relays.osirusoft.com
Iljitsch van Beijnum
iljitsch at muada.com
Wed Aug 27 15:02:50 UTC 2003
On Wednesday, Aug 27, 2003, at 13:54 Europe/Amsterdam, Matthew Sullivan wrote:
> Someone has suggested 'anycasting'. What do people (particularly you,
> Paul) think of using anycasting for a DNSbl? (AS112 anyone?) I think it
> may work well... however I am a novice in terms of BGP... As far as I can
> tell it involves getting a portable address block (someone suggested
> anything less than a /24 would get filtered) and announcing it in
> various locations around the Net with local servers behind each of
> those announcements.... is this fundamentally correct?
I wouldn't recommend this. If you have two DNS servers on different
addresses, everyone can talk to #2 if #1 doesn't answer. If you anycast
them, everyone only gets to talk to one, and if that one has problems,
too bad, nothing to be done about that except wait until someone fixes
the problem or changes the BGP announcement. Also, the built-in DNS RTT
load balancing is much more sophisticated than BGP shortest path
selection.
I also have serious doubts about the wisdom of having the root servers
anycast, for similar reasons, but in this case the only alternative is
not increasing the number of servers, as it's impossible to list the new
servers under an IP address of their own.
If the number of requests on your servers is the problem and not
bandwidth, you could install filters that only allow requests for known
users of the service. This means the attackers must first guess and
then spoof an address belonging to a registered user, which should take
much of the fun out of it. This sounds like a lot of work but you'd
have to do something like it anyway when you want to become a paid
service.
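The last paragraph suggests filtering so that only registered users of the blocklist can query it. The following is an added illustration of that idea, not code from the thread or from any DNSBL operator: a per-source allow-list applied to constructed query log lines. The prefix list, the log format (`<source-ip> <qname> <qtype>`), the zone name and the helper names are all assumptions made for the example. It handles both IPv4 and IPv6 prefixes, rejects unparsable source addresses, and counts malformed lines separately so they are not silently lost.

```python
# Added example: source-address allow-list in front of a DNSBL nameserver.
# Not from the NANOG thread; prefixes, log lines and names are constructed.
import ipaddress
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed: address blocks belonging to registered users of the service.
REGISTERED_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
    ipaddress.ip_network("2001:db8:10::/48"),
]

# Constructed query log, one query per line: "<source-ip> <qname> <qtype>".
# The zone name is a placeholder, not the list discussed in the thread.
SAMPLE_QUERIES = [
    "192.0.2.17 4.3.2.1.relays.example.invalid A",        # registered user
    "198.51.100.200 9.8.7.6.relays.example.invalid A",    # outside the /25
    "2001:db8:10::5 1.1.1.10.relays.example.invalid A",   # registered (IPv6)
    "203.0.113.9 1.1.1.10.relays.example.invalid A",      # unknown client
    "203.0.113.9 2.1.1.10.relays.example.invalid A",      # same unknown client
    "203.0.113.77 truncated",                             # malformed log line
]


def is_registered(src_ip: str) -> bool:
    """True if src_ip lies inside any registered prefix; unparsable -> False."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in REGISTERED_PREFIXES)


def filter_queries(lines: Iterable[str]) -> Tuple[List[Tuple[str, str, str]], Counter]:
    """Split query lines into those to answer and a per-source count of drops.

    Returns (allowed, dropped) where allowed is a list of (src, qname, qtype)
    tuples and dropped is a Counter keyed by source address, with the special
    key "malformed" for lines that do not have exactly three fields.
    """
    allowed: List[Tuple[str, str, str]] = []
    dropped: Counter = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            dropped["malformed"] += 1
            continue
        src, qname, qtype = parts
        if is_registered(src):
            allowed.append((src, qname, qtype))
        else:
            dropped[src] += 1
    return allowed, dropped


if __name__ == "__main__":
    ok, drop = filter_queries(SAMPLE_QUERIES)
    print(f"answered {len(ok)} queries")
    for src, n in drop.most_common():
        print(f"dropped {n} from {src}")
```

The check only looks at the source address, which is exactly the limitation the message itself points out: an unregistered sender who knows and spoofs a registered address still gets through, so this raises the cost of abuse rather than removing it. In practice the same list would be expressed as the nameserver's own access control or a packet filter in front of it; the Python version is here to make the logic and its edge cases explicit.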