funsec mailing list archives

Re: UltraDNS: Internet Security Shield?


From: David Ulevitch <davidu () everydns net>
Date: Tue, 18 Oct 2005 08:55:51 -0700


On Oct 18, 2005, at 7:49 AM, David Dagon wrote:

The disaster or DDoS would have to overcome the use of anycast'd DNS.
On this, see:

   http://www.isc.org/pubs/tn/isc-tn-2003-1.html

"Denial-of-service (DoS) or other malicious traffic is distributed with client query traffic. This can lead to the effects of an attack on a service being isolated to particular parts of the Internet, rather than causing impact network-wide."

I disagree. It all depends on the implementation.

Let's say someone is using a /24 for anycast DNS (much like the current ARIN PPML Proposal on the table) and they are announcing it from multiple points on the internet without any aggregate covering the space under a larger announcement. If someone can direct enough traffic to one or two of the anycast instances enough to cause massive flapping across that ASN then they will effectively kill the entire anycast cloud.

Vixie and others are much more clued in regards to this than me but it seems like announcing a /24 for anycast DNS without any larger aggregate covering the space from at least one point would be easily taken down... But I could be wrong, my work and research with BGP is just over a year old -- still quite fresh. :-)

-david



And, yes, it needs to be studied (and is):

http://www.caida.org/projects/oarc/200507/slides/oarc0507-Woolf-anycast.pdf

Failure is also something that needs to be defined.  Anycast'd DNS may
stay up during a DDoS, but discrete users may be affected, and parts
of the Internet might not be reachable from other parts.  Is that a
failure or a success story?

Cheers,

--
David Dagon              /"\  "When cryptography
dagon () cc gatech edu   \ /  ASCII RIBBON CAMPAIGN   is outlawed, bayl
Ph.D. Student             X   AGAINST HTML MAIL       bhgynjf jvyy unir
Georgia Inst. of Tech.   / \                          cevinpl."
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
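The two positions in this exchange (Ulevitch's point that a bare /24 suppressed by flap dampening takes the whole anycast cloud down, and Dagon's point that an anycast service can "stay up" while discrete users are degraded) can be made concrete with a small routing model. The following Python is an added illustration written for this archive page; it is not code from either poster. It assumes constructed documentation-space prefixes (192.0.2.0/24 as the anycast service, 192.0.0.0/16 as a covering aggregate announced only from a "home" site) and deliberately simplifies BGP: dampening is modelled as the exact /24 being suppressed in every region at once, and each region's preference among instances is a fixed nearest-first list. What it does show faithfully is the longest-prefix-match fallback that the covering aggregate provides.

```python
import ipaddress

# Constructed addresses (RFC 5737 documentation space), not the thread's real prefixes.
ANYCAST = ipaddress.ip_network("192.0.2.0/24")     # the anycast'd DNS /24
AGGREGATE = ipaddress.ip_network("192.0.0.0/16")   # larger covering announcement
SERVICE_IP = ipaddress.ip_address("192.0.2.53")    # address the resolvers query


class Route:
    """One announcement: a prefix and the instance reached through it."""
    def __init__(self, prefix, next_hop):
        self.prefix = prefix
        self.next_hop = next_hop


class RegionView:
    """Routes visible from one part of the Internet, in local preference order."""
    def __init__(self, name, routes):
        self.name = name
        self.routes = list(routes)

    def lookup(self, dst):
        """Longest-prefix match; ties go to the most preferred (earliest) route."""
        best = None
        for r in self.routes:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best.next_hop if best else None

    def dampen(self, prefix):
        """Simplified flap dampening: suppress every announcement of this exact prefix."""
        self.routes = [r for r in self.routes if r.prefix != prefix]

    def withdraw(self, instance):
        """One instance stops announcing (it is overwhelmed and goes dark)."""
        self.routes = [r for r in self.routes if r.next_hop != instance]


# Nearest-first preference per region: which instance a client there normally hits.
PREFERENCE = {
    "west": ["dns-west", "dns-east", "dns-eu"],
    "east": ["dns-east", "dns-west", "dns-eu"],
    "eu":   ["dns-eu", "dns-east", "dns-west"],
}


def build_views(with_aggregate):
    views = {}
    for region, order in PREFERENCE.items():
        routes = [Route(ANYCAST, inst) for inst in order]
        if with_aggregate:
            # The aggregate is announced from a single home site only (assumption).
            routes.append(Route(AGGREGATE, "dns-home"))
        views[region] = RegionView(region, routes)
    return views


def reachability(views):
    """Which instance, if any, each region's queries land on."""
    return {name: v.lookup(SERVICE_IP) for name, v in views.items()}


def scenario(with_aggregate, dampened=False, withdrawn=()):
    views = build_views(with_aggregate)
    for v in views.values():
        for inst in withdrawn:
            v.withdraw(inst)
        if dampened:
            v.dampen(ANYCAST)
    return reachability(views)


if __name__ == "__main__":
    print("normal:                      ", scenario(False))
    print("one instance dark:           ", scenario(False, withdrawn=["dns-west"]))
    print("/24 dampened, no aggregate:  ", scenario(False, dampened=True))
    print("/24 dampened, with aggregate:", scenario(True, dampened=True))
```

The "one instance dark" case is Dagon's partial-failure picture: the service answers everywhere, but west-coast clients are now served from a farther instance. The two dampened cases are Ulevitch's: with nothing but the /24 announced, suppression leaves every region with no route at all, whereas a covering aggregate catches the traffic at the home site (with a single site now carrying the whole load). Real dampening is applied per prefix per BGP neighbour and depends on each operator's penalty and suppress thresholds, so the model overstates how uniformly a suppressed /24 disappears; it is the fallback behaviour, not the dampening timing, that the example is meant to show.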

