LinuxQuestions.org
Forum: Linux - Networking
08-28-2013, 02:46 AM #1 LeHibou2
Anycast and DDoS -> where does the mitigation occur?


Hello,

I was reading -a lot- about anycast.

Seems fine but cannot imagine how wonderfully it may stop a ddos.

I need to be sure:
Where is the unique IP? The DNS servers' or the (web) servers'?

If the former, it is easy to grab a (web)server ip and then anycast is useless.
If the latter, then I can understand how it works and how it is useful. Same ip on all the servers : one cannot attack one server but many.

But what happens when a DDoS is directed to the final IP address? How does anycast work in this case?

I really think that DNS servers servicing anycast have the list of all the relevant IPs of the infrastructure and know where to transmit the packet with the lowest hops.

Could someone help me understand? (I already read a lot but need to be reassured.)

Bests,
 
08-29-2013, 02:52 PM #2 baldy3105
Anycasting uses the concept of an IP address representing a service rather than a specific host. You can have a number of hosts advertising the same IP address because they all offer an identical service.

The point is that the network will find the topologically closest instance of this service to handle the user request.

Any particular user will always have one instance that is closest as measured by whatever routing protocol you are using, so no you couldn't attack more than one of these instances at a time from a single node.

With a Distributed DOS attack you obviously could, but then this is no more or less vulnerable than a single host. I've not read anywhere that anycasting is supposed to be a protection against DDoS anyway, where did you get this idea from?

Anycasting is basically used for the purposes of redundancy, load-balancing and network efficiency as far as I'm aware.
 
08-30-2013, 08:20 AM #3 LeHibou2 (Original Poster)
You are right,

Anycast is not actively against DDoS.

It is a passive benefit.

Lots of big companies use anycast as a way to optimize the network and "localize" DDoS.

My concern was about where these IPs are set up.

I think the solution is that anycast can be implemented at different levels: DNS, web servers...

And indeed, the security may be enhanced due to the forced localization of the attack.

Am I right ?
 
08-30-2013, 12:42 PM #4 baldy3105
I agree, security is enhanced in as much as to break the service you have to break both locations of the service.

The IPs are actually configured on loopback addresses. So I have two routers in different locations, both configured with the same public IP address. When I advertise them into the internet via BGP, the network now knows about both. If I target that IP with a tunnel and the main site goes down, BGP automatically "finds" the other instance, thus rerouting the tunnel. The destination appears to BGP to have moved, when in fact it's two different sites with the same IP.

A more usual example is that the company I work for has a DNS server at two sites. The DNS servers, on Red Hat as it happens, both have an IP on a loopback interface. That IP is advertised via OSPF into the core network.

Any users at site 1 will hit the server at site 1 as it is "closer" according to OSPF metrics. Likewise, users at site 2 hit the site 2 server. If either dies, then all traffic will hit the one that's left.

So it's a generically useful concept.
 
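The behaviour described in posts #2 and #4 (the network delivers each client to the topologically closest instance of an anycast address, and traffic shifts to the surviving instance when one dies) can be reproduced with a small shortest-path simulation. This is an added example, not code from the thread or from any router vendor; the topology, node names ("r1", "s1", "c1" and so on) and link costs are constructed and stand in for OSPF link metrics. It also shows the "localization" effect LeHibou2 asks about in #3: attack sources are counted per instance, so a flood from one region lands on that region's instance rather than on all of them.

```python
import heapq
from collections import Counter

# Constructed topology (assumption): undirected links with OSPF-style costs.
# r1..r3 are core routers, s1/s2 are the two anycast instances, c1..c3 are clients.
TOPOLOGY = {
    "r1": {"r2": 10, "s1": 1, "c1": 1},
    "r2": {"r1": 10, "r3": 20, "c2": 1},
    "r3": {"r2": 20, "s2": 1, "c3": 1},
    "s1": {"r1": 1},
    "s2": {"r3": 1},
    "c1": {"r1": 1},
    "c2": {"r2": 1},
    "c3": {"r3": 1},
}

# Both hosts advertise the same service address; the IGP sees two equal prefixes.
ANYCAST_INSTANCES = {"s1", "s2"}


def shortest_costs(topology, source):
    """Dijkstra: total path metric from source to every reachable node."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > dist[node]:          # stale heap entry
            continue
        for nbr, weight in topology[node].items():
            candidate = cost + weight
            if candidate < dist.get(nbr, float("inf")):
                dist[nbr] = candidate
                heapq.heappush(heap, (candidate, nbr))
    return dist


def nearest_instance(topology, instances, client, down=frozenset()):
    """Which instance a client's packets reach, as (instance, metric).

    'down' models instances that stopped advertising (host or link dead);
    returns None when no instance is reachable at all.
    """
    dist = shortest_costs(topology, client)
    alive = [i for i in instances if i not in down and i in dist]
    if not alive:
        return None
    best = min(alive, key=lambda i: (dist[i], i))   # lowest metric, name breaks ties
    return best, dist[best]


def attack_distribution(topology, instances, sources, down=frozenset()):
    """Count how many traffic sources land on each instance.

    Used here to show that a flood is confined to the instance nearest its
    sources instead of hitting every instance advertising the address.
    """
    counts = Counter()
    for src in sources:
        hit = nearest_instance(topology, instances, src, down)
        if hit is not None:
            counts[hit[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    for client in ("c1", "c2", "c3"):
        print(client, "->", nearest_instance(TOPOLOGY, ANYCAST_INSTANCES, client))
    print("s1 down, c1 ->", nearest_instance(TOPOLOGY, ANYCAST_INSTANCES, "c1", {"s1"}))
    # Constructed flood: three sources near site 1, one near site 3.
    print(attack_distribution(TOPOLOGY, ANYCAST_INSTANCES, ["c1", "c1", "c2", "c3"]))
```

The failover case is the one worth noting for the thread's question: when "s1" is withdrawn, "c1" is still served, but by "s2" at a much higher metric, and every source that previously landed on "s1" now lands on "s2". Anycast therefore spreads and localizes a flood; it does not absorb it, which matches baldy3105's point that a distributed attack is no harder against an anycast address than against a single host once the nearest instance is saturated.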
08-30-2013, 03:54 PM #5 LeHibou2 (Original Poster)
I think you are right,

Many thanks for your clarifications, baldy.

See you,
 
Tags: ddos, routing, security