North American Network Operators Group


Re: Anycast 101

  • From: Paul Vixie
  • Date: Mon Dec 20 12:58:11 2004

> > ... be vulnerable to congestion based attacks, since a congestion
> > based attack is against OPN's (other people's networks) where even
> > infinite point-source provisioning cannot help you.
> 
> 	well, that's practically true, but not theoretically true.
> 	the DNS is running just fine thank you.  ddos attacks against
> 	OPNs are not an attack on the DNS per se, it's on the clients in
> 	the OPN.  trying to ensure that every client has reachability
> 	to a given server set - FROM the SERVER side - is ultimately
> 	an exercise in futility.

i'm glad you said "every client" rather than "most clients".  in october
2002 there was a ddos against all 13 root server addresses, and several
of them were unicast (that's as in "not anycasted") behind DS3 links, and
these "failed" in that they became unreachable by "most clients".  of
course, as you also point out, it's the reachability of the "server set"
and not any particular server that matters.  "long live diversity!"

> 	Servers/operators can only take
> 	reasonable and prudent steps to try and ensure the service is
> 	generally available -- micro-managing DNS availability to a
> 	specific server set is the way to madness.

i'm really not sure i agree.  about the madness, that is.  i've heard of
plans to do inside-AS anycasting of dns content, such that interested
network operators could ddos-proof their view of a given server or
server-set as long as the ddos did not emanate from within that AS, and
i'm not sure that this is a bad business model given that BCP38 is still
"madness" to many of you reading this.

>	Anycast is a way to make the service generally available to as
>	many end-systems as want/need the service. So is multi-homing.
>	... long term, what is important is the view that there is a
>	common namespace, not that there are special servers.

sorry, that's just too deep for me today.

> 	little, in practice, can make a DNS service ddos proof.
> 	it can be done, but the side effects are worse than the cure.

being "worse" begs the question "worse for whom?", and for many, the
things that can be done to ddos-proof a service are not worse than the
ddos problem.  so i'll consider that you mean "worse for you" and i'll
wait to hear why that's true in your situation.  (it's not true in mine.)