I have about 2000 users behind a single NAT. I have been looking at netflow,
URL filter logs, IDS logs, etc. The traffic seems to be legit.
I am going to move more users to IPv6 and divide some of the subnets into
different NATs and see if that alleviates the traffic load.
Thanks for the advice.
-Philip
From: Damian Menscher <[email protected]>
To: Philip Lavine <[email protected]>
Cc: "[email protected]" <[email protected]>
Sent: Friday, February 26, 2016 6:05 PM
Subject: Re: google search threshold
On Fri, Feb 26, 2016 at 3:01 PM, Philip Lavine via NANOG <[email protected]>
wrote:
Does anybody know what the threshold for google searches is before you get the
captcha? I am trying to decide if I need to break up the overload NAT to a pool.
There isn't a threshold -- if you send automated searches from an IP, then it
gets blocked (for a while).
So... this comes down to how much you trust your machines/users. If you're a
company with managed systems, then you can have thousands of users share the
same IP without problems. But if you're an ISP, you'll likely run into
problems much earlier (since users like their malware).
Some tips:
 - if you do NAT: try to partition users into pools so one abusive user can't
   get all your external IPs blocked
 - if you have a proxy: make sure it inserts the X-Forwarded-For header, and is
   restricted to your own users
 - if you're an ISP: IPv6 will allow each user to have their own /64, which
   avoids shared-fate from abusive ones
Damian (responsible for DDoS defense)
-- 
Damian Menscher :: Security Reliability Engineer :: Google :: AS15169
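
The pool-partitioning tip from the quoted reply, as an added example that is not part of the original thread: it compares how many external addresses one host sending automated queries exposes when flows are spread across the whole pool versus when each internal host is pinned to one external address. The pool addresses, client range, hash-based mapping and function names are assumptions made for illustration, not a description of any particular NAT device.

```python
import hashlib
import ipaddress

# Constructed sample data: RFC 5737 documentation addresses as the external pool,
# and 2000 internal hosts numbered upward from 10.0.0.1.
EXTERNAL_POOL = [ipaddress.ip_address(f"203.0.113.{i}") for i in range(1, 9)]
CLIENTS = [ipaddress.ip_address("10.0.0.0") + i for i in range(1, 2001)]

def sticky_external_ip(internal_ip, pool=EXTERNAL_POOL):
    """Partitioned NAT: hash the internal address to one fixed external address."""
    digest = hashlib.sha256(ipaddress.ip_address(internal_ip).packed).digest()
    return pool[int.from_bytes(digest[:8], "big") % len(pool)]

def unpartitioned_external_ips(flow_count, pool=EXTERNAL_POOL):
    """Unpartitioned pool: each new flow takes the next external address in turn."""
    return {pool[i % len(pool)] for i in range(flow_count)}

def blast_radius(abusive_ip, clients=CLIENTS, pool=EXTERNAL_POOL):
    """Internal hosts sharing the abusive host's external address (blocked with it)."""
    blocked = sticky_external_ip(abusive_ip, pool)
    return [c for c in clients if sticky_external_ip(c, pool) == blocked]

if __name__ == "__main__":
    abuser = "10.0.3.77"  # constructed example host
    print("unpartitioned: external IPs exposed by 500 automated flows:",
          len(unpartitioned_external_ips(500)), "of", len(EXTERNAL_POOL))
    print("partitioned:   external IP used by the same host:",
          sticky_external_ip(abuser))
    print("partitioned:   users sharing that IP:",
          len(blast_radius(abuser)), "of", len(CLIENTS))
```

With the mapping pinned, a block on one external address affects only the users hashed to it, and the same lookup identifies which internal hosts to investigate.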