down sev0? - More information

Don don at
Thu Oct 26 13:24:09 UTC 2006

> As pointed out by Rob Seastrom in private email, RFC2182 addresses things
> of biblical proportions - such as dispersion of nameservers geographically
> and topologically. Having 3 secondaries, only one of them on separate /24,
> and none of them on topologically different network does not qualify.

offered several models for DNS service including distributed
anycast based services. Considering what I've heard about the scale of
the attack I'm glad they chose not to host their own domain name on the
anycast networks- it simply would have taken more people down.

Some facts:
1. I've spoken with some AT&T engineers about what was going on. According
to them this was (as mentioned earlier) a multi-gigabit attack that came
in through every peer on the AT&T network. Anycasting would not have fixed
this problem- the attack was too large and too diverse. (I guess if they
had 10 GigE pipes and POPs all over the planet- maybe. But that's not
exactly a valid business model.)

2. These were not spoofed source addresses. This looks like a rather large 
botnet sending real traffic.

3. The attack was large enough to affect many other customers in the same 
data center- one with a lot of bandwidth off AT&T's backbone.

4. DNS is a tiny protocol. It's possible to send a LOT of small, but
perfectly valid, DNS packets. The fact that the attack was multi-gigabit
per second is bad enough. Couple that with the packets all being really
tiny and you have a recipe for routing disaster.

5. AT&T (at least when I've dealt with them in their datacenters) does not 
support BGP community strings for null routing (or any strings for that 
matter :) Think about that for a second. To stop an attack 
would need to call AT&T and request a filter/null route. Since AT&T 
operations is based in Singapore (again this was last time I dealt with 
them) I'm sure getting those filters/routes in probably doesn't happen 
nearly fast enough. I have heard that AT&T is currently in the process of 
setting up communities- maybe someone who knows more could comment.

The truth is that none of us has all the facts about what happened.

> Given that is/was public (I think?) - I wonder what are their
> sarbox auditors saying about it now ;)

is not public (if I recall correctly they were bought out a
couple of years ago by a private firm). Furthermore, if they were public I
would think their stockholders might have something to say about spending
large sums of money to prevent a DDoS which probably would not work
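The post's points 2 and 4 (a large botnet sending real, non-spoofed traffic made of tiny but valid DNS packets) describe a flood that is dangerous because of packets per second rather than bits per second. The script below is an added example, not code from the post or from any party it mentions: it aggregates constructed NetFlow-style records for one destination port, reports both pps and Mbps, and flags the "many real sources, tiny packets, high pps" pattern. The record layout, the sample addresses (documentation ranges) and every threshold are assumptions for illustration.

```python
"""Detect a small-packet DNS flood in flow records (added example, not from the post).

Record layout is an assumption: (src_ip, dst_port, packets, bytes) summed over
a one-second window. Thresholds are illustrative, not tuned values.
"""
from collections import Counter

# Constructed sample: 200 distinct sources each sending 40 packets of 64 bytes to
# UDP/53 in one second, plus two ordinary HTTPS flows with large packets.
SAMPLE_FLOWS = [("198.51.100.%d" % i, 53, 40, 40 * 64) for i in range(1, 201)]
SAMPLE_FLOWS += [
    ("203.0.113.5", 443, 30, 30 * 1400),
    ("203.0.113.6", 443, 12, 12 * 1200),
]


def summarize(flows, port):
    """Aggregate all flows to one destination port.

    Returns packets, bytes, number of distinct sources and mean packet size.
    """
    packets = total_bytes = 0
    sources = set()
    for src, dport, pkts, nbytes in flows:
        if dport != port:
            continue
        packets += pkts
        total_bytes += nbytes
        sources.add(src)
    mean = total_bytes / packets if packets else 0.0
    return {
        "packets": packets,
        "bytes": total_bytes,
        "sources": len(sources),
        "mean_pkt_bytes": mean,
    }


def rate(summary, window_s=1.0):
    """Return (packets per second, megabits per second) for the window.

    Tiny packets make the Mbps figure look harmless while the pps figure is
    what exhausts a router's forwarding capacity, so report both.
    """
    pps = summary["packets"] / window_s
    mbps = summary["bytes"] * 8 / 1e6 / window_s
    return pps, mbps


def is_small_packet_flood(summary, window_s=1.0, min_pps=5000,
                          max_mean_bytes=128, min_sources=100):
    """Flag the pattern described in the post: high pps, tiny packets, many
    distinct (real) sources. A single spoofed-looking source would not match
    the min_sources condition, so that case is left to other checks."""
    pps, _ = rate(summary, window_s)
    return (pps >= min_pps
            and summary["mean_pkt_bytes"] <= max_mean_bytes
            and summary["sources"] >= min_sources)


def top_sources(flows, port, n=10):
    """Sources ordered by packet count toward the port: the list an operator
    would hand to an upstream for filtering when no blackhole community exists."""
    counts = Counter()
    for src, dport, pkts, _ in flows:
        if dport == port:
            counts[src] += pkts
    return counts.most_common(n)


if __name__ == "__main__":
    dns = summarize(SAMPLE_FLOWS, 53)
    pps, mbps = rate(dns)
    print("udp/53: %d pps, %.3f Mbps, %d sources, mean %.0f bytes/pkt"
          % (pps, mbps, dns["sources"], dns["mean_pkt_bytes"]))
    print("flood:", is_small_packet_flood(dns))
    print("top sources:", top_sources(SAMPLE_FLOWS, 53, 3))
```

On the constructed sample the port 53 traffic is only about 4 Mbps, a figure that would never trip a bandwidth alarm, yet it is 8,000 pps from 200 sources at 64 bytes per packet, which is exactly the shape the post warns about; the HTTPS flows have a mean packet size over a kilobyte and are not flagged.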

