Internet vulnerabilities

Paul Vixie vixie at vix.com
Thu Jul 4 18:48:47 UTC 2002


mike at sentex.net (Mike Tancsa) writes:

> ...  Still, I think the softest targets are the root name servers.  I was
> glad to hear at the Toronto NANOG meeting that this was being looked into
> from a routing perspective.  Not sure what is being done from a DoS
> perspective.

Now that we've seen enough years of experience from Genuity.orig, UltraDNS,
Nominum, AS112, and {F,K}.root-servers.net, we're seriously talking about using
anycast for the root server system.  This is because a DDoS isn't just against
the servers, but against the networks leading to them.  Even if we provision
for a trillion packets per second per root server, there is no way to get
the whole Internet, which is full of Other People's Networks, provisioned at
that level.  Wide area anycast, dangerous though it can be, works around that.

See www.as112.net for an example of how this might work.  "More later."
-- 
Paul Vixie



More information about the NANOG mailing list