

To: Bill Woodcock <woody@pch.net>
CC: Bill Manning <bmanning@ISI.EDU>, dnsop@cafax.se
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Date: Wed, 30 Oct 2002 09:12:59 +0859 ()
In-Reply-To: <Pine.GSO.4.44.0210291139590.22429-100000@paixhost.pch.net> from Bill Woodcock at "Oct 29, 2002 11:42:19 am"
Sender: owner-dnsop@cafax.se
Subject: Re: DoS and anycast

Bill;

>     > anycast will not prevent DoS attacks.
> 
> Correct.  It will merely sink attacks at the nearest instance.

It is effective protection (perhaps, the only effective protection)
against DDoS.

Once it is recognized by attackers that DoS attacks are prevented,
there will be no further DoS.

> This is
> not particularly useful until there are a _lot_ of instances.

Note that my scheme allows for millions of instances.

> For
> instance, if every major carrier ran instances near their customer edges,
> then all attacks would be sunk before they left any of those carriers, or
> before they even affected those carriers' internal backbones.  That would
> be ideal, since it would localize the pain in the same locality as the
> fault.

First, running anycast root servers is still a protection from
inter-carrier DDoS.

Second, note that not only carriers but also customers can run their
own root servers.

Then, customers are protected from DoS attack on carriers' root servers.

Carriers are protected from DoS attack on customers' root servers.

> However, we're presumably quite a long ways away from being there.

We are already here.

							Masataka Ohta
