Gavin Brown wrote:
> Dear colleagues,
>
> I've come across a suggestion that an anycast DNS network should,
> amongst the members of the network, include one "supernode" that's
> provisioned with so much bandwidth and computing capacity that it can
> withstand a DDoS attack of "almost any size". An attack could knock out
> every other node in the network, but the overall service would keep
> working because this node would remain up, handling all the traffic.

that's crazy.

> 20Gbps has been suggested as an appropriately fat pipe, and presumably
> there would have to be a couple of racks filled with routers, switches,
> load balancers and DNS servers at the end of it to answer the queries.
>
> This approach means that Anycast is only really being used for
> resilience and to improve response times during normal operations, and
> that being able to blackhole attack traffic is not a useful feature of Anycast.
>
> Are there Anycast deployments out there that have supernodes like this?
> I'm not aware of any. Now that there are attacks as big as 300Gbps,
> could you ever rely on such a design to guarantee protection from DDoS
> attacks?

just as a law stating that pi=3.0 does not change the shape of a circle, so it is that declaring something a supernode does not make it so. there is no such thing as ddos-proof.

anycast's principal contribution is failure isolation, not resiliency. anycast partitions the attack surface and makes ddosers do additional work to partition their attacks.

vixie

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
