Theodore Ts'o wrote on 08/08/2021 23:40:
> Which of the top 5, 10, 100 sites on the Internet use anycast?
For starters, all the dns root servers. For content delivery, some of Cloudflare's content is delivered to end users using anycast on the front side. Are the DNS root servers top-5, top-10 or top-100 sites (asking for a friend)?
> If Facebook, Amazon, Google, Wikipedia, etc., are using standard IPv4 and IPv6 endpoints and are *not* using anycast, and they have successfully fielded defenses against DDOS's without using anycast, wouldn't that tend to blow a gigantic, gaping hole in your assertion?
It's the norm to build ddos defenses without anycast, but it has its place as a technology.
Otherwise: anycast is one of many tools in the box; rewriting the ipv6 flow label hurts ipv6 anycast when DDOS traffic sinkers use ECMP for load balancing; tcp anycast is a hack which works quite nicely for short-lived tcp sessions and barely at all for long-lived sessions (this is well-understood in network engineering circles).
@Tom your suggestions for tuning down the flow label rewriting aggression level sound reasonable.
Nick
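The interaction Nick describes between flow label rewriting and ECMP-balanced anycast is easy to see in a small model. The following is an added illustration, not code from this thread or from the kernel: it compares an RFC 6438-style router hash over (src, dst, flow label) with a classic 5-tuple hash, and counts how many mid-session label rewrites move an established session to a different ECMP next hop. The four-member sink pool, the SHA-256 stand-in for the router's hash function, the addresses and the set of trial labels are all constructed for the example.

```python
"""Why rewriting the IPv6 flow label mid-session hurts ECMP-balanced anycast.
Added illustration; the sink pool, hash function and addresses are constructed."""
import hashlib
from dataclasses import dataclass, replace

# Constructed anycast sink pool: four ECMP next hops behind one anycast address.
NEXT_HOPS = ["sink-a", "sink-b", "sink-c", "sink-d"]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flow_label: int  # 20-bit IPv6 flow label


def _bucket(fields, n):
    """Stand-in for a router's ECMP hash: digest the selected header fields
    and reduce to one of n next hops. Real hardware uses other hash
    functions, but any deterministic hash shows the same effect."""
    h = hashlib.sha256("|".join(map(str, fields)).encode()).digest()
    return int.from_bytes(h[:8], "big") % n


def ecmp_flow_label(p: Packet) -> str:
    """RFC 6438-style policy: hash (src, dst, flow label). Cheap because it
    never parses past the IPv6 header, but sensitive to label rewrites."""
    return NEXT_HOPS[_bucket((p.src, p.dst, p.flow_label), len(NEXT_HOPS))]


def ecmp_five_tuple(p: Packet) -> str:
    """Policy that hashes (src, dst, sport, dport) and ignores the label."""
    return NEXT_HOPS[_bucket((p.src, p.dst, p.sport, p.dport), len(NEXT_HOPS))]


def rewrite_flow_label(p: Packet, new_label: int) -> Packet:
    """Model the sender changing the flow label on an established session."""
    return replace(p, flow_label=new_label & 0xFFFFF)


def labels_that_move(p: Packet, policy, candidates) -> list:
    """Return the candidate labels whose rewrite steers the session to a
    different next hop than the one it started on. For stateful sinks
    (TCP scrubbers, SYN-cookie boxes, per-node session tables) any move
    means the rest of the session lands on a node that has no state for it."""
    home = policy(p)
    return [lbl for lbl in candidates if policy(rewrite_flow_label(p, lbl)) != home]


if __name__ == "__main__":
    # Constructed long-lived TCP session to an anycast HTTPS sink.
    session = Packet("2001:db8:1::10", "2001:db8:ffff::53", 51234, 443, 0x12345)
    trial_labels = range(1, 257)  # constructed set of rewritten labels
    moved = labels_that_move(session, ecmp_flow_label, trial_labels)
    print("flow-label hash: %d/256 rewrites change next hop" % len(moved))
    print("5-tuple hash:    %d/256 rewrites change next hop"
          % len(labels_that_move(session, ecmp_five_tuple, trial_labels)))
```

With four equal-cost sinks roughly three quarters of the rewrites move the session under the flow-label policy, while the 5-tuple policy never moves it. That is the mechanism behind the complaint in the thread: the more aggressively a sender rewrites the label on an established connection, the more often a long-lived session behind a flow-label-hashing ECMP group is handed to a node that knows nothing about it, which is why tuning down the rewriting aggression matters for anycast deployments.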