[Outages-discussion] [outages] NeuStar UltraDNS ? ** Why DDOS Neustar?

David Conrad drc at virtualized.org
Thu Jul 12 12:14:03 EDT 2012


On Jul 12, 2012, at 8:28 AM, Bill Woodcock wrote:
> On Jul 12, 2012, at 8:04 AM, David Conrad wrote:
>> With an anycast deployment, it generally makes sense to deploy anycast instances close to eyeballs.  However, in a botnet attack, the sources of traffic are those eyeballs.  As a result, the anycast instances used by most folks are the ones that get hammered the hardest.
> 
> While that's true, the main benefit of broad anycast to DDoS mitigation is that it's a lot cheaper to pay for ten 40gb installations than one 400gb installation, for instance, and you're much more likely to be able to balance load amongst them than do any useful traffic engineering with only a single location.

Yes, but what I was responding to was:

>>> What I like to understand is, being heavily anycasted did this outage impact several anycast instances?

Anycast in and of itself does not distribute load evenly. If it was a botnet attack, I suspect it is pretty much guaranteed that the outage would impact several instances (the ones network topologically closest to the highest density of bots). When that impact is detected, network engineers can then work to mitigate the attack via traffic engineering/blackholing/rate limiting/etc, but it is after the fact.

Regards,
-drc
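
The catchment effect described in the message above, as an added example that is not part of the original post: a small Python model in which each network node routes to its lowest-cost anycast site and attack traffic originates where the eyeballs are. The topology, link costs, site capacities and bot percentages are all constructed assumptions, not data from the incident.

```python
import heapq

# Constructed topology (hypothetical): undirected links with a routing cost.
LINKS = [("A", "B", 1), ("B", "C", 1), ("C", "D", 2), ("D", "E", 1),
         ("E", "F", 3), ("A", "F", 4), ("C", "G", 1), ("G", "H", 1)]
INSTANCES = {"B": 40, "E": 40, "H": 40}   # anycast site -> capacity in Gb/s
# Percentage of the botnet behind each node; bots follow eyeball density.
BOT_PCT = {"A": 30, "B": 25, "C": 20, "D": 5, "E": 5, "F": 5, "G": 5, "H": 5}

def catchments(links, instances):
    """Map every node to its lowest-cost anycast site (multi-source Dijkstra)."""
    adj = {}
    for a, b, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    owner = {}
    heap = [(0, site, site) for site in sorted(instances)]
    heapq.heapify(heap)
    while heap:
        dist, node, site = heapq.heappop(heap)
        if node in owner:
            continue                      # already claimed by a closer site
        owner[node] = site
        for nxt, cost in adj.get(node, []):
            if nxt not in owner:
                heapq.heappush(heap, (dist + cost, nxt, site))
    return owner

def attack_load(total_gbps, bot_pct, links=LINKS, instances=INSTANCES):
    """Attack traffic in Gb/s arriving at each site for a given total volume."""
    owner = catchments(links, instances)
    pct = {site: 0 for site in instances}
    for node, share in bot_pct.items():
        pct[owner[node]] += share
    return {site: total_gbps * p / 100 for site, p in pct.items()}

def saturated(total_gbps, bot_pct, instances=INSTANCES):
    """Sites whose attack load alone exceeds their capacity."""
    load = attack_load(total_gbps, bot_pct, instances=instances)
    return sorted(s for s, cap in instances.items() if load[s] > cap)

if __name__ == "__main__":
    print("aggregate capacity:", sum(INSTANCES.values()), "Gb/s")
    print("per-site load at 100 Gb/s:", attack_load(100, BOT_PCT))
    print("saturated sites:", saturated(100, BOT_PCT))
```

In this constructed case a 100 Gb/s attack is below the 120 Gb/s aggregate capacity, yet the site whose catchment holds most of the bots is pushed past its own 40 Gb/s.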



