North American Network Operators Group


Re: False information: CEO of Verisign facts are wrong

  • From: Paul Vixie
  • Date: Fri Oct 17 18:10:42 2003

> > http://d.root-servers.org/october21.txt:
> >
> >    2.1. Some root name servers were unreachable from many parts of the
> >    global Internet due to congestion from the attack traffic delivered
> >    upstream/nearby.  While all servers continued to answer all queries they
> >    received (due to successful overprovisioning of host resources), many
> >    valid queries were unable to reach some root name servers due to attack-
> >    related congestion effects, and thus went unanswered.
> >
> > While I'm not trying to act as Sclavos' apologist, I think you have to
> > be careful about how you respond to this particular claim of his.  You
> > can't dismiss it out-of-hand.  Misleading?  Yes.  Flat out false?  You'd
> > have to be more convincing.
> 
> Can Sclavos prove that the same thing did not happen to Verisign's
> root servers?

no.  first, because it's impossible to prove a negative.  second and more so,
because rob thomas and other public root server monitors showed congestion
and loss toward a-root and j-root during that attack, depending on where they
were coming from.  that was true of all 13 server addresses, and the question
is one of impact and degree, not one of 9 vs 13.

but that's not even relevant.  a ddos is as much an attack on its roads as
on its destination.  if there's a DS3 bottleneck somewhere between a querier
and a responder, and if that DS3 has to carry more than ~45Mbits/second of
ddos traffic due to the placement of attacking drones, then that querier is
going to experience congestion and loss toward that responder.  it makes no
difference how much money is spent on the endpoints, there's no way to
upgrade OPN's (other people's networks).  that's why ultradns, and nominum
before that, and several root server operators, are using anycast routing.
(and even with anycast there can still be path congestion/loss, but those
effects will be more isolated than without anycast.)

by casting robustness in terms of investment, sclavos in his interview
blurred three important points.  first, that point-source investment cannot
scale as well as multipoint investment -- i'm sure that more money is spent
on f-root than on j-root, it's just that there are now 15 companies worldwide
doing the paying, and we don't have a way to account for it.  secondly, there
have been many cases where less total investment in a root name server has
led to higher observed robustness -- so investment isn't a direct issue.
finally, sclavos described their investment in their gtld servers and then
acted as if this investment had been solely for the benefit of their a-root
and j-root servers, which is not the case at all.

all in all a most disappointing exposition.
-- 
Paul Vixie
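The bottleneck argument in the post (a DS3 carrying more attack traffic than it can hold drops legitimate queries no matter how large the endpoint is, and anycast confines that loss to the paths where the drones actually sit) can be made concrete with a small capacity model. This is an added example, not code from the post or from any root server operator; the ~45 Mbit/s DS3 figure is from the post, while the region traffic numbers and the proportional-drop assumption are constructed for illustration.

```python
from dataclasses import dataclass

DS3_MBPS = 45.0  # bottleneck link capacity quoted in the post (~45 Mbit/s)


@dataclass
class Region:
    """Constructed traffic figures for one part of the Internet."""
    name: str
    legit_mbps: float   # legitimate DNS queries originating here
    attack_mbps: float  # DDoS traffic from drones placed here


def loss_fraction(offered_mbps: float, capacity_mbps: float) -> float:
    """Fraction dropped on a link whose offered load exceeds capacity.
    Assumption: drops fall proportionally on every flow sharing the link."""
    if offered_mbps <= capacity_mbps:
        return 0.0
    return 1.0 - capacity_mbps / offered_mbps


def unicast_loss(regions, link_mbps=DS3_MBPS, server_mbps=10_000.0):
    """One server site: all regions' traffic crosses the same DS3 before
    reaching the responder, so every querier sees the same loss.
    server_mbps models endpoint capacity; raising it cannot undo link drops."""
    offered = sum(r.legit_mbps + r.attack_mbps for r in regions)
    link_loss = loss_fraction(offered, link_mbps)
    arrives = min(offered, link_mbps)
    server_loss = loss_fraction(arrives, server_mbps)
    total = 1.0 - (1.0 - link_loss) * (1.0 - server_loss)
    return {r.name: total for r in regions}


def anycast_loss(regions, link_mbps=DS3_MBPS):
    """One anycast instance per region, each behind its own DS3: drones only
    congest the path of the region they originate in."""
    return {r.name: loss_fraction(r.legit_mbps + r.attack_mbps, link_mbps)
            for r in regions}


# Constructed scenario: drones concentrated in region A, a few in C, none in B.
REGIONS = [
    Region("A", legit_mbps=5.0, attack_mbps=100.0),
    Region("B", legit_mbps=5.0, attack_mbps=0.0),
    Region("C", legit_mbps=5.0, attack_mbps=30.0),
]

if __name__ == "__main__":
    print("unicast:", unicast_loss(REGIONS))  # ~69% loss for everyone
    print("anycast:", anycast_loss(REGIONS))  # A ~57%, B and C unaffected
```

Spending on the endpoint (server_mbps) leaves the unicast numbers unchanged because the drops already happened upstream, which is the point the post makes about other people's networks.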