[dns-operations] Storm on the DNS

Dave Warren davew at hireahit.com
Tue Dec 1 03:33:37 UTC 2015


On 2015-11-30 19:07, Song Linjian (Davey) wrote:
> One question. In the monitoring page the red block means unanswered 
> packets ratio >70%, right? I'm wondering whether the root server instance in 
> that red region is up or down. If it is still up, the queries cannot 
> be routed to other servers where the probes show green. In that 
> case the merit of anycast does not work.

To me, anycast does two things in terms of limiting the impact of an 
outage: in the case of a service outage it redirects traffic, but also, 
it limits the scope of an attack to a single node or region (or at 
least, dramatically raises the bar for a DDoS to cause an outage in 
multiple regions).

However, if an attack is of sufficient size that it takes down a single 
node, moving all of the traffic to another node will probably just take 
that node down too, leaving everyone in a worse position.

In the case of root servers, where users will probably just notice a 
slowdown as resolvers learn that a particular root server is unhealthy, 
it's probably better to just leave one (or even a small number) of root 
servers answering only a small percentage of traffic in one region so 
that other regions are unaffected.

It also makes me wonder how many large ISPs run their own root servers 
(or otherwise have the root zone available to their resolvers), in which 
case said providers would be immune to root server attacks -- assuming 
the point was an attack on the root servers themselves, and not a 
reflection attack against another target.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
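The trade-off Dave describes above (withdrawing an overwhelmed anycast node can push the whole attack onto the next node and cascade, while leaving it up and degraded confines the damage to its own catchment) can be made concrete with a small capacity model. The following is an added example, not code from the list post or from any root operator; the node capacities, regional loads, attack volume and catchment preferences are all constructed figures chosen to make the cascade visible.

```python
"""Toy capacity model of an anycast DNS service under a regional DDoS.

Constructed example: three anycast nodes, three source regions, one region
under attack.  Two operator strategies are compared:

  * withdraw_overloaded=True  -- an overloaded node is withdrawn from the
    anycast cloud, so its catchment (attack traffic included) re-routes to
    the next-nearest node; repeat until nothing is overloaded.
  * withdraw_overloaded=False -- the overloaded node stays announced and
    simply drops the queries it cannot handle.

All numbers below are invented for illustration.
"""

# Node capacity in queries per second (constructed values).
NODES = {"A-eu": 100_000, "B-us": 100_000, "C-asia": 100_000}

# Region -> (legitimate qps, attack qps).  Only "eu" is being attacked.
REGIONS = {
    "eu":   (30_000, 250_000),
    "us":   (30_000, 0),
    "asia": (30_000, 0),
}

# Anycast catchment: each region reaches the first *announced* node in its
# preference list (a stand-in for BGP picking the nearest node).
PREFERENCE = {
    "eu":   ["A-eu", "B-us", "C-asia"],
    "us":   ["B-us", "A-eu", "C-asia"],
    "asia": ["C-asia", "B-us", "A-eu"],
}


def route(regions, preference, announced):
    """Map each region to the first announced node it prefers.

    Returns (load per node in qps, region -> node or None if none is left).
    """
    load = {n: 0 for n in announced}
    served_by = {}
    for region, (legit, attack) in regions.items():
        served_by[region] = None
        for node in preference[region]:
            if node in announced:
                load[node] += legit + attack
                served_by[region] = node
                break
    return load, served_by


def simulate(regions, nodes, preference, withdraw_overloaded):
    """Return region -> fraction of its *legitimate* queries that get answered.

    With withdraw_overloaded=True the loop re-routes after every withdrawal;
    it terminates because each pass removes at least one node.
    """
    announced = set(nodes)
    while True:
        load, served_by = route(regions, preference, announced)
        overloaded = [n for n in announced if load[n] > nodes[n]]
        if withdraw_overloaded and overloaded:
            announced -= set(overloaded)   # the cascade step
            continue
        break

    answered = {}
    for region in regions:
        node = served_by[region]
        if node is None:
            answered[region] = 0.0          # no node left to answer
        else:
            # A node at or under capacity answers everything; over capacity it
            # answers a proportional share of each client's queries.
            answered[region] = min(1.0, nodes[node] / load[node])
    return answered


def compare():
    """Run both strategies on the constructed scenario."""
    return {
        "keep_degraded_node": simulate(REGIONS, NODES, PREFERENCE, False),
        "withdraw_overloaded": simulate(REGIONS, NODES, PREFERENCE, True),
    }


if __name__ == "__main__":
    for strategy, result in compare().items():
        print(strategy)
        for region, frac in result.items():
            print(f"  {region:5s} answered {frac:.0%} of legitimate queries")
```

In the constructed scenario the attacked node, left announced, still answers about a third of its own region's legitimate queries while the other two regions are untouched; withdrawing it hands 280k qps to a 100k qps neighbour, which then also fails, and so on until no node is left. The model ignores the resolver-side behaviour Dave mentions (resolvers shifting to other root letters as one becomes slow), which in practice softens the single-region degradation further.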
