[dns-operations] Anycast supernodes

Bill Woodcock woody at pch.net
Wed Aug 14 13:51:26 UTC 2013

On Aug 14, 2013, at 6:22 AM, Gavin Brown <gavin.brown at centralnic.com> wrote:
> I've come across a suggestion that an anycast DNS network should, amongst the members of the network, include one "supernode" that's provisioned with so much bandwidth and computing capacity that it can withstand a DDoS attack of "almost any size".

Best practice is to include a _subset_, generally more than one, that have global transit, as opposed to just regional peering, for the purpose you cite.  We're moving from ten global nodes to twenty, currently.

All nodes should be able to withstand a DDoS originating from the set of machines to which it's visible.  Globally-visible nodes must thus be able to withstand much larger DDoSes than nodes that are only visible through peering, to a limited set of machines.

> An attack could knock out every other node in the network, but the overall service would keep working because this node would remain up, handling all the traffic.

This is not correct.  A DDoS will not knock out all of the local nodes, because (a) things don't scale that way, and (b) it won't be able to reach all of the local nodes.  If anything, a large DDoS will knock out a too-small pool of globally-visible nodes, while many much smaller ones will remain up, serving their local constituencies.

> 20Gbps has been suggested as an appropriately fat pipe

We do 40, but yeah, 20 is better than less.

> This approach means that Anycast is only really being used for
> resilience and to improve response times…


> ...during normal operations, and that being able blackhole attack traffic is not a useful feature of Anycast.

…but I'm not sure where you're going with this part.  I think being able to drop attack traffic while answering valid queries is a central goal for any DNS system.  It's not a "feature of anycast" per se.

> Are there Anycast deployments out there that have supernodes like this?

All the mature ones have multiple supernodes like this.  They're generally called "global nodes," since they're distinguished by their global transit routing, rather than by being larger, although that's also true for many or most of them.

> Now that there are attacks as big as 300Gbps,
> could you ever rely on such a design to guarantee protection from DDoS
> attacks?

Do the math.

                                -Bill Woodcock
                                 Research Director
                                 Packet Clearing House

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20130814/a44535f0/attachment.sig>

More information about the dns-operations mailing list