nanog mailing list archives

Re: Anycast 101


From: Paul Vixie <paul () vix com>
Date: Mon, 20 Dec 2004 17:57:01 +0000


... be vulnerable to congestion based attacks, since a congestion
based attack is against OPN's (other people's networks) where even
infinite point-source provisioning cannot help you.

      well, that's practically true, but not theoretically true.
      the DNS is running just fine thank you.  ddos attacks against
      OPNs are not an attack on the DNS per se, it's on the clients in
      the OPN.  trying to ensure that every client has reachability
      to a given server set - FROM the SERVER side - is ultimately
      an exercise in futility.

i'm glad you said "every client" rather than "most clients".  in october
2002 there was a ddos against all 13 root server addresses, and several
of them were unicast (that's as in "not anycasted") behind DS3 links, and
these "failed" in that they became unreachable by "most clients".  of
course, as you also point out, it's the reachability of the "server set"
and not any particular server that matters.  "long live diversity!"

      Servers/operators can only take
      reasonable and prudent steps to try and ensure the service is
      generally available -- micro managing DNS availability to a
      specific server set is the way to madness.

i'm really not sure i agree.  about the madness, that is.  i've heard of
plans to do inside-AS anycasting of dns content, such that interested
network operators could ddos-proof their view of a given server or
server-set as long as the ddos did not emanate from within that AS, and
i'm not sure that this is a bad business model given that BCP38 is still
"madness" to many of you reading this.

      Anycast is a way to make the service generally available to as
      many end-systems as want/need the service. So is multi-homing.
      ... long term, what is important is the view that there is a
      common namespace, not that there are special servers.

sorry, that's just too deep for me today.

      little, in practice, can make a DNS service ddos proof.
      it can be done, but the side effects are worse than the cure.

being "worse" begs the question "worse for whom?", and for many, the
things that can be done to ddos-proof a service are not worse than the
ddos problem.  so i'll consider that you mean "worse for you" and i'll
wait to hear why that's true in your situation.  (it's not true in mine.)
