Anycast
Anycast advertises the same IP address from many physical locations at once and lets the routing system deliver each client to whichever location is closest. One address, dozens of datacenters: a client opens a connection to 1.1.1.1 and the network silently steers it to the nearest of hundreds of sites announcing that prefix. There is no special anycast protocol — it is ordinary BGP, with many ASes (or many sites in one AS) originating the identical prefix.
This makes anycast the backbone of resilient internet infrastructure: the DNS root servers, public resolvers like 8.8.8.8 and 1.1.1.1, CDN edges, and large-scale DDoS absorption all run on it. Geography, load distribution, and failover are handled by the routing fabric itself rather than by any application logic — which is its strength and, for stateful traffic, its sharpest edge.
announce 1.1.1.1
selection
per client
⇒ failover
The Anycast Model
The mechanism is deliberately plain. The same prefix is announced from every site over BGP, so every router on the internet ends up with a route toward whichever origin its own path selection prefers — and by BGP's logic, that is usually the topologically nearest one. A packet to the anycast address follows that route and lands at one site; a packet from a different part of the internet, following its own router's best path, lands at a different site. The address is shared; the destination is whoever is closest in routing terms.
Failover falls out of the same machinery. If a site goes down and stops announcing the prefix, BGP withdraws that route and every affected client is simply routed to the next-nearest site that is still announcing. No DNS change, no client reconfiguration — the routing table reconverges and traffic moves. This is why withdrawal speed equals failover speed: how fast the dead site's announcement is pulled determines how fast clients shift away.
Stateless and Short Flows
Anycast shines for stateless or very short interactions, which is exactly what DNS is. A DNS query over UDP is one packet out and one packet back; whichever site answers, the transaction is complete before routing has any chance to change underneath it. There is no session to preserve, so it does not matter that the next query might land at a different site — every query is independent and self-contained.
CDN edges lean on the same property for the request-routing layer: an anycast address gets the client to a nearby edge fast, and the edge then serves cached content or hands off to a more specific backend. The pattern works because the steering decision is made per-connection and the work each site does is largely independent — anycast handles "get the client somewhere near," and the application handles the rest.
Anycast and TCP
Long-lived stateful flows are where anycast gets dangerous. A TCP connection is state pinned to one endpoint, but anycast makes no promise that every packet of a flow reaches the same site — it promises only that each packet reaches the routing-nearest site at that moment. If the path shifts mid-connection (a BGP reconvergence, a link change, load balancing across equal paths), later packets can arrive at a different site that has no record of the connection, and it resets — the flow snaps.
In practice anycast TCP works most of the time because routes are usually stable for the seconds a short HTTP request lasts, and operators add safeguards: keeping flows short, using consistent-hashing load balancers behind the anycast address, or pinning a session to a unicast address after an initial anycast handshake. The caveat stands — anycast steers packets, not connections, so anything that must outlive a route change needs help to stay on one site.
# the same address answers from different sites depending on where you are # a Hostname CHAOS query reveals which physical node served you dig @1.1.1.1 +short CH TXT id.server # "SEA" <- from Seattle: routed to the nearest anycast site # run from another region and the same address answers from another node
DDoS Absorption
Anycast turns geographic spread into a defense. A volumetric DDoS attack against an anycast address does not converge on one datacenter — each attacking source is routed to its nearest site, so the flood is automatically split across every location announcing the prefix. An attack that would saturate a single site is divided across dozens, and each site only has to survive the slice of traffic that its region's routing sends it.
This is why large DNS and CDN operators run anycast across hundreds of sites: the same routing that puts users near content also disperses attackers near nothing in particular. The attack's own distribution becomes the network's load balancer, and the defender's job shrinks from absorbing the whole flood to absorbing the largest single regional fraction of it.
Anycast steers at the routing layer: one IP announced from many sites, BGP picks the closest, failover is automatic when a site withdraws. Choose it for stateless or short flows — DNS, CDN edge entry, DDoS absorption — where per-packet steering is fine. Unicast is one address, one site: simple and stable, with state never at risk, but no built-in geographic distribution or failover.
GeoDNS steers at the DNS layer: it hands different clients different unicast addresses based on resolver location, so each client then holds a fixed endpoint for the whole session. Choose GeoDNS when flows are long-lived and must stay on one site; its failover is slower (bounded by DNS TTLs) but it never reroutes a live connection mid-flight the way anycast can.
- Anycasting a stateful TCP service with no session affinity. A mid-flow reroute lands later packets at a site that never saw the handshake, and it resets the connection — the flow snaps with no obvious cause in the application logs.
- Assuming anycast delivers the geographically closest site. It delivers the BGP-closest one, which can be a different continent if peering and path policy say so — proximity in routing is not proximity in miles.
- Ignoring that withdrawal speed sets failover speed. A dead site that keeps announcing its prefix (a stuck BGP session, no health check tied to the announcement) keeps drawing clients into a black hole until the route is finally pulled.
- Running long downloads or persistent connections straight over an anycast address. The longer the flow, the higher the chance a route change moves it to a fresh site mid-transfer and breaks it partway through.
- Treating anycast as a load balancer you can tune. You do not control the split — BGP path selection across the internet does — so one site can receive far more traffic than another with no knob to even it out directly.
- Reserve anycast for stateless or short request-response traffic like DNS and CDN edge entry, where each transaction completes before any route change can move it to another site.
- Tie each site's BGP announcement to a health check so a failing site withdraws its prefix immediately, since failover is only as fast as the withdrawal that triggers it.
- Add session affinity behind the anycast address — consistent-hashing load balancers or a unicast pin after the handshake — for any TCP service that must survive a mid-flow reroute.
- Spread anycast sites widely to absorb DDoS by dispersing attackers to their nearest node, so no single datacenter takes more than its regional fraction of a volumetric flood.
- Reach for GeoDNS instead of anycast when flows are long-lived and must stay pinned to one site, accepting TTL-bound failover in exchange for never rerouting a live connection.
Knowledge Check
Why is DNS such a natural fit for anycast?
- A query is a stateless one-shot exchange that finishes before routing can change
- DNS traffic is encrypted, so it is safe to route across many sites
- Each resolver is permanently pinned to one anycast server for all of its future queries
- DNS responses are large, so spreading them across sites saves bandwidth
What is the core caveat when running a long-lived TCP service over an anycast address?
- A route change mid-flow can send packets to a different site, which resets the connection
- The payload is silently corrupted each time the connection happens to cross over to a new site
- Every packet must travel to all sites at once, multiplying the latency
- Anycast caps each address at one TCP connection at a time per site
How does anycast help absorb a volumetric DDoS attack?
- Each attack source is routed to its nearest site, spreading the flood across all of them
- It inspects each packet individually and drops the attack traffic before it ever reaches a site
- It funnels all attack traffic to one hardened site built to take the load
- It reflects the attack traffic back toward the original sources to absorb it
You got correct