mike@sentex.net (Mike Tancsa) writes:
... Still, I think the softest targets are the root name servers. I was glad to hear at the Toronto NANOG meeting that this was being looked into from a routing perspective. Not sure what is being done from a DoS perspective.
Now that we've seen enough years of experience from Genuity.orig, UltraDNS, Nominum, AS112, and {F,K}.root-servers.net, we're seriously talking about using anycast for the root server system. This is because a DDoS isn't just against the servers, but against the networks leading to them. Even if we provision for a trillion packets per second per root server, there is no way to get the whole Internet, which is full of Other People's Networks, provisioned at that level. Wide area anycast, dangerous though it can be, works around that. See www.as112.net for an example of how this might work. "More later." -- Paul Vixie