nanog mailing list archives
Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey
From: Owen DeLong <owen () delong com>
Date: Sun, 25 Sep 2016 18:19:22 -0600
On Sep 24, 2016, at 8:47 AM, John Levine <johnl () iecc com> wrote:

>>> Well...by anycast, I meant BGP anycast, spreading the "target" geographically to a dozen or more well connected/peered origins. At that point, your ~600G DDoS might only be around
>>
>> anycast and tcp? the heck you say! :)
>
> People who've tried it say it works fine. Routes don't flap that often.
It’s not just about route flap. Imagine the following. For any two anycast points A,B, one can draw a simple Venn diagram of two circles with equal radii overlapping to form an OGIVE. Consider that everyone in the nonintersecting portion of circle A will reach server A without issue. Likewise, everyone in the nonintersecting portion of circle B will reach server B without issue. However, for some subset of those within the OGIVE, it’s entirely likely that they will, instead, be broken by ECMP to both A and B.

Here’s where it gets tricky… The people running A and B are unlikely to ever know because of the layers between the end user trapped in the OGIVE and the people running A and B. Most likely, the end users will suffer in silence or go to another website for their needs. If this is a small enough fraction of users, then it won’t be a statistically noticeable drop in overall traffic and A,B may never know.

For those few end-users that may actually attempt to resolve the issue in some meaningful way, most likely they will call their ISP rather than the administrators of A,B, and if their ISP does anything, rather than bug A,B, they will most likely simply make routing more deterministic for this site for this end-user.

This is the nature of anycast and how anycast problems with TCP get solved (or don’t in most cases). It’s safe to ignore the silent minority that cannot really tell what is happening in most cases, but that doesn’t mean it “works” for any standard I would consider valid.

Owen
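A toy simulation of the failure mode Owen describes, added here as an illustration and not taken from the thread: clients outside the overlap have one best path to their nearest instance, clients inside the OGIVE have equal-cost paths to both A and B, and a TCP session only survives if every packet reaches the instance holding its state. The client population, addresses, hash function and the "flap" marker are all constructed assumptions, and the only question the model answers is how much breakage an operator of A or B would see in aggregate.

```python
"""Toy model of anycast + TCP over ECMP. Constructed example, not from the thread."""
import hashlib
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    ip: str
    sport: int
    in_overlap: bool  # True if the client sits inside the OGIVE (equal cost to A and B)


def instance_for_packet(client, seq, mode, flap_at=None):
    """Which anycast instance ('A' or 'B') packet number `seq` of this session reaches."""
    if not client.in_overlap:
        return "A"  # single best path: deterministic regardless of how routers hash
    key = f"{client.ip}:{client.sport}"
    if mode == "per_packet":
        key += f":{seq}"  # per-packet load balancing: every packet is re-hashed
    if flap_at is not None and seq >= flap_at:
        key += ":after-flap"  # topology changed mid-session: the flow may hash onto the other path
    # First byte of SHA-256 stands in for a router's ECMP hash (constructed, not a real router's)
    return "A" if hashlib.sha256(key.encode()).digest()[0] % 2 == 0 else "B"


def session_intact(client, n_packets, mode, flap_at=None):
    """A session survives only if all packets land where the SYN did."""
    first = instance_for_packet(client, 0, mode, flap_at)
    return all(instance_for_packet(client, s, mode, flap_at) == first for s in range(1, n_packets))


def simulate(n_clients, overlap_fraction, mode, n_packets=20, flap_at=None, seed=7):
    """Return (fraction of clients in the overlap, fraction whose session broke)."""
    rng = random.Random(seed)
    clients = [
        Client(f"198.51.100.{rng.randrange(1, 255)}", rng.randrange(1024, 65536),
               rng.random() < overlap_fraction)
        for _ in range(n_clients)
    ]
    overlap = sum(c.in_overlap for c in clients) / n_clients
    broken = sum(not session_intact(c, n_packets, mode, flap_at) for c in clients) / n_clients
    return overlap, broken
```

With per-flow hashing and stable routes nothing breaks, which is John's point; with per-packet balancing or a path change mid-session, sessions break only for clients in the overlap, a fraction small enough to disappear in the aggregate traffic graph, which is Owen's.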