[49550] in North American Network Operators' Group


Re: Internet vulnerabilities

daemon@ATHENA.MIT.EDU (Paul Vixie)
Thu Jul 4 14:50:53 2002

To: nanog@merit.edu
From: Paul Vixie <vixie@vix.com>
Date: 04 Jul 2002 11:48:47 -0700
In-Reply-To: <5.1.0.14.0.20020704140443.03391470@marble.sentex.ca>
Errors-To: owner-nanog-outgoing@merit.edu


mike@sentex.net (Mike Tancsa) writes:

> ...  Still, I think the softest targets are the root name servers.  I was
> glad to hear at the Toronto NANOG meeting that this was being looked into
> from a routing perspective.  Not sure what is being done from a DoS
> perspective.

Now that we've seen enough years of experience from Genuity.orig, UltraDNS,
Nominum, AS112, and {F,K}.root-servers.net, we're seriously talking about using
anycast for the root server system.  This is because a DDoS isn't just against
the servers, but against the networks leading to them.  Even if we provision
for a trillion packets per second per root server, there is no way to get
the whole Internet, which is full of Other People's Networks, provisioned at
that level.  Wide area anycast, dangerous though it can be, works around that.

See www.as112.net for an example of how this might work.  "More later."
-- 
Paul Vixie
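To make the load-distribution argument concrete, here is an added example (not part of Vixie's post, nor any root-server operator's code) that models anycast catchments with multi-source shortest-path routing on a constructed toy topology, comparing one unicast instance against two anycast instances under the same constructed attack load. The topology, costs and attack rates are all assumptions for illustration.

```python
import heapq
from collections import defaultdict

# Constructed toy topology (not real Internet data): a ring of transit
# networks A..F, with root-server site X off B and a second site Y off E.
TOPOLOGY = {
    ("A", "B"): 1, ("B", "C"): 1, ("C", "D"): 1, ("D", "E"): 1,
    ("E", "F"): 1, ("F", "A"): 1, ("B", "X"): 1, ("E", "Y"): 1,
}
# Constructed attack load: packets per second sourced from four networks.
ATTACK = {"A": 100, "C": 100, "D": 100, "F": 100}

def build_graph(edges):
    """Adjacency map {node: {neighbour: cost}} from an undirected edge dict."""
    graph = defaultdict(dict)
    for (u, v), cost in edges.items():
        graph[u][v] = cost
        graph[v][u] = cost
    return graph

def catchments(graph, instances):
    """Multi-source Dijkstra from every instance announcing the prefix; returns
    {node: instance} = each node's anycast catchment (one instance == unicast)."""
    dist = {node: float("inf") for node in graph}
    owner, heap = {}, []
    for inst in instances:
        dist[inst], owner[inst] = 0, inst
        heapq.heappush(heap, (0, inst, inst))
    while heap:
        d, node, inst = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale heap entry
        for nxt, cost in graph[node].items():
            if d + cost < dist[nxt]:
                dist[nxt], owner[nxt] = d + cost, inst
                heapq.heappush(heap, (d + cost, nxt, inst))
    return owner

def load_per_instance(graph, attack, instances):
    """Attack rate attracted into each instance's catchment (and its links)."""
    owner = catchments(graph, instances)
    load = defaultdict(int)
    for src, pps in attack.items():
        load[owner[src]] += pps
    return dict(load)

if __name__ == "__main__":
    g = build_graph(TOPOLOGY)
    print("unicast:", load_per_instance(g, ATTACK, ["X"]))       # {'X': 400}
    print("anycast:", load_per_instance(g, ATTACK, ["X", "Y"]))  # {'X': 200, 'Y': 200}
```

Real BGP path selection is policy-driven rather than shortest-cost, so actual catchments are uneven and shift when an instance withdraws its announcement. The model only shows why the flood, and the links it saturates, splits across sites instead of converging on one.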
