[Outages-discussion] NeuStar UltraDNS ? ** Why DDOS Neustar?

virendra rode virendra.rode at outages.org
Thu Jul 12 13:19:39 EDT 2012


On 07/12/2012 09:01 AM, Patrick W. Gilmore wrote:
> On Jul 12, 2012, at 11:28 , Bill Woodcock wrote:
>> On Jul 12, 2012, at 8:04 AM, David Conrad wrote:
> 
>>> With an anycast deployment, it generally makes sense to deploy
>>> anycast instances close to eyeballs.  However, in a botnet
>>> attack, the sources of traffic are those eyeballs.  As a
>>> result, the anycast instances used by most folks are the ones
>>> that get hammered the hardest.
>> 
>> While that's true, the main benefit of broad anycast to DDoS
>> mitigation is that it's a lot cheaper to pay for ten 40gb
>> installations than one 400gb installation, for instance, and
>> you're much more likely to be able to balance load amongst them
>> than do any useful traffic engineering with only a single
>> location.
> 
> There are a lot of variables when building a "400 gb installation",
> so it is difficult to say whether it is cheaper or more expensive
> than 10x40.  For instance, it is cheaper to build 1x200 than 10x20
> for at least the type of "installation" we typically build.  But
> obviously others may see the opposite.
> 
> Either way, the rest of what Bill said rings more than true.
> Having 10 x 40 is much better for attack resiliency than 1x400.
> 
> Also, related to David's comments: The attacker almost certainly
> does not have bots in every eyeball network.  If China Telecom is
> attacking you and you have a widely distributed deployment, then
> only the node close to CT is affected.  The rest of the world
> doesn't know an attack is happening.  (There are many assumptions
> there, such as not dropping the announcement under attack, but I
> trust Rodney & his team to build a robust and intelligent
> topology.)
> 
---------------------
Correct and the reason why I initially brought up the question of
'anycast instance' because it appears they were impacted across
different locations w/ "local node" instance(s). For example, HK, LA
and NY nodes were affected unless I missed something. At the same time
I did notice route withdrawn from certain upstream peers.

Would love to see what Rodney & his team come up with from a lesson
learned standpoint. Then again, I'm not asking for secret sauce ;-)


regards,
/virendra
