> >> Does that imply that you believe no TCP-based protocol deserves
> >> protection from DDoS attacks? Because anycast is ultimately the one and
> >> the only basement for that protection.
> >>
> > ?? I had better get me to a patent lawyer then because I have multiple
> > DDoS protection ideas and none involve ANYCAST and only a few TCP.
> >
>
> Either that, or you might want to test your ideas against the specialized
> field expertise.
>
> Anycast has been the ultimate DDoS mitigation tool for a decade already,
> and for a reason. Basically, it all comes down to a simple idea: DDoS
> traffic, generated in thousands of locations on the globe, cannot possibly
> be handled when accumulated in one of such locations. But it's surely more
> complicated than that.

If you have an established TCP flow, and there is a DDOS which kills a
particular endpoint, replicating all TCP state across dozens of locations
across the globe for hundreds of thousands of TCP connections per second,
such that an Anycast endpoint could be redirected from say, Hong Kong to
Singapore or Australia, is simply not practical.

Quoting RFC 7094:

    Most stateful transport protocols (e.g., TCP), without modification,
    do not understand the properties of anycast; hence, they will fail
    probabilistically, but possibly catastrophically, when using anycast
    addresses in the presence of "normal" routing dynamics. Specifically,
    if datagrams associated with a given active transaction are routed to
    a new anycasted end system and that end system lacks state data
    associated with the active transaction, the session will be reset;
    hence, it will need to be reinitiated.

> Either you have multiple traffic termination points on the net (a.k.a.
> anycast), each as close to some traffic generation point as possible, or
> you'll end up having capacity overload around your last mile. This is
> fundamental, kind of.

Sure, and using UDP with Anycast (DNS, QUIC) works quite well in DDOS
solutions.
But the fact that *any* stateful protocol (such as TCP) is not compatible
with Anycast across the global internet without making modifications is
*also* fundamental. The changes in Linux five years ago may have made
certain broken architectures more likely to fail. The reason why no one
seems to care is because those were broken designs in the first place,
which RFC 7094 warns against, and there are plenty of companies which are
actively solving the DDOS problem for their customers --- with many of
these companies using modern Linux kernels and Anycast, without the
problems cited by the original poster in this thread.

- Ted
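As an added illustration of the RFC 7094 point made above (this is constructed example code, not from the thread or any of its participants): two anycast sites announce the same address, each keeps its own unreplicated TCP connection table, and a routing flap steers a client's packets to the other site. The stateful flow is reset the first time that happens, while a stateless UDP exchange is answered by whichever site the packet lands on. The site names, the per-segment flap probability and the simplified TCP endpoint are all assumptions of the model.

```python
import random
from dataclasses import dataclass, field

# Constructed model: two anycast sites announcing one address. Each site
# keeps its own TCP connection table; nothing is replicated between them.


@dataclass
class AnycastSite:
    name: str
    tcp_state: set = field(default_factory=set)  # connection ids this site knows

    def handle_tcp(self, conn_id: str, syn: bool) -> str:
        """Simplified TCP endpoint: a SYN creates state, later segments need it."""
        if syn:
            self.tcp_state.add(conn_id)
            return "SYN-ACK"
        if conn_id in self.tcp_state:
            return "ACK"
        # Segment for a flow this site never saw: the RFC 7094 failure mode.
        return "RST"

    def handle_udp(self, query: str) -> str:
        """Stateless request/response (e.g. a DNS query): any site can answer."""
        return f"{self.name}: answer for {query}"


def next_site(current, sites, flap_prob: float, rng: random.Random):
    """Routing dynamics (assumed model): with probability flap_prob the client's
    packets are steered to a different site, e.g. after BGP reconvergence or a
    site being withdrawn under attack."""
    if len(sites) > 1 and rng.random() < flap_prob:
        return rng.choice([s for s in sites if s is not current])
    return current


def tcp_session_survives(segments: int, flap_prob: float, seed: int = 0) -> bool:
    """Open one TCP flow, then send `segments` data segments, each subject to a flap."""
    rng = random.Random(seed)
    sites = [AnycastSite("hkg"), AnycastSite("sin")]  # constructed site names
    conn_id = "client-port-1"
    site = rng.choice(sites)
    assert site.handle_tcp(conn_id, syn=True) == "SYN-ACK"
    for _ in range(segments):
        site = next_site(site, sites, flap_prob, rng)
        if site.handle_tcp(conn_id, syn=False) == "RST":
            return False  # other site has no state: session reset
    return True


def udp_queries_answered(queries: int, flap_prob: float, seed: int = 0) -> int:
    """Same routing dynamics, stateless protocol: count queries that get an answer."""
    rng = random.Random(seed)
    sites = [AnycastSite("hkg"), AnycastSite("sin")]
    site = rng.choice(sites)
    answered = 0
    for i in range(queries):
        site = next_site(site, sites, flap_prob, rng)
        if site.handle_udp(f"q{i}").endswith(f"answer for q{i}"):
            answered += 1
    return answered


def tcp_survival_rate(segments: int, flap_prob: float, trials: int = 1000) -> float:
    """Empirical fraction of TCP sessions that complete without a reset."""
    ok = sum(tcp_session_survives(segments, flap_prob, seed=t) for t in range(trials))
    return ok / trials


def expected_survival(segments: int, flap_prob: float) -> float:
    """Closed form for this toy model: the flow lives only if no segment flaps."""
    return (1.0 - flap_prob) ** segments


if __name__ == "__main__":
    for p in (0.0, 0.01, 0.1):
        print(f"flap_prob={p:<5} tcp={tcp_survival_rate(20, p):.3f} "
              f"expected={expected_survival(20, p):.3f} "
              f"udp={udp_queries_answered(20, p)}/20")
```

The survival rate falls off geometrically with the number of segments a flow has to carry, which is the "probabilistically, but possibly catastrophically" behaviour the RFC describes: short exchanges mostly get through, long-lived connections across a flapping path almost never do, and UDP is unaffected because no site needs prior state to answer.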