Anycast 101

Paul_A_Vixie · December 20, 2004, 5:18pm

> but at that point, the only thing anycast would buy you is ddos
> resistance and the ability to have more than 13 physical
> servers... which is all the

Is that true? I'm failing to see how anycast helps expand a network's
DDoS survivability. At best a dumb attacker would attack the IP
address of the server and it would be distributed to all the
participating anycast nodes.

as it turns out, some attackers really are idiots, and it's considered
socially acceptable to pander to them even while also attempting to guard
against real attacks coming from experts.

What prevents the attacker to hit just a few nodes from the anycast
network to hurt percentages of the dns queries?

nothing, of course. but we like that the percentage isn't always 100%
(as it would be in the non-anycast case.)

Obviously health checking would prevent some of the problems but then
the attacker can just shift from site to site as the health checks
happen.

there are some million-bot drone armies out there. with enough attackers
you can just attack everything the defenders might try to use -- no need
to shift from site to site in response to anything.

With that thought process, an anycast network is only as it's most
beefed up node. As the smaller nodes fail the one left standing will
be what prevents the attack, not anycast.

i admit that this appears true on the surface... but if you dig into it
you'll see that even a root name server with 10,000 direct 10GigE
connections (one for every autonomous system in the internet) would
still be vulnerable to congestion based attacks, since a congestion
based attack is against OPN's (other people's networks) where even
infinite point-source provisioning cannot help you.

For an example, let's look at f.root:
f.root-servers.org is 204.152.187.7

that's .org not .net. f.-.org is just a web server. you want f.-.net.

If an attacker wanted to be violent and have complete disregard for
the anycast design, he/she would hit either each node independently
and at the same time hit the upstream routes of both nodes. That
would isolate each node from the anycast primary "VIP" of
204.152.187.7 and introduce problems into the design. Then, as those
sites were failed out, he/she would shift the attack to the current
operating sites.

an effective attack doesn't need to be nearly that subtle.

Eventually this cat and mouse would cause such a problem that the
saving grace of the anycast design would be the strongest node in the
cluster and the operators would have to fail each site in and out as
the attack shifted around.

i suppose that you could do it that way, if you wanted to be more artful.

If they were really violent they would include a randomized valid
query attack in the mix.

you mean they aren't?

Can you explain to me how anycast would prevent this?

i knew, at the time i wrote the words "ddos resistant" in this thread,
that at least one person would think i meant "ddos proof". in wristwatches,
"water resistant" means you can shower or bathe while wearing the device,
but only "water proof" means you can scuba dive with it. anycast makes a
dns service more ddos resistant. nothing can make a dns service ddos proof.

bill3 · December 20, 2004, 5:34pm

> With that thought process, an anycast network is only as it's most
> beefed up node. As the smaller nodes fail the one left standing will
> be what prevents the attack, not anycast.

i admit that this appears true on the surface... but if you dig into it
you'll see that even a root name server with 10,000 direct 10GigE
connections (one for every autonomous system in the internet) would
still be vulnerable to congestion based attacks, since a congestion
based attack is against OPN's (other people's networks) where even
infinite point-source provisioning cannot help you.

  well, thats practically true, but not theoretically true.
  the DNS is running just fine thank you. ddos attacks against
  OPNs is not an attack on the DNS per se, its on the clients in
  the OPN. trying to ensure that every client has reachability
  to a given server set - FROM the SERVER side - is ultimately
  an exercise in futility. Servers/operators can only take reasonable
  and prudent steps to try and ensure the service is generally available
  -- micro managing DNS availablity to a specific server set is the
  way to madness. Anycast is a way to make the service generally
  available to as many end-systems as want/need the service. So is
  multi-homing. ... long term, what is important is the view that
  there is a common namespace, not that there are special servers.

> Can you explain to me how anycast would prevent this?

i knew, at the time i wrote the words "ddos resistant" in this thread,
that at least one person would think i meant "ddos proof". in wristwatches,
"water resistant" means you can shower or bathe while wearing the device,
but only "water proof" means you can scuba dive with it. anycast makes a
dns service more ddos resistant. nothing can make a dns service ddos proof.

little, in practice, can make a DNS service ddos proof.
it can be done, but the side effects are worse than the cure.

--bill (ducking back into the background)

John_Kristoff4 · December 20, 2004, 6:09pm

I've heard that claim before, but I've yet to be convinced that those
making it were doing more than speculating. It is not unreasonable to
believe there are millions of bot drones, but that is not the same as
an army under a single or even coordinated control structure. It is
entirely possible to build armies of that size, but maintaining them
over any length of time is probably quite difficult. I'd of course be
interested to hear about any evidence to the contrary on or off list.

John

Gadi_Evron1 · December 20, 2004, 6:28pm

there are some million-bot drone armies out there. with enough attackers

I've heard that claim before, but I've yet to be convinced that those
making it were doing more than speculating. It is not unreasonable to
believe there are millions of bot drones, but that is not the same as
an army under a single or even coordinated control structure. It is
entirely possible to build armies of that size, but maintaining them
over any length of time is probably quite difficult. I'd of course be
interested to hear about any evidence to the contrary on or off list.

John

Not that it is really relevant to the original discussion, but here goes...

The biggest drone armies out there are at around 200K, currently. The bigger controllers/runners usually have drone armies of 50K - 80K size botnets.

Most botnets are between a hundred and 10K drones.

Today, in the Quakenet IRC network we see:
There are 66360 users and 153169 invisible on 42 servers

About a year ago that was about 50K users. Back then about 20K - 30K of those users were zombies.

IRC growth is a known thing, but it doesn't grow exponentially. People come and go, while other chat medias slowly eat at the IRC.

With such a growth, not taking into consideration hard facts (that I do have about several IRC networks, as there are a few big ones), and 1000 or so new malware a month (950 of which being Trojan horses that can be used for botnets, most of which are agobots, ircbots, spybots, etc. - IRC bots) one could assume, under the MOST restrictive terms that at least 80K users are drones.

Again - this is hardly the only IRC network out there.
Not all drone armies are run via IRC.
And finally, there are many drone armies running on *private* IRC servers much like anonymous FTP's are being used to hold warez.

Also note (although this is rather shaky as "fact"), that most IRC clients set the user's mode to +i (invisible) by default. Draw your own conclusions from the numbers above.

As to actual facts.. off list if you will be interested, and once I know you better.

Gadi.