|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Anycast 101
> > Anycast is a way to make the service generally available to as > > many end-systems as want/need the service. So is multi-homing. > > ... long term, what is important is the view that there is a > > common namespace, not that there are special servers. > > sorry, that's just too deep for me today. more eggnog. if the client can ensure that the data asked for came from an authentic source and arrived intact, does it really matter the path or intermediate nodes taken to get the data? > > little, in practice, can make a DNS service ddos proof. > > it can be done, but the side effects are worse than the cure. > > being "worse" begs the question "worse for whom?", and for many, the > things that can be done to ddos-proof a service are not worse than the > ddos problem. so i'll consider that you mean "worse for you" and i'll > wait to hear why that's true in your situation. (it's not true in mine.) ddos proof DNS service can be had in one way - don't run DNS. - moving up from there, air-gaps, running the service on non-networked interfaces, e.g. ::1, augmenting the DNS service with "bodyguard" support services, e.g. ACLs, firewalls, router filters ad.nasusa, use of strong crypto (signed data, transaction signatures) et.al. ... everyone invites attacks by disaffected or bored, the students trying to pass Dr. JBs classes, the vaguely curious, the helpful, the application developers who optimise locally at the expense of others, and the down-right hostile. if you run DNS - they WILL come. ddos resistant is a moving target. the techniques you use are based on the deployment choices you make. they will not n'cssly be the same as i, or anyone else, might use. as usual, YMMV, --bill
|