> new sessions, 'crowding out' legitimate users and filling up the
> state-table, maxing the CPU. Embryonic connection limits and all that
> stuff aren't enough, either.
>
> ----------------------------------------------------------------------
> Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>
>
> Equo ne credite, Teucri.
>
> -- Laocoön