On 8 Dec 2003, at 10:14, Dean Anderson wrote:
> Also, anycasting doesn't work for TCP.
Would you care to elaborate on "doesn't work"?
> I agree. It is easy to create a blackhole, or even a DDOS on an anycast
> address. It is much harder to DDOS 600 IP addresses spread through some
> 200 countries.
It's arguably easier for a distributed attack to degrade the
availability of a service bound to a unicast-reachable address than an
anycast-reachable address. The former will tend to collect traffic
along a progressively narrow funnel until congestion occurs; with an
anycast target the pain is distributed over a set of funnels, and in
general not all will experience the same degree (or any) pain,
depending on the distribution and behaviour of the attacking nodes.
In a non-distributed attack anycast victims fare substantially better
(since non-select anycast targets are unaffected, and only suffer
topological fallout from the node sinking the attack traffic).
Joe
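The funnel argument in the reply above can be made concrete with a small model. The following is an added example, not code from the thread or from either poster: it assumes a simplified routing rule in which every node reaches the anycast instance in its own region (a nearest-instance catchment), a single instance under unicast, and a fixed per-instance capacity. Region count, attacker placement and all rates are constructed values; topological fallout onto neighbouring networks, which the reply mentions, is not modelled.

```python
"""Toy model of DDoS load on a unicast service versus an anycast one.

Constructed assumptions (not from the original discussion):
  * nodes live in numbered regions; under anycast a node's traffic lands on
    the instance in its own region, under unicast everything lands on
    instance 0 (the single funnel);
  * an instance whose inbound rate exceeds CAPACITY is congested for every
    client it serves; instances in attacker-free regions feel nothing.
"""
from collections import Counter

LEGIT_RATE = 1     # traffic units per legitimate client (constructed)
ATTACK_RATE = 50   # traffic units per attacking node (constructed)
CAPACITY = 200     # what one instance absorbs before congesting (constructed)

# Constructed attacker placements: a botnet spread over three regions, and
# the same ten nodes concentrated in one region (a non-distributed attack).
DISTRIBUTED = {0: 5, 1: 4, 2: 1}
CONCENTRATED = {4: 10}


def build_scenario(regions=10, clients_per_region=20, attackers_by_region=None):
    """Return (clients, attackers) as lists of region ids, one entry per node."""
    clients = [r for r in range(regions) for _ in range(clients_per_region)]
    attackers = [r for r, n in (attackers_by_region or {}).items()
                 for _ in range(n)]
    return clients, attackers


def _target(region, anycast):
    """Instance that serves a node in `region` under the chosen addressing."""
    return region if anycast else 0


def instance_load(clients, attackers, anycast):
    """Map instance id -> inbound traffic for the given placement."""
    load = Counter()
    for region in clients:
        load[_target(region, anycast)] += LEGIT_RATE
    for region in attackers:
        load[_target(region, anycast)] += ATTACK_RATE
    return load


def congested_instances(clients, attackers, anycast):
    """Sorted ids of instances pushed past CAPACITY."""
    load = instance_load(clients, attackers, anycast)
    return sorted(i for i, traffic in load.items() if traffic > CAPACITY)


def availability(clients, attackers, anycast):
    """Fraction of legitimate clients whose serving instance is not congested."""
    load = instance_load(clients, attackers, anycast)
    ok = sum(1 for region in clients
             if load[_target(region, anycast)] <= CAPACITY)
    return ok / len(clients)


if __name__ == "__main__":
    for label, placement in (("distributed", DISTRIBUTED),
                             ("concentrated", CONCENTRATED)):
        clients, attackers = build_scenario(attackers_by_region=placement)
        for anycast in (False, True):
            mode = "anycast" if anycast else "unicast"
            print(f"{label:12s} {mode}: availability="
                  f"{availability(clients, attackers, anycast):.2f} "
                  f"congested={congested_instances(clients, attackers, anycast)}")
```

Under unicast every attacking node, wherever it sits, adds to the one funnel, so the single instance congests and availability drops to zero. Under anycast only the catchments that actually contain attackers suffer, and they suffer unequally, which is the "set of funnels" point in the reply. Routing in a real deployment is far less tidy than one-region-one-instance, so treat the numbers as an illustration of the shape of the argument rather than a capacity plan.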