The DDOS attack on DYN & RRL ?
barmar at alum.mit.edu
Mon Oct 31 16:09:51 UTC 2016
In article <mailman.542.1477928257.74444.bind-users at lists.isc.org>,
Jim Popovitch <jimpop at gmail.com> wrote:
> On Mon, Oct 31, 2016 at 11:27 AM, Matthew Seaman
> <m.seaman at infracaninophile.co.uk> wrote:
> > On 2016/10/31 14:53, Jim Popovitch wrote:
> >> On Mon, Oct 31, 2016 at 10:25 AM, Matthew Seaman
> >> <m.seaman at infracaninophile.co.uk> wrote:
> >>> This despite the fact that Dyn has a global anycast network with
> >>> plenty of bandwidth, points of presence all round the world and
> >>> each POP contains a bunch of top-of-the-line servers.
> >> It seems to me that anycast is probably much worse in the Mirai botnet
> >> scenario unless each node is pretty much as robust as a traditional
> >> unicast node.
> > I couldn't really say whether unicast is more or less resistant to this
> > sort of attack -- I'd guess either way it would be down to the capacity
> > at each individual node.
> > It was Dyn's USA POPs that bore the brunt of the attack, presumably
> > because most of the Mirai bots were located in the USA. Even so, it
> > still caused us plenty of grief in Europe. Apparently the effects were
> > fairly minimal in the Far East.
> That makes one wonder if the EU Anycast nodes are reliant on the USA
> node(s). I have no insights (and even less DNS knowledge) but it
> makes one wonder if there's a fundamental design flaw in anycast DNS
> that relies on one or more nodes... is anycast DNS really just
> distributed cache DNS?
"Anycast" just means that a single public IP address is routed to
different POPs depending on where the source is. So if you query 22.214.171.124
or 126.96.36.199 from the US, you'll go to a US nameserver; if you query them
from Europe, you'll go to a European server.
While 188.8.131.52 and 184.108.40.206 are caching DNS, the same can be done with
authoritative DNS, and that's what was attacked in the Dyn case (I'm not
even sure if Dyn offers caching DNS).
I heard that the impact of the attack was even narrower than just the
US, it was mostly eastern US. That suggests some things about the
granularity of Dyn's anycast network and the distribution of the Mirai
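The practical check behind this whole thread is "which anycast instance did my query actually land on?" BIND and most other authoritative servers answer a CHAOS-class TXT query for "id.server." (RFC 4892, the older name is "hostname.bind.") with the identity of the node that served it, so querying the same anycast address from several vantage points shows the POP granularity being discussed. The following is an added example, not code from the bind-users thread or from ISC: it builds that query in raw DNS wire format and parses the reply without any third-party library. The reply bytes and the POP name "pop-iad1" are constructed inline so the script runs offline; the optional `ask_server` helper sends the same packet over UDP to a real address.

```python
"""Build a CH TXT id.server query and parse the answer (added example)."""
import socket
import struct

CLASS_CH = 3
TYPE_TXT = 16


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, e.g. id.server. -> \\x02id\\x06server\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_id_server_query(txid: int = 0x1234, name: str = "id.server.") -> bytes:
    # Header: id, flags 0 (no RD: an authoritative server need not recurse),
    # QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0, then the single question.
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_CH)


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_txt_answer(msg: bytes, expected_id: int):
    """Return the TXT strings from a CH TXT reply, or None if the server refused."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0xF != 0:  # e.g. REFUSED when server-id is disabled
        return None
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    texts = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            i = 0
            while i < len(rdata):  # TXT rdata is a sequence of <len><chars>
                n = rdata[i]
                texts.append(rdata[i + 1:i + 1 + n].decode("ascii"))
                i += 1 + n
    return texts


def constructed_reply(txid: int, rcode: int = 0) -> bytes:
    """Constructed sample reply (not captured traffic): QR|AA set, one TXT answer."""
    question = encode_name("id.server.") + struct.pack("!HH", TYPE_TXT, CLASS_CH)
    txt = b"pop-iad1"  # hypothetical POP identifier
    rdata = bytes([len(txt)]) + txt
    header = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return header + question + answer


def ask_server(server_ip: str, timeout: float = 2.0):
    """Send the query to a real server over UDP/53 and return the parsed TXT list."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_id_server_query(txid), (server_ip, 53))
        reply, _ = s.recvfrom(512)
    return parse_txt_answer(reply, txid)


if __name__ == "__main__":
    print(parse_txt_answer(constructed_reply(0x1234), 0x1234))
```

Run the same query against one anycast address from vantage points on different continents (or a looking-glass / RIPE Atlas probe) and compare the returned identifiers; if two regions report the same node, that region's traffic is being carried by one POP, which is exactly the kind of concentration the thread is asking about. A None result means the operator has disabled server-id, which is common on public-facing resolvers.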