[Outages-discussion] NeuStar UltraDNS ? ** Why DDOS Neustar?

[Patrick W. Gilmore]

On Jul 12, 2012, at 11:28 , Bill Woodcock wrote:
> On Jul 12, 2012, at 8:04 AM, David Conrad wrote:

>> With an anycast deployment, it generally makes sense to deploy anycast instances close to eyeballs.  However, in a botnet attack, the sources of traffic are those eyeballs.  As a result, the anycast instances used by most folks are the ones that get hammered the hardest.
> 
> While that's true, the main benefit of broad anycast to DDoS mitigation is that it's a lot cheaper to pay for ten 40gb installations than one 400gb installation, for instance, and you're much more likely to be able to balance load amongst them than do any useful traffic engineering with only a single location.

There are a lot of variables when building a "400 gb installation", so it is difficult to say whether it is cheaper or more expensive than 10x40.  For instance, it is cheaper to build 1x200 than 10x20 for at least the type of "installation" we typically build.  But obviously others may see the opposite.

Either way, the rest of what Bill said rings more than true.  Having 10 x 40 is much better for attack resiliency than 1x400.

Also, related to David's comments: The attacker almost certainly does not have bots in every eyeball network.  If China Telecom is attacking you and you have a widely distributed deployment, then only the node close to CT is affected.  The rest of the world doesn't know an attack is happening.  (There are many assumptions there, such as not dropping the announcement under attack, but I trust Rodney & his team to build a robust and intelligent topology.)

-- 
TTFN,
patrick