Anycast - Mitigating Denial-of-service Attacks

Mitigating Denial-of-service Attacks

In a denial-of-service attack, a rogue network host may advertise itself as an anycast server for a vital network service (by announcing the service's anycast prefix into the routing system from its own location), either to serve false information or simply to absorb and drop requests, blocking the service for every client whose traffic is routed to it.

Conversely, anycast deployment can be used to disperse distributed denial-of-service (DDoS) traffic and blunt its effect: because each packet is routed to the node closest to its source, a choice the attacker does not control, the attack traffic is divided among the nodes nearest each attacking host. Thus not all nodes are necessarily affected, and a node far from the attack sources may see none of the traffic at all. This is one reason to deploy anycast addressing.
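As an added illustration (not part of the original article), the following Python script models the dispersal just described on a constructed toy topology: it runs Dijkstra from each attacking network to find the anycast node that routing would select, sums the attack traffic per node, and compares the result with the same traffic aimed at a single unicast host. The AS names, link costs, node placement and traffic figures are invented for the example; real catchments are decided by BGP policy, not pure path cost, so treat this as a model of the mechanism rather than of any particular network.

```python
import heapq
from collections import defaultdict

# Constructed toy topology: undirected weighted links between autonomous systems.
# The weight stands in for whatever metric makes one anycast node "closer" than
# another (AS-path length, IGP cost); it is invented for the example.
TOPOLOGY = {
    ("AS1", "AS2"): 1, ("AS2", "AS3"): 1, ("AS3", "AS4"): 1,
    ("AS4", "AS5"): 1, ("AS5", "AS6"): 1, ("AS6", "AS1"): 1,
    ("AS2", "AS7"): 2, ("AS7", "AS5"): 2,
}

# Three instances of one anycast prefix, each announced from a different AS.
ANYCAST_NODES = {"AS1": "node-a", "AS4": "node-b", "AS7": "node-c"}

# Constructed attack traffic: (source AS, packets per second).
ATTACK_SOURCES = [("AS2", 400), ("AS3", 300), ("AS5", 200), ("AS6", 100), ("AS7", 50)]


def build_graph(edges):
    """Adjacency map from the (a, b) -> weight edge table."""
    graph = defaultdict(dict)
    for (a, b), weight in edges.items():
        graph[a][b] = weight
        graph[b][a] = weight
    return graph


def nearest_node(graph, src, nodes):
    """Dijkstra from src; return the anycast node name with the lowest path cost.
    Ties are broken by node name so the result is deterministic."""
    dist = {src: 0}
    heap = [(0, src)]
    visited = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in visited:
            continue
        visited.add(u)
        for v, w in graph[u].items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    best = min((dist.get(asn, float("inf")), name) for asn, name in nodes.items())
    return best[1]


def anycast_load(edges, nodes, sources):
    """Per-node attack load when every source's packets go to its nearest node."""
    graph = build_graph(edges)
    load = {name: 0 for name in nodes.values()}
    for src, pps in sources:
        load[nearest_node(graph, src, nodes)] += pps
    return load


def unicast_load(nodes, sources):
    """Same traffic aimed at one unicast host: everything lands on a single node."""
    total = sum(pps for _, pps in sources)
    return {name: (total if i == 0 else 0) for i, name in enumerate(nodes.values())}


if __name__ == "__main__":
    print("anycast:", anycast_load(TOPOLOGY, ANYCAST_NODES, ATTACK_SOURCES))
    print("unicast:", unicast_load(ANYCAST_NODES, ATTACK_SOURCES))
```

With this topology the 1050 packets per second that would all hit one unicast host are split 500 / 500 / 50 across the three anycast nodes; node-c, whose catchment contains only AS7, is barely touched. The same model also shows the limit of the technique: an attacker whose sources all sit inside one node's catchment concentrates the whole attack on that node.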

The effectiveness of this technique at diverting attacks is questionable, however, because the per-node unicast addresses (used for maintenance) can be easy to obtain, at least on IPv6 under the original addressing rules. RFC 2373 stated that "An anycast address must not be used as the source address of an IPv6 packet." Under that rule, pinging an anycast address returns a reply whose source is the unicast address of the closest node, since the reply must come from a unicast address. An attacker who collects such replies from several vantage points, each of which reaches its own closest node, can then attack individual nodes directly, bypassing the load distribution anycast provides. The same method works on some, but not all, IPv4 anycast deployments, depending on whether a node answers from the anycast address or from its own unicast address. RFC 2373 also restricted anycast IPv6 addresses to routers only. Both of these restrictions were lifted in RFC 4291, so a node may now answer from the anycast address itself, and whether the unicast address leaks is a matter of how each node is configured. An operator can check this by probing the anycast address and comparing the source of the reply with the address probed.
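To turn the probe described above into a check an operator can run against their own deployment, here is an added Python example (not from the article): it parses raw IPv4/ICMP and IPv6/ICMPv6 echo replies and reports when a reply was sourced from an address other than the anycast address that was probed, which is exactly the condition under which a node's unicast address leaks. The packets are constructed inline from documentation prefixes (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32) with zeroed checksums so the script runs offline; capturing real replies with a raw socket or from a pcap is left to the reader.

```python
import ipaddress
import struct


def ipv4_echo_reply(src: str, dst: str) -> bytes:
    """Constructed IPv4 packet carrying an ICMP echo reply (type 0).
    Checksums are left at zero: offline test input, not a wire-valid packet."""
    icmp = struct.pack("!BBHHH", 0, 0, 0, 0x1234, 1)             # type, code, csum, id, seq
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,     # ver/IHL, TOS, len, id, frag, TTL, proto=ICMP, csum
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + icmp


def ipv6_echo_reply(src: str, dst: str) -> bytes:
    """Constructed IPv6 packet carrying an ICMPv6 echo reply (type 129)."""
    icmp = struct.pack("!BBHHH", 129, 0, 0, 0x1234, 1)
    hdr = struct.pack("!IHBB16s16s",
                      0x60000000, len(icmp), 58, 64,                # version 6, payload len, next hdr=ICMPv6, hop limit
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + icmp


def parse_reply(packet: bytes):
    """Return (src, dst, is_echo_reply) for a raw IPv4 or IPv6 packet.
    Only the fields this check needs are decoded; IPv6 extension headers are not handled."""
    version = packet[0] >> 4
    if version == 4:
        ihl = (packet[0] & 0x0F) * 4
        src = str(ipaddress.IPv4Address(packet[12:16]))
        dst = str(ipaddress.IPv4Address(packet[16:20]))
        is_reply = packet[9] == 1 and packet[ihl] == 0              # proto ICMP, ICMP type 0
    elif version == 6:
        src = str(ipaddress.IPv6Address(packet[8:24]))
        dst = str(ipaddress.IPv6Address(packet[24:40]))
        is_reply = packet[6] == 58 and packet[40] == 129            # next header ICMPv6, type 129
    else:
        raise ValueError("not an IPv4 or IPv6 packet")
    return src, dst, is_reply


def leaked_unicast_address(probed_anycast: str, reply: bytes):
    """If the echo reply to a probe of probed_anycast was sourced from some other
    address, that address is the answering node's unicast address: return it.
    Return None when the node answered from the anycast address (nothing leaked),
    when the packet is not an echo reply, or when the IP version does not match."""
    src, _dst, is_reply = parse_reply(reply)
    if not is_reply:
        return None
    src_addr = ipaddress.ip_address(src)
    probed = ipaddress.ip_address(probed_anycast)
    if src_addr.version != probed.version or src_addr == probed:
        return None
    return src


def enumerate_nodes(probed_anycast: str, replies):
    """Distinct unicast addresses revealed by replies gathered from many vantage
    points; each vantage point reaches its own closest node, so the set grows
    with the number of places the probe is sent from."""
    found = {leaked_unicast_address(probed_anycast, r) for r in replies}
    found.discard(None)
    return sorted(found)


# Constructed sample: the anycast service sits on 192.0.2.1 / 2001:db8::1;
# 198.51.100.7 and 2001:db8:ffff::7 stand in for per-node maintenance addresses.
SAMPLE_REPLIES = [
    ipv4_echo_reply("198.51.100.7", "203.0.113.5"),        # node answering from its unicast address (leak)
    ipv4_echo_reply("192.0.2.1", "203.0.113.5"),           # node answering from the anycast address
    ipv6_echo_reply("2001:db8:ffff::7", "2001:db8:1::9"),  # RFC 2373 behaviour: unicast source (leak)
    ipv6_echo_reply("2001:db8::1", "2001:db8:1::9"),       # RFC 4291 permits the anycast source
]

if __name__ == "__main__":
    print("IPv4 nodes revealed:", enumerate_nodes("192.0.2.1", SAMPLE_REPLIES))
    print("IPv6 nodes revealed:", enumerate_nodes("2001:db8::1", SAMPLE_REPLIES))
```

A non-empty result means the deployment is exposed to the per-node attack the paragraph describes; the fix is on the node side (answer from the anycast address, which RFC 4291 allows) and at the edge (filter traffic addressed to the maintenance addresses), not in the probe.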

Authentication of anycast transmissions addresses the first problem, a rogue host posing as an anycast server, because clients can reject answers that the genuine service did not sign. It does not hide the nodes' unicast addresses; those must be protected separately, by having nodes answer from the anycast address and by filtering traffic sent to the maintenance addresses.
