nanog mailing list archives

Re: False information: CEO of Verisign facts are wrong


From: Paul Vixie <vixie () vix com>
Date: 17 Oct 2003 22:05:37 +0000


http://d.root-servers.org/october21.txt:

   2.1. Some root name servers were unreachable from many parts of the
   global Internet due to congestion from the attack traffic delivered
   upstream/nearby.  While all servers continued to answer all queries they
   received (due to successful overprovisioning of host resources), many
   valid queries were unable to reach some root name servers due to attack-
   related congestion effects, and thus went unanswered.

While I'm not trying to act as Sclavos' apologist, I think you have to
be careful about how you respond to this particular claim of his.  You
can't dismiss it out-of-hand.  Misleading?  Yes.  Flat out false?  You'd
have to be more convincing.

Can Sclavos prove that the same thing did not happen to Verisign's
root servers?

no.  first, because it's impossible to prove a negative.  second and moreso,
because rob thomas and other public root server monitors showed congestion
and loss toward a-root and j-root during that attack, depending on where they
were coming from.  that was true of all 13 server addresses, and the question
is one of impact and degree, not one of 9 vs 13.

but that's not even relevant.  a ddos is as much an attack on its roads as
on its destination.  if there's a DS3 bottleneck somewhere between a querier
and a responder, and if that DS3 has to carry more than ~45Mbits/second of
ddos traffic due to the placement of attacking drones, then that querier is
going to experience congestion and loss toward that responder.  it makes no
difference how much money is spent on the endpoints, there's no way to
upgrade OPN's (other people's networks).  that's why ultradns, and nominum
before that, and several root server operators, are using anycast routing.
(and even with anycast there can still be path congestion/loss, but those
effects will be more isolated than without anycast.)

by casting robustness in terms of investment, sclavos in his interview
blurred three important points.  first, that point-source investment cannot
scale as well as multipoint investment -- i'm sure that more money is spent
on f-root than on j-root, it's just that there are now 15 companies worldwide
doing the paying, and we don't have a way to account for it.  secondly, there
have been many cases where less total investment in a root name server has
led to higher observed robustness -- so investment isn't a direct issue.
finally, sclavos described their investment in their gtld servers and then
acted as if this investment had been solely for the benefit of their a-root
and j-root servers, which is not the case at all.

all in all a most disappointing exposition.
-- 
Paul Vixie
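The DS3-bottleneck argument in the post, as an added toy model (constructed for illustration, not code from the post or from any root server operator): legitimate queries and drone traffic share a ~45 Mbit/s link, so the loss a querier sees depends only on the offered load on that path, never on endpoint resources. The `catchment` map generalizes the unicast-versus-anycast comparison to any instance layout; region names and loads are assumptions.

```python
# Constructed toy model, not from the post: a fluid approximation of loss on a
# bottleneck link shared by legitimate queries and DDoS traffic.

DS3_MBPS = 45.0  # DS3 capacity cited in the post (~45 Mbit/s)

# Constructed sample load per region in Mbit/s; names and values are assumptions.
REGIONS = {
    "eu":   {"legit": 1.0, "attack": 0.0},    # no drones placed nearby
    "asia": {"legit": 1.0, "attack": 200.0},  # heavy drone placement
    "us":   {"legit": 1.0, "attack": 60.0},
}


def link_loss(capacity_mbps, offered_mbps):
    """Fraction dropped on a link: nothing below capacity, otherwise the link
    forwards only capacity/offered of what arrives (drops hit legitimate and
    attack packets alike, so the querier sees this same loss rate)."""
    if offered_mbps <= capacity_mbps:
        return 0.0
    return 1.0 - capacity_mbps / offered_mbps


def query_loss(regions, catchment, capacity_mbps=DS3_MBPS):
    """Loss each region's queriers see toward the responder.

    catchment maps region -> serving instance; every region mapped to one
    instance funnels through that instance's single upstream DS3.  Endpoint
    resources never enter the formula, which is the post's point."""
    offered = {}
    for region, load in regions.items():
        inst = catchment[region]
        offered[inst] = offered.get(inst, 0.0) + load["legit"] + load["attack"]
    return {r: link_loss(capacity_mbps, offered[catchment[r]]) for r in regions}


def unicast_catchment(regions):
    """One server: all regions (and all drones) share its ingress link."""
    return {r: "single" for r in regions}


def anycast_catchment(regions):
    """One anycast instance per region: each region carries only its own drones."""
    return {r: r for r in regions}


if __name__ == "__main__":
    for name, catch in (("unicast", unicast_catchment(REGIONS)),
                        ("anycast", anycast_catchment(REGIONS))):
        print(name, {r: f"{v:.0%}" for r, v in query_loss(REGIONS, catch).items()})
```

With the sample loads, unicast gives every region, including the drone-free one, about 83% loss, while per-region anycast leaves "eu" lossless and confines the damage to the regions where drones sit.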
