The DDOS attack on DYN & RRL ?

Jim Popovitch jimpop at gmail.com
Mon Oct 31 21:39:34 UTC 2016


On Mon, Oct 31, 2016 at 12:21 PM, Tony Finch <dot at dotat.at> wrote:
> Jim Popovitch <jimpop at gmail.com> wrote:
>>
>> It seems to me that anycast is probably much worse in the Mirai botnet
>> scenario unless each node is pretty much as robust as a traditional
>> unicast node.
>
> This blog post is a pretty good intro to how anycast can help with DDoS
> mitigation, though I think Cloudflare are overstating how unique they are -
> there are other older DNS services that distribute load over large anycast
> clouds of commodity hardware.
>
> https://blog.cloudflare.com/how-cloudflares-architecture-allows-us-to-scale-to-stop-the-largest-attacks/
>

Thanks for linking that, Tony.   The take-away that I get from that
article is that CF can deal with DDoS because of link capacity in each
POP, and/or re-route legitimate traffic via BGP.   The principal
reason they can do this is because their main biz involves packets
larger than those traditionally seen with DNS.  The comments in that
article mention 10 TB of capacity; how does that compare to any of the
capacities of the various DNS providers?

-Jim P.


More information about the bind-users mailing list