network background popup

How to Monitor Anycast

Sep 28th 2013

What is Anycast?

Anycast is a routing configuration that takes the public IP address of a web service, such as a DNS or a website, and announces its reachability from more than one location. Normally, in a traditional routing configuration, the public IP address of the web service exists in only one location, thus users will end up using only this location.

Imagine a user in France wants to access a website that is hosted in Los Angeles. The traffic from this user travels from France, to Los Angeles, and then all the way back to France for every single request that is made. However, if the website was made available using an Anycast configuration, the user would have a range of nodes to chose from (London, New York City and Los Angeles). The path to the London node from the French user is much shorter— a quarter of a second (about 120ms each direction) is saved for each request and the site would end up loading seconds faster.

The addition of instances in geographically disperse locations provides a number of benefits:

  • Less latency and faster response time – Users communicate with the closest possible node, resulting in faster load times and a more satisfactory experience.
  • More nodes equals more capacity – Depending on the website’s user base, users can be balanced between multiple locations, increasing the maximum user capacity.
  • High availability – If an Anycast node fails or becomes unavailable, users can still reach the website from another node.
  • DDoS Mitigation – The majority of attacks to an Anycast network are distributed over the multiple nodes, weakening the attack, and aids in a websites’ DDoS protection.


Troubleshooting Anycast issues is simple and easy provided you know where the anycast nodes are, and can subsequently test from a vantage point close to each node. Users unable to reach an Anycast service can show their provider a network trace, which shows the path to the closest Anycast node. In this example we’ve performed trace to DOSarrest’s main site which follows a path to the closest Anycast node, which happens to be in New York.


Troubleshooting the user to website connection for immediate network layer issues such as packet loss and jitter can be done with the ping tool. Unfortunately, most providers have restricted this type of traffic. An alternative method is to perform a TCP-like ping using other tools such as nmap and hping which show similar results.


Anycast monitoring

Anycast service providers use a collection of distributed sensors to allow the monitoring of each Anycast node for problems. Depending on the service being offered, these sensors are configured to specifically watch for changes in normal operation. The deployment location of each sensor is important, and thus placed in close proximity to a node. The DOSarrest External Monitoring Service “DEMS” utilizes multiple sensors for each Anycast node in its Proxy Defense Network. Each website’s response, execution and transfer time is measured. Bad web response codes and content errors are all reported in real time to the 24×7 support team. More information about the DEMS and DOSarrest services can be found here:

Alex Pieczonka,

DOSarrest Security Operations Analyst

Added By : Alex Pieczonka

DDoS Article Categories