nanog mailing list archives
Re: False information: CEO of Versign facts are wrong
From: Paul Vixie <vixie () vix com>
Date: 17 Oct 2003 22:05:37 +0000
> http://d.root-servers.org/october21.txt:
>
> 2.1. Some root name servers were unreachable from many parts of the global Internet due to congestion from the attack traffic delivered upstream/nearby. While all servers continued to answer all queries they received (due to successful overprovisioning of host resources), many valid queries were unable to reach some root name servers due to attack-related congestion effects, and thus went unanswered.
>
> While I'm not trying to act as Sclavos' apologist, I think you have to be careful about how you respond to this particular claim of his. You can't dismiss it out-of-hand. Misleading? Yes. Flat out false? You'd have to be more convincing.

> Can Sclavos prove that the same thing did not happen to Verisign's root servers?

no. first, because it's impossible to prove a negative. second and moreso, because rob thomas and other public root server monitors showed congestion and loss toward a-root and j-root during that attack, depending on where they were coming from. that was true of all 13 server addresses, and the question is one of impact and degree, not one of 9 vs 13.

but that's not even relevant. a ddos is as much an attack on its roads as on its destination. if there's a DS3 bottleneck somewhere between a querier and a responder, and if that DS3 has to carry more than ~45Mbits/second of ddos traffic due to the placement of attacking drones, then that querier is going to experience congestion and loss toward that responder. it makes no difference how much money is spent on the endpoints, there's no way to upgrade OPN's (other people's networks). that's why ultradns, and nominum before that, and several root server operators, are using anycast routing. (and even with anycast there can still be path congestion/loss, but those effects will be more isolated than without anycast.)

by casting robustness in terms of investment, sclavos in his interview blurred three important points. first, that point-source investment cannot scale as well as multipoint investment -- i'm sure that more money is spent on f-root than on j-root, it's just that there are now 15 companies worldwide doing the paying, and we don't have a way to account for it. secondly, there have been many cases where less total investment in a root name server has led to higher observed robustness -- so investment isn't a direct issue. finally, sclavos described their investment in their gtld servers and then acted as if this investment had been solely for the benefit of their a-root and j-root servers, which is not the case at all.

all in all a most disappointing exposition.

-- Paul Vixie