On Aug 14, 2013, at 6:22 AM, Gavin Brown <[email protected]> wrote:
> I've come across a suggestion that an anycast DNS network should, amongst the 
> members of the network, include one "supernode" that's provisioned with so 
> much bandwidth and computing capacity that it can withstand a DDoS attack of 
> "almost any size".

Best practice is to include a _subset_, generally more than one, that have 
global transit, as opposed to just regional peering, for the purpose you cite.  
We're moving from ten global nodes to twenty, currently.

All nodes should be able to withstand a DDoS originating from the set of 
machines to which they're visible.  Globally-visible nodes must thus be able to 
withstand much larger DDoSes than nodes that are only visible through peering, 
to a limited set of machines.

> An attack could knock out every other node in the network, but the overall 
> service would keep working because this node would remain up, handling all 
> the traffic.

This is not correct.  A DDoS will not knock out all of the local nodes, because 
(a) things don't scale that way, and (b) it won't be able to reach all of the 
local nodes.  If anything, a large DDoS will knock out a too-small pool of 
globally-visible nodes, while many much smaller ones will remain up, serving 
their local constituencies.

> 20Gbps has been suggested as an appropriately fat pipe

We do 40, but yeah, 20 is better than less.

> This approach means that Anycast is only really being used for
> resilience and to improve response times…

Yes…

> ...during normal operations, and that being able to blackhole attack traffic is 
> not a useful feature of Anycast.

…but I'm not sure where you're going with this part.  I think being able to 
drop attack traffic while answering valid queries is a central goal for any DNS 
system.  It's not a "feature of anycast" per se.

> Are there Anycast deployments out there that have supernodes like this?

All the mature ones have multiple supernodes like this.  They're generally 
called "global nodes," since they're distinguished by their global transit 
routing, rather than by being larger, although that's also true for many or 
most of them.

> Now that there are attacks as big as 300Gbps,
> could you ever rely on such a design to guarantee protection from DDoS
> attacks?
Do the math.

                                -Bill Woodcock
                                 Research Director
                                 Packet Clearing House
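The argument above (local nodes only see the attack sources that route to them, while a too-small pool of global-transit nodes absorbs everything else) can be checked with a small catchment model. This is an added example, not code from the thread or from Packet Clearing House. Its routing rule is a deliberate simplification and an assumption: a region that peers with a local node sends all of its traffic there, and regions without one spread evenly across the global-transit pool. Real BGP path selection is messier. All node capacities, region names and attack volumes are constructed.

```python
"""Toy model of an anycast DNS deployment under a volumetric DDoS.

Added example, not code from the original thread. Every number below
(node capacities, regions, attack volumes) is a constructed assumption
chosen to make the catchment argument visible.
"""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Node:
    name: str
    capacity_gbps: float
    catchment: frozenset   # source regions whose BGP best path lands here
    is_global: bool        # True = global transit, reachable from every region


def build_deployment(num_global, global_cap_gbps=40.0,
                     local_regions=("r0", "r1", "r2"), local_cap_gbps=10.0):
    """Construct a deployment: a pool of global-transit nodes plus small
    peering-only local nodes, one per region in local_regions."""
    nodes = [Node(f"global-{i}", global_cap_gbps, frozenset(), True)
             for i in range(num_global)]
    nodes += [Node(f"local-{r}", local_cap_gbps, frozenset({r}), False)
              for r in local_regions]
    return nodes


def route_attack(nodes, attack_by_region):
    """Spread attack traffic (Gbps per source region) over the anycast nodes.

    Assumption (not real BGP): a region that peers with a local node sends all
    its traffic there, so a local node only ever sees its own region. Regions
    without a local node reach the global-transit nodes, split evenly.
    Returns {node_name: ingress_gbps}.
    """
    load = {n.name: 0.0 for n in nodes}
    global_nodes = [n for n in nodes if n.is_global]
    for region, gbps in attack_by_region.items():
        local = [n for n in nodes if not n.is_global and region in n.catchment]
        targets = local or global_nodes
        if not targets:
            continue   # nobody announces the prefix toward this region
        for n in targets:
            load[n.name] += gbps / len(targets)
    return load


def surviving_nodes(nodes, load):
    """Names of nodes whose ingress stays within capacity."""
    return sorted(n.name for n in nodes if load[n.name] <= n.capacity_gbps)


def min_global_nodes(attack_gbps, per_node_cap_gbps):
    """The 'do the math' figure: global nodes needed if the whole attack
    lands on the global pool and splits evenly across it."""
    return ceil(attack_gbps / per_node_cap_gbps)


# Constructed 300 Gbps attack: botnet concentrated in three regions, only one
# of which ("r0") has a local node.
ATTACK = {"r0": 80.0, "r3": 100.0, "r5": 120.0}


def scenario(num_global):
    """Survivors for a deployment with num_global global-transit nodes."""
    nodes = build_deployment(num_global)
    return surviving_nodes(nodes, route_attack(nodes, ATTACK))


if __name__ == "__main__":
    for k in (1, 2, 10, 20):
        print(f"{k:2d} global node(s) -> survivors: {scenario(k)}")
    print("global nodes needed for 300 Gbps at 40 Gbps each:",
          min_global_nodes(300, 40))
```

With one or two 40 Gbps global nodes the 220 Gbps that cannot be absorbed locally takes the whole global pool down, yet the local nodes in r1 and r2 never see a packet of it and keep answering their own constituencies; local-r0, which does sit in an attacking region, is overrun. Growing the global pool to ten or twenty nodes brings the per-node share under capacity, which is the point of adding global nodes rather than one supernode.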
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations