nanog mailing list archives

Re: Cheap LSN/CGN/NAT444 Solution


From: Roland Dobbins <rdobbins () arbor net>
Date: Tue, 1 Jul 2014 13:33:42 +0700


On Jul 1, 2014, at 7:03 AM, Skeeve Stevens <skeeve+nanog () eintellegonetworks com> wrote:

> Roland, what methods are the easiest/cheapest way to deal with this?

Ensure you have visibility into your traffic southbound of the NAT - flow telemetry generally works best for this, and 
there are plenty of open-source solutions around which allow folks to get up and running quickly.

Then deploy either S/RTBH or flowspec on the aggregation routers southbound of the NAT.  This makes it easy to squelch 
compromised/abusive hosts.

It might also be worth considering sticking some Web proxies (transparent ones clustered via WCCPv2, if available) 
southbound of the NAT, as well; while the bandwidth savings may be a wash due to dynamic content, SSL, etc. (all highly 
variable based upon user behavior), TCP sessions for Web requests from hosts southbound of the NAT will terminate on 
the proxies, which provide a good point to perform filtering on an as-needed basis.

----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

                   Equo ne credite, Teucri.

                          -- Laocoön
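An added example, not code from the thread or from the poster, showing the detect-then-squelch loop the reply describes: aggregate flow records exported southbound of the NAT (where the inside source addresses are still visible), flag hosts that fan out to many destinations on one port or flood a single target, and render an S/RTBH announcement or a BGP flowspec rule for each. The flow records, the thresholds, the discard next-hop 192.0.2.1 and the community 65000:666 are constructed assumptions, and the rendered flowspec text only approximates ExaBGP's `flow route` syntax.

```python
"""Flow telemetry southbound of a CGN -> S/RTBH or flowspec filters.

Illustration written for this archive page; nothing here was posted in the
thread.  Sample flows, thresholds, next-hop and community are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str       # inside (pre-translation) source; only visible southbound of the NAT
    dst: str
    proto: int     # 6 = TCP, 17 = UDP
    dport: int
    packets: int
    octets: int


# Constructed sample telemetry as a flow exporter southbound of the NAT would see it.
# 100.64.0.0/10 is the shared address space (RFC 6598) commonly used inside CGN.
SAMPLE_FLOWS = [
    Flow("100.64.1.10", "203.0.113.5", 6, 443, 120, 90000),          # ordinary browsing
    Flow("100.64.1.10", "198.51.100.7", 6, 80, 40, 30000),
    # 100.64.2.22 touches 60 destinations on tcp/25: spambot / scanner pattern
    *[Flow("100.64.2.22", f"192.0.2.{i}", 6, 25, 3, 180) for i in range(1, 61)],
    # 100.64.3.33 pushes a large packet volume at one target: DDoS participant
    Flow("100.64.3.33", "198.51.100.99", 17, 53, 500_000, 600_000_000),
]

PROTO_NAMES = {6: "tcp", 17: "udp"}


def find_abusers(flows, fanout_limit=50, packet_limit=100_000):
    """Return {src: finding} for inside hosts that look compromised or abusive.

    Two deliberately simple heuristics (assumed thresholds, tune to taste):
      * fan-out: one source reaching more than fanout_limit distinct
        destinations on the same protocol/port;
      * flood: one source sending more than packet_limit packets to one target.
    """
    fanout = defaultdict(set)   # (src, proto, dport) -> {dst}
    volume = defaultdict(int)   # (src, dst) -> packets
    for f in flows:
        fanout[(f.src, f.proto, f.dport)].add(f.dst)
        volume[(f.src, f.dst)] += f.packets

    abusers = {}
    for (src, proto, dport), dsts in fanout.items():
        if len(dsts) > fanout_limit:
            abusers[src] = {"kind": "fanout", "proto": proto, "dport": dport,
                            "targets": len(dsts)}
    for (src, dst), pkts in volume.items():
        if pkts > packet_limit and src not in abusers:
            abusers[src] = {"kind": "flood", "dst": dst, "packets": pkts}
    return abusers


def srtbh_route(src, discard_next_hop="192.0.2.1", community="65000:666"):
    """Render an S/RTBH announcement for one inside host.

    S/RTBH announces the *source* /32 with a next-hop that every router resolves
    to a static discard (Null0) route; with loose-mode uRPF on the aggregation
    interfaces, packets *from* that source are then dropped.  The next-hop and
    community are assumed; use the values configured on your routers.
    """
    return f"route {src}/32 next-hop {discard_next_hop} community [{community}]"


def flowspec_rule(src, proto=None, dport=None, action="discard"):
    """Render a BGP flowspec (RFC 5575) rule as (match dict, text).

    Unlike S/RTBH, flowspec can narrow the drop to one protocol/port, so a
    spam-relaying subscriber loses tcp/25 rather than all connectivity.
    The text approximates ExaBGP's 'flow route' syntax (assumption).
    """
    match = {"source": f"{src}/32"}
    if proto is not None:
        match["protocol"] = PROTO_NAMES.get(proto, str(proto))
    if dport is not None:
        match["destination-port"] = f"={dport}"
    body = " ".join(f"{k} {v};" for k, v in match.items())
    return match, f"flow route {{ match {{ {body} }} then {{ {action}; }} }}"


def build_filters(flows):
    """Map inside-side telemetry to one filter per abusive host: flowspec when
    the abuse is port-specific, S/RTBH when it is plain volume."""
    filters = {}
    for src, finding in find_abusers(flows).items():
        if finding["kind"] == "fanout":
            filters[src] = flowspec_rule(src, finding["proto"], finding["dport"])[1]
        else:
            filters[src] = srtbh_route(src)
    return filters


if __name__ == "__main__":
    for host, rule in build_filters(SAMPLE_FLOWS).items():
        print(host, "->", rule)
```

The reason the reply insists on telemetry southbound of the NAT is visible in the `src` field: exported northbound, every one of these records would carry the same shared public address and nothing here could tell the spambot from the browsing subscriber on the next port over. The same goes for the squelch: S/RTBH keyed on the public address would blackhole every subscriber behind that NAT slot, whereas a flowspec match on the inside /32 and port hits only the offending host.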

