With that thought process, an anycast network is only as strong as its most beefed-up node. As the smaller nodes fail, the one left standing will be what prevents the attack, not anycast.
I admit that this appears true on the surface... but if you dig into it you'll see that even a root name server with 10,000 direct 10GigE connections (one for every autonomous system in the internet) would still be vulnerable to congestion-based attacks, since a congestion-based attack is against OPNs (other people's networks), where even infinite point-source provisioning cannot help you.
Well, that's practically true, but not theoretically true. The DNS is running just fine, thank you. DDoS attacks against OPNs are not an attack on the DNS per se; they're on the clients in the OPN. Trying to ensure that every client has reachability to a given server set - FROM the SERVER side - is ultimately an exercise in futility. Servers/operators can only take reasonable and prudent steps to try and ensure the service is generally available -- micro-managing DNS availability to a specific server set is the way to madness. Anycast is a way to make the service generally available to as many end-systems as want/need the service. So is multi-homing. ... Long term, what is important is the view that there is a common namespace, not that there are special servers.
Can you explain to me how anycast would prevent this?
I knew, at the time I wrote the words "ddos resistant" in this thread, that at least one person would think I meant "ddos proof". In wristwatches, "water resistant" means you can shower or bathe while wearing the device, but only "water proof" means you can scuba dive with it. Anycast makes a DNS service more DDoS resistant. Nothing can make a DNS service DDoS proof.
Little, in practice, can make a DNS service DDoS proof. It can be done, but the side effects are worse than the cure. --bill (ducking back into the background)