The DDOS attack on DYN & RRL ?

Barry Margolin barmar at alum.mit.edu
Mon Oct 31 16:09:51 UTC 2016


In article <mailman.542.1477928257.74444.bind-users at lists.isc.org>,
 Jim Popovitch <jimpop at gmail.com> wrote:

> On Mon, Oct 31, 2016 at 11:27 AM, Matthew Seaman
> <m.seaman at infracaninophile.co.uk> wrote:
> > On 2016/10/31 14:53, Jim Popovitch wrote:
> >> On Mon, Oct 31, 2016 at 10:25 AM, Matthew Seaman
> >> <m.seaman at infracaninophile.co.uk> wrote:
> >>> This despite the fact that Dyn has a global anycast network with
> >>> plenty of bandwidth, points of presence all round the world and
> >>> each POP contains a bunch of top-of-the-line servers.
> >>
> >> It seems to me that anycast is probably much worse in the Mirai botnet
> >> scenario unless each node is pretty much as robust as a traditional
> >> unicast node.
> >
> > I couldn't really say whether unicast is more or less resistant to this
> > sort of attack -- I'd guess either way it would be down to the capacity
> > at each individual node.
> >
> > It was Dyn's USA POPs that bore the brunt of the attack, presumably
> > because most of the Mirai bots were located in the USA.  Even so, it
> > still caused us plenty of grief in Europe.  Apparently the effects were
> > fairly minimal in the Far East.
> >
> 
> That makes one wonder if the EU Anycast nodes are reliant on the USA
> node(s).  I have no insights (and even less DNS knowledge) but it
> makes one wonder if there's a fundamental design flaw in anycast DNS
> that relies on one or more nodes... is anycast DNS really just
> distributed cache DNS?

"Anycast" just means that a single public IP address is routed to 
different POPs depending on where the source is. So if you query 4.2.2.1 
or 8.8.8.8 from the US, you'll go to a US nameserver; if you query them 
from Europe, you'll go to a European server.

While 4.2.2.1 and 8.8.8.8 are caching DNS, the same can be done with 
authoritative DNS, and that's what was attacked in the Dyn case (I'm not 
even sure if Dyn offers caching DNS).

I heard that the impact of the attack was even narrower than just the 
US; it was mostly eastern US. That suggests some things about the 
granularity of Dyn's anycast network and the distribution of the Mirai 
botnet.

-- 
Barry Margolin
Arlington, MA
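
[Added example, not part of the original post.] One way to see from a given vantage point which anycast instance sits behind a shared address is a CHAOS-class TXT query for id.server (RFC 4892). The sketch below builds that query and parses the reply; the node names and the constructed_response helper are constructed for illustration, and it assumes the operator has left id.server answering.

```python
import socket, struct

TYPE_TXT, CLASS_CH = 16, 3  # CHAOS-class TXT, used by id.server (RFC 4892)

def build_query(qname="id.server", txid=0x1234):
    """DNS query asking the answering server instance to name itself."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # one question, RD clear
    return header + labels + b"\x00" + struct.pack("!HH", TYPE_TXT, CLASS_CH)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + n

def parse_instance_ids(msg):
    """Extract CH TXT strings (the instance identifiers) from a response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # question: name, type, class
    ids = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if (rtype, rclass) == (TYPE_TXT, CLASS_CH):
            pos, text = 0, b""
            while pos < len(rdata):  # TXT rdata is length-prefixed strings
                text += rdata[pos + 1:pos + 1 + rdata[pos]]
                pos += 1 + rdata[pos]
            ids.append(text.decode("ascii", "replace"))
    return ids

def constructed_response(query, node_id):
    """Constructed sample reply: what one POP might send back for `query`."""
    txt = bytes([len(node_id)]) + node_id.encode("ascii")
    header = query[:2] + struct.pack("!HHHHH", 0x8400, 1, 1, 0, 0)  # QR+AA
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(txt)) + txt
    return header + query[12:] + rr

def ask(server_ip, timeout=2.0):
    """Live lookup: which instance behind `server_ip` answers from here."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (server_ip, 53))
        return parse_instance_ids(s.recvfrom(4096)[0])
```

Running ask() against the same address from hosts in different regions and comparing the returned identifiers shows how the anycast address is split across POPs.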

