North American Network Operators Group

Re: Anycast 101

  • From: bmanning
  • Date: Mon Dec 20 12:36:21 2004

> > With that thought process, an anycast network is only as strong as its most
> > beefed-up node.  As the smaller nodes fail, the one left standing will
> > be what prevents the attack, not anycast.
> i admit that this appears true on the surface... but if you dig into it
> you'll see that even a root name server with 10,000 direct 10GigE
> connections (one for every autonomous system in the internet) would
> still be vulnerable to congestion based attacks, since a congestion
> based attack is against OPN's (other people's networks) where even
> infinite point-source provisioning cannot help you.

	well, that's practically true, but not theoretically true.
	the DNS is running just fine thank you.  ddos attacks against
	OPNs are not an attack on the DNS per se, they're on the clients in
	the OPN.  trying to ensure that every client has reachability
	to a given server set - FROM the SERVER side - is ultimately
	an exercise in futility.  Servers/operators can only take reasonable
	and prudent steps to try and ensure the service is generally available
	-- micro managing DNS availability to a specific server set is the
	way to madness.   Anycast is a way to make the service generally
	available to as many end-systems as want/need the service. So is
	multi-homing.  ...  long term, what is important is the view that
	there is a common namespace, not that there are special servers.

> > Can you explain to me how anycast would prevent this?
> i knew, at the time i wrote the words "ddos resistant" in this thread,
> that at least one person would think i meant "ddos proof".  in wristwatches,
> "water resistant" means you can shower or bathe while wearing the device,
> but only "water proof" means you can scuba dive with it.  anycast makes a
> dns service more ddos resistant.  nothing can make a dns service ddos proof.

	little, in practice, can make a DNS service ddos proof.
	it can be done, but the side effects are worse than the cure.

--bill (ducking back into the background)
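As an added illustration of the two positions in the exchange above (it is not part of bill's post or anything else in this thread), the following is a toy Python model of the server side only: clients and an attacker are routed to the lowest-cost announcing anycast node, each node has a fixed query capacity, and an overloaded node either keeps announcing and degrades locally, or withdraws its route and lets the traffic spill to the next node. The node names, capacities, routing costs and rates are constructed for the example; BGP convergence time and the congestion inside "other people's networks" that the quoted reply points at are deliberately left out of the model.

```python
"""Toy model of an anycast DNS service under a volumetric attack.

Constructed example: nodes, costs and rates are made up, and only the
server side is modelled.  Congestion on the client side (the OPN
problem) is outside this model on purpose.
"""
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    capacity: int            # queries/sec the node can answer
    announcing: bool = True  # whether its anycast prefix is in the routing table


@dataclass
class Source:
    name: str
    rate: int                # queries/sec this source emits
    costs: dict              # node name -> routing cost (e.g. AS-path length)
    malicious: bool = False


def nearest_node(src, nodes):
    """Anycast selection: the lowest-cost node whose prefix is still announced."""
    live = [n for n in nodes if n.announcing]
    return min(live, key=lambda n: src.costs[n.name]) if live else None


def route(sources, nodes):
    """Map every source to its selected node and sum the load per node."""
    assignment, load = {}, {n.name: 0 for n in nodes}
    for s in sources:
        n = nearest_node(s, nodes)
        assignment[s.name] = n.name if n else None
        if n:
            load[n.name] += s.rate
    return assignment, load


def simulate(sources, nodes, withdraw_on_overload):
    """Iterate routing until stable.

    withdraw_on_overload=False: an overloaded node stays announced and
    drops excess locally, so only sources routed to it are degraded.
    withdraw_on_overload=True: an overloaded node withdraws its prefix,
    which cascades the load onto the next-nearest node.
    Returns (assignment, load, status) with status for legitimate sources
    being "ok", "degraded" or "unreachable".
    """
    nodes = [Node(n.name, n.capacity) for n in nodes]  # fresh copies per run
    while True:
        assignment, load = route(sources, nodes)
        overloaded = [n for n in nodes if n.announcing and load[n.name] > n.capacity]
        if not withdraw_on_overload or not overloaded:
            break
        for n in overloaded:
            n.announcing = False
    cap = {n.name: n.capacity for n in nodes}
    status = {}
    for s in sources:
        if s.malicious:
            continue
        n = assignment[s.name]
        if n is None:
            status[s.name] = "unreachable"
        elif load[n] > cap[n]:
            status[s.name] = "degraded"
        else:
            status[s.name] = "ok"
    return assignment, load, status


def build_scenario(attack_rate):
    """Three regions, one small node in each of X and Y, one big node in Z;
    the botnet sits in region X next to the smallest node."""
    nodes = [Node("A", 100), Node("B", 100), Node("C", 1000)]
    sources = [
        Source("clients-X", 10, {"A": 1, "B": 2, "C": 3}),
        Source("clients-Y", 10, {"A": 2, "B": 1, "C": 3}),
        Source("clients-Z", 10, {"A": 3, "B": 2, "C": 1}),
        Source("botnet-X", attack_rate, {"A": 1, "B": 2, "C": 3}, malicious=True),
    ]
    return sources, nodes


if __name__ == "__main__":
    for rate in (500, 1500):
        for withdraw in (False, True):
            srcs, nds = build_scenario(rate)
            _, load, status = simulate(srcs, nds, withdraw_on_overload=withdraw)
            print(f"attack={rate:5d} withdraw={withdraw!s:5} load={load} status={status}")
```

Run as a script it prints the four cases. With a 500 q/s attack and nodes that sink locally, only region X is degraded while Y and Z stay served (anycast as "resistant"); with withdraw-on-overload, A and B drop out in turn and C ends up answering for everyone, which is the "only as strong as the beefiest node" behaviour from the quoted message. Raise the attack to 1500 q/s and the withdrawing design loses every node, whereas the sinking design still serves Y and Z: nothing here is "proof", and the choice of what an overloaded node does is the operational decision that matters.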