North American Network Operators Group
On Wednesday, Aug 27, 2003, at 13:54 Europe/Amsterdam, Matthew Sullivan wrote:

> Someone has suggested 'anycasting' what do people (particularly you Paul)

I wouldn't recommend this. If you have two DNS servers on different addresses, everyone can talk to #2 if #1 doesn't answer. If you anycast them, everyone only gets to talk to one, and if that one has problems, too bad, nothing to be done about that except wait until someone fixes the problem or changes the BGP announcement. Also, the built-in DNS RTT load balancing is much more sophisticated than BGP shortest path selection.
I also have serious doubts about the wisdom of having the root servers anycast for similar reasons but in this case the only alternative is not increasing the number of servers as it's impossible to list the new servers under an IP address of their own.
If the number of requests on your servers is the problem and not bandwidth, you could install filters that only allow requests for known users of the service. This means the attackers must first guess and then spoof an address belonging to a registered user, which should take much of the fun out of it. This sounds like a lot of work but you'd have to do something like it anyway when you want to become a paid service.
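The source-address filter suggested in the last paragraph, as an added example that is not part of the original post: registered users are represented by a list of constructed prefixes (documentation ranges, not real customers), incoming queries are constructed log records in the form `src_ip qname qtype`, and the filter splits them into queries to serve and queries to drop. In production this logic would live in the packet filter or the name server's query ACL; the Python here shows the decision and gives a count of the most frequent rejected sources, which is the signal an operator would watch to notice an attacker probing for an address inside an allowed range.

```python
import ipaddress
from collections import Counter

# Constructed example: address space of registered users of the DNS service.
# These are documentation/reserved ranges (RFC 5737 / RFC 3849), not real customers.
REGISTERED_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),   # only .0 to .127 are registered
    ipaddress.ip_network("2001:db8:10::/48"),
]


def build_allowlist(prefixes):
    """Collapse overlapping or adjacent prefixes per address family so each
    lookup is a single containment test against a minimal list."""
    v4 = [p for p in prefixes if p.version == 4]
    v6 = [p for p in prefixes if p.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_registered(src, allowlist):
    """True if the query source address falls inside a registered prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowlist if net.version == addr.version)


def filter_queries(log_lines, allowlist):
    """Each constructed record is '<src_ip> <qname> <qtype>'.
    Returns (served, dropped) as lists of (src, qname, qtype) tuples."""
    served, dropped = [], []
    for line in log_lines:
        src, qname, qtype = line.split()
        bucket = served if is_registered(src, allowlist) else dropped
        bucket.append((src, qname, qtype))
    return served, dropped


def top_dropped_sources(dropped, n=3):
    """Most frequent rejected sources: the thing to watch for unregistered
    addresses hammering the service or probing for an allowed range."""
    return Counter(src for src, _, _ in dropped).most_common(n)


# Constructed sample traffic; addresses chosen to hit every branch above.
SAMPLE_LOG = [
    "192.0.2.17 example.net A",          # inside 192.0.2.0/24 -> served
    "198.51.100.200 example.org MX",     # outside the /25 -> dropped
    "203.0.113.5 example.net A",         # unregistered -> dropped
    "2001:db8:10::1 example.net AAAA",   # inside the v6 /48 -> served
    "2001:db8:20::1 example.net AAAA",   # unregistered v6 -> dropped
    "203.0.113.5 example.com ANY",       # same unregistered source again
]

if __name__ == "__main__":
    allow = build_allowlist(REGISTERED_PREFIXES)
    served, dropped = filter_queries(SAMPLE_LOG, allow)
    print("served:", len(served), "dropped:", len(dropped))
    print("top dropped sources:", top_dropped_sources(dropped))
```

The residual risk is exactly the one the post names: an attacker who guesses a registered prefix can still spoof a source inside it, so the filter raises the cost of an attack rather than eliminating it, and the dropped-source counter is what turns the filter into a detection point as well.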