[dns-operations] Anycast supernodes

Paul Vixie paul at redbarn.org
Wed Aug 14 13:37:36 UTC 2013

Gavin Brown wrote:
> Dear colleagues,
> I've come across a suggestion that an anycast DNS network should,
> amongst the members of the network, include one "supernode" that's
> provisioned with so much bandwidth and computing capacity that it can
> withstand a DDoS attack of "almost any size". An attack could knock out
> every other node in the network, but the overall service would keep
> working because this node would remain up, handling all the traffic.

that's crazy.

> 20Gbps has been suggested as an appropriately fat pipe, and presumably
> there would have to be couple of racks filled with routers, switches,
> load balancers and DNS servers at the end of it to answer the queries.
> This approach means that Anycast is only really being used for
> resilience and to improve response times during normal operations, and
> that being able to blackhole attack traffic is not a useful feature of Anycast.
> Are there Anycast deployments out there that have supernodes like this?
> I'm not aware of any. Now that there are attacks as big as 300Gbps,
> could you ever rely on such a design to guarantee protection from DDoS
> attacks?

just as a law stating that pi=3.0 does not change the shape of a circle,
so it is that declaring something a supernode does not make it so. there
is no such thing as ddos-proof.

anycast's principal contribution is failure isolation, not resiliency.
anycast partitions the attack surface and makes ddosers do additional
work to partition their attacks.


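As an added illustration of the failure-isolation point made above (this is not code from the post, from the list, or from any real deployment): a toy model in which each anycast node has a fixed capacity and a catchment of source regions whose BGP best path lands on it. The node names, capacities, catchments and Gbps figures are all constructed; the "supernode" is the single unicast node Gavin describes. The model shows that a concentrated flood only sinks the node whose catchment it comes from, that a single supernode shares one fate for every region, and that to black out the whole anycast service the attacker must source traffic inside every catchment.

```python
"""Toy model of why anycast isolates failures rather than preventing them.

Added illustration, not code from the list post. Capacities, catchments
and traffic figures are constructed and in arbitrary Gbps.
"""

# Constructed anycast deployment: every node announces the same prefix; the
# "catchment" is the set of source regions whose BGP best path lands on it.
NODES = {
    "ams": {"capacity": 20, "catchment": {"eu-west", "eu-north"}},
    "fra": {"capacity": 20, "catchment": {"eu-central", "eu-east"}},
    "iad": {"capacity": 20, "catchment": {"us-east", "sa-east"}},
    "sjc": {"capacity": 20, "catchment": {"us-west"}},
    "sin": {"capacity": 20, "catchment": {"ap-south", "ap-east"}},
}

# Constructed legitimate query load per source region.
LEGIT = {
    "eu-west": 2, "eu-north": 1, "eu-central": 2, "eu-east": 1,
    "us-east": 3, "sa-east": 1, "us-west": 2, "ap-south": 1, "ap-east": 2,
}


def node_for(region, nodes=NODES):
    """Which anycast instance a source region's traffic reaches."""
    for name, node in nodes.items():
        if region in node["catchment"]:
            return name
    raise KeyError(f"no anycast node serves {region}")


def evaluate_anycast(attack, nodes=NODES, legit=LEGIT):
    """Per-node up/down status and the set of regions still being answered.

    A node is down once legitimate plus attack traffic exceeds its capacity;
    its catchment then loses service, but every other catchment is unaffected,
    because BGP never steers that attack traffic anywhere else.
    """
    load = {name: 0.0 for name in nodes}
    for region, gbps in list(legit.items()) + list(attack.items()):
        load[node_for(region, nodes)] += gbps
    up = {name: load[name] <= nodes[name]["capacity"] for name in nodes}
    served = {region for region in legit if up[node_for(region, nodes)]}
    return up, served


def evaluate_supernode(capacity, attack, legit=LEGIT):
    """A single unicast 'supernode': every region shares one fate."""
    total = sum(legit.values()) + sum(attack.values())
    return total <= capacity


def blackout_thresholds(nodes=NODES, legit=LEGIT):
    """Attack volume that must arrive inside each catchment to sink every node.

    This is the extra work anycast imposes: the attacker needs sources in every
    catchment, since volume from one region only ever reaches one node.
    """
    legit_per_node = {name: 0.0 for name in nodes}
    for region, gbps in legit.items():
        legit_per_node[node_for(region, nodes)] += gbps
    return {name: nodes[name]["capacity"] - legit_per_node[name] for name in nodes}


def partitioned_attack(nodes=NODES, legit=LEGIT):
    """Construct the smallest per-catchment attack that blacks out the whole service."""
    thresholds = blackout_thresholds(nodes, legit)
    # min() just picks a deterministic region inside each catchment.
    return {min(nodes[name]["catchment"]): thresholds[name] + 1 for name in nodes}


if __name__ == "__main__":
    concentrated = {"us-east": 300}  # 300 Gbps sourced from a single region
    up, served = evaluate_anycast(concentrated)
    print("anycast, concentrated attack:", up, "served:", sorted(served))
    print("100 Gbps supernode, same attack:", evaluate_supernode(100, concentrated))
    spread = partitioned_attack()
    print("partitioned attack needed:", spread, "total:", sum(spread.values()))
    print("anycast under partitioned attack:", evaluate_anycast(spread))
```

In this model the concentrated 300 Gbps flood takes down only iad and leaves seven of the nine regions answered, while a 100 Gbps supernode fails for everyone. The partitioned attack that blacks out all five nodes needs only about 90 Gbps in total, so anycast does not raise the volume an attacker needs; it raises the distribution the attacker needs, which is exactly the "additional work" in the post, and is also why it is isolation rather than DDoS-proofing.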