Re: national security


On 8 Dec 2003, at 10:14, Dean Anderson wrote:


Also, anycasting doesn't work for TCP.

Would you care to elaborate on "doesn't work"?


I agree. It is easy to create a blackhole, or even a DDOS on an anycast
address. It is much harder to DDOS 600 IP addresses spread through some
200 countries.

It's arguably easier for a distributed attack to degrade the availability of a service bound to a unicast-reachable address than an anycast-reachable address. The former will tend to collect traffic along a progressively narrow funnel until congestion occurs; with an anycast target the pain is distributed over a set of funnels, and in general not all will experience the same degree (or any) pain, depending on the distribution and behaviour of the attacking nodes.


In a non-distributed attack anycast victims fare substantially better (since non-selected anycast targets are unaffected, and only suffer topological fallout from the node sinking the attack traffic).


Joe
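A toy capacity model of the two cases Joe describes above (a distributed flood versus a single-source flood, against a unicast versus an anycast address). This is an added example, not code from the thread; the site capacity, per-source rates, the six-site topology and the "nearest site" rule standing in for BGP path selection are all constructed assumptions.

```python
"""Toy capacity model: how attack traffic lands on unicast vs anycast sites.

Each anycast instance sinks the traffic of the attacking sources that are
topologically closest to it; a unicast address funnels every source to one site.
All numbers and the topology below are constructed for illustration.
"""
from collections import Counter

SITE_CAPACITY_GBPS = 10.0   # assumed per-site capacity, identical for every site


def route_anycast(sources, sites):
    """Map each source to its nearest site. Hypothetical metric: the gap between
    the source's region number and the site id stands in for BGP path choice."""
    return {src: min(sites, key=lambda s: abs(s - region))
            for src, region in sources.items()}


def load_per_site(sources, rates, sites, anycast=True):
    """Return Gbps sunk per site. With anycast=False everything hits sites[0]."""
    load = Counter({s: 0.0 for s in sites})
    if anycast:
        routing = route_anycast(sources, sites)
    else:
        routing = {src: sites[0] for src in sources}   # single unicast funnel
    for src, site in routing.items():
        load[site] += rates[src]
    return dict(load)


def overloaded_sites(load, capacity=SITE_CAPACITY_GBPS):
    """Sites whose sunk traffic exceeds capacity (the 'blackholed' instances)."""
    return sorted(s for s, gbps in load.items() if gbps > capacity)


# Constructed topology: six anycast sites in regions 0..5.
SITES = [0, 1, 2, 3, 4, 5]
# Distributed attack: 12 sources spread evenly over the regions, 2 Gbps each.
DISTRIBUTED = {f"bot{i}": i % 6 for i in range(12)}
DISTRIBUTED_RATES = {src: 2.0 for src in DISTRIBUTED}      # 24 Gbps aggregate
# Non-distributed attack: one 15 Gbps source sitting in region 2.
SINGLE = {"src0": 2}
SINGLE_RATES = {"src0": 15.0}

if __name__ == "__main__":
    for name, srcs, rates in [("distributed", DISTRIBUTED, DISTRIBUTED_RATES),
                              ("single-source", SINGLE, SINGLE_RATES)]:
        for mode in (True, False):
            load = load_per_site(srcs, rates, SITES, anycast=mode)
            print(name, "anycast" if mode else "unicast", load,
                  "overloaded:", overloaded_sites(load))
```

In this model the distributed flood overloads the lone unicast site but no anycast site, while the single-source flood overloads exactly one anycast instance and leaves the other five untouched.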
