[dns-operations] Anycast supernodes

Gavin Brown gavin.brown at centralnic.com
Wed Aug 14 13:22:25 UTC 2013

Dear colleagues,

I've come across a suggestion that an anycast DNS network should,
amongst the members of the network, include one "supernode" that's
provisioned with so much bandwidth and computing capacity that it can
withstand a DDoS attack of "almost any size". An attack could knock out
every other node in the network, but the overall service would keep
working because this node would remain up, handling all the traffic.

20Gbps has been suggested as an appropriately fat pipe, and presumably
there would have to be a couple of racks filled with routers, switches,
load balancers and DNS servers at the end of it to answer the queries.

This approach means that Anycast is only really being used for
resilience and to improve response times during normal operations, and
that being able to blackhole attack traffic is not a useful feature of Anycast.

Are there Anycast deployments out there that have supernodes like this?
I'm not aware of any. Now that there are attacks as big as 300Gbps,
could you ever rely on such a design to guarantee protection from DDoS?