Why global DDoS protection is essential for Anycast networks
2022-01-18 11:55

Anycast's advantages were understood in principle, but it took the DDoS attack in 2007 to shift the dial for DNS Anycast, as big Content Delivery Networks and top-level domain registrars adopted the technology at speed.

"For Anycast to work, you have to know how Internet global routing and BGP works. But we were DNS guys, not network guys. We had to learn it the hard way over several years. Even now, 50 per cent of the work at RcodeZero DNS is maintaining perfect global routing," agrees Darilion.

"Even using Anycast, you'll still get DDoS attacks. Of course, the more servers you have, the more you can handle attack traffic from small DDoS attacks. The problem is there are also big DDoS attacks. If you experience a one terabit DDoS then it doesn't matter if you have one server or a 100 servers, they will still be overloaded," says Darilion.

The lesson learned was that global DDoS protection is now essential for Anycast networks, hence the decision to start using Cloudflare's Magic Transit anti-DDoS service.

Enterprise customers have different priorities from TLDs, and a growing number want DNS Anycast in conjunction with additional services such as DDoS mitigation.

"Ten years ago, Anycast was a new feature mentioned everywhere in our marketing. Now you don't mention Anycast because if you don't have Anycast it's not a good DNS service. Now it's become implicit. Most of the customers that come to us, stay with us."


News URL

https://go.theregister.com/feed/www.theregister.com/2022/01/18/if_you_dont_have_anycast/