Dear colleagues, I've come across a suggestion that an anycast DNS network should, amongst the members of the network, include one "supernode" that's provisioned with so much bandwidth and computing capacity that it can withstand a DDoS attack of "almost any size". An attack could knock out every other node in the network, but the overall service would keep working because this node would remain up, handling all the traffic.
20Gbps has been suggested as an appropriately fat pipe, and presumably there would have to be a couple of racks filled with routers, switches, load balancers and DNS servers at the end of it to answer the queries. This approach means that Anycast is only really being used for resilience and to improve response times during normal operations, and that being able to blackhole attack traffic is not a useful feature of Anycast.

Are there Anycast deployments out there that have supernodes like this? I'm not aware of any. Now that there are attacks as big as 300Gbps, could you ever rely on such a design to guarantee protection from DDoS attacks?

Thanks,

_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
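A toy model of the failure cascade the question describes, added here as an illustration and not part of the original post. It compares the "withdraw and fold into the supernode" behaviour with the alternative of letting a saturated site sink its own catchment; the site capacities, catchment weights and attack sizes are constructed values, not measurements of any real deployment.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    capacity_gbps: float  # ingress the site can absorb before its pipe saturates
    catchment: float      # share of the world's clients BGP routes to this site


# Constructed example network: one "supernode" on a 20 Gbps pipe plus five
# ordinary 10 Gbps sites. Catchment weights sum to 1.0.
NETWORK = [Site("supernode", 20.0, 0.25)] + [
    Site(f"site{i}", 10.0, 0.15) for i in range(1, 6)
]


def simulate(sites, attack_gbps, legit_gbps, strategy="withdraw"):
    """Return (names of sites still up, fraction of legitimate queries served).

    strategy="withdraw": a saturated site stops announcing the prefix, so its
    catchment (attack and legit traffic alike) folds into the survivors. This is
    the cascade a supernode design has to absorb at the end.
    strategy="sink": a saturated site keeps announcing and is simply drowned;
    its own clients lose service, but nothing spills onto the other sites.
    """
    total_gbps = attack_gbps + legit_gbps
    alive = {s.name: s for s in sites}
    if strategy == "sink":
        alive = {n: s for n, s in alive.items()
                 if s.catchment * total_gbps <= s.capacity_gbps}
        return sorted(alive), sum(s.catchment for s in alive.values())
    if strategy != "withdraw":
        raise ValueError(f"unknown strategy {strategy!r}")
    while alive:
        weight = sum(s.catchment for s in alive.values())
        overloaded = [n for n, s in alive.items()
                      if s.catchment / weight * total_gbps > s.capacity_gbps]
        if not overloaded:
            return sorted(alive), 1.0   # survivors carry the whole world
        for n in overloaded:            # every site over capacity withdraws
            del alive[n]
    return [], 0.0                      # last site fell: total outage


if __name__ == "__main__":
    for attack in (40, 70, 300):
        for strategy in ("withdraw", "sink"):
            up, served = simulate(NETWORK, attack, 2, strategy)
            print(f"{attack:>4} Gbps {strategy:<8} up={up} served={served:.0%}")
```

With a 70 Gbps attack the withdraw strategy ends with the 20 Gbps supernode alone facing all 72 Gbps and the service goes dark, whereas sinking the saturated sites keeps the supernode's own quarter of the world answered; at 300 Gbps neither strategy survives in this model.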
