On Mon, Oct 31, 2016 at 12:21 PM, Tony Finch <d...@dotat.at> wrote:
> Jim Popovitch <jim...@gmail.com> wrote:
>>
>> It seems to me that anycast is probably much worse in the Mirai botnet
>> scenario unless each node is pretty much as robust as a traditional
>> unicast node.
>
> This blog post is a pretty good intro to how anycast can help with DDoS
> mitigation, though I think Cloudflare are overstating how unique they are -
> there are other older DNS services that distribute load over large anycast
> clouds of commodity hardware.
>
> https://blog.cloudflare.com/how-cloudflares-architecture-allows-us-to-scale-to-stop-the-largest-attacks/
>

Thanks for linking that Tony. The take-away that I get from that article is that CF can deal with DDoS because of link capacity in each POP, and/or re-route legitimate traffic via BGP. The principal reason they can do this is because their main biz involves packets larger than those traditionally seen with DNS.

The comments in that article mention 10 TB of capacity, how's that compare to any of the capacities of the various DNS providers?

-Jim P.