Networking

Anycast

Multiple servers announce the same /24 — BGP routes each user to the closest

Anycast is a network-addressing technique where multiple servers in different geographic locations advertise the same IP prefix via BGP. The Internet's routing layer naturally delivers each user's packets to the topologically closest instance. Used for DNS root servers (the 13 root letters each have 1000+ anycast instances globally — at least 1500 anycast nodes for the root system), CDN edge IPs, public DNS resolvers (1.1.1.1 from Cloudflare, 8.8.8.8 from Google), and DDoS absorption. Compared to unicast (one IP, one server), anycast trades some routing precision for automatic failover (a dead PoP withdraws its BGP announcement) and load balancing — but stateful protocols (TCP, TLS) need careful handling because the routing path can shift mid-connection.

DNS root anycast nodes~1500 globally
Cloudflare 1.1.1.1anycast
Google 8.8.8.8anycast
UDP-friendlyyes
TCP-friendlyneeds care
Failure handlingBGP withdrawal

Interactive visualization

Press play, or step through manually. The visualization is yours to drive — try it before reading on.

Open visualization fullscreen ↗

Watch the 60-second explainer

A condensed visual walkthrough — narrated, captioned, under a minute.

How anycast actually delivers packets

The default Internet addressing model is unicast: one IP belongs to one server, and routing tables list exactly one path to that IP. Anycast breaks the assumption. Many servers share the same IP, and each one independently announces the prefix containing that IP into BGP. The global routing table now contains many paths to the same prefix, originating from different ASes or different points in the same AS.

BGP's path-vector selection silently does the work: each router picks its single best path to the prefix using the standard tiebreakers (LOCAL_PREF, AS_PATH length, MED, IGP cost). The result is that every router on the Internet has chosen one anycast instance as its destination — the one closest to it by routing policy. A user in Berlin sees Frankfurt; a user in Sydney sees the Sydney instance; nobody changed any DNS.

The four addressing models compared

Model	One IP maps to	Used for	Routing
Unicast	One server	Default Internet — every web server	One best path
Multicast	Subscribed group	IPTV inside ISPs, financial market data, IPv6 ND	Tree of receivers
Broadcast	Every host on a subnet	ARP, DHCP discovery (link-local only)	Subnet flood
Anycast	The closest of N servers	DNS roots, public resolvers, CDN edges	BGP picks one

How operators announce an anycast prefix

Two requirements. First, the operator must own (or be authorized to announce) an IP prefix — typically a /24 for IPv4 (the smallest globally-accepted route) or /48 for IPv6. Second, the same prefix must be announced from every PoP that participates.

Inside one AS, this is straightforward: each PoP's router originates the same prefix into iBGP and eBGP, and the operator ensures the upstream peers accept and propagate the announcement. The BGP best-path selection at each remote AS handles the rest — there is no central directory of "which PoP serves which user."

# Example FRRouting config — announce 192.0.2.0/24 from this PoP
router bgp 65001
  network 192.0.2.0/24
  neighbor 198.51.100.1 remote-as 65000
  neighbor 198.51.100.1 prefix-list ANYCAST out
!
ip prefix-list ANYCAST permit 192.0.2.0/24

# Verify the announcement is being seen at a public looking glass
$ curl -s 'https://stat.ripe.net/data/looking-glass/data.json?resource=192.0.2.0/24' | jq

DNS root servers — the canonical anycast deployment

The 13 root server letters (A through M) serve every uncached lookup for top-level domains. As of 2026 the system handles roughly 1.5 trillion queries per day. No single machine could absorb that, so each letter is a cluster of hundreds of identical anycast servers:

Letter	Operator	Approximate anycast instances
A	Verisign	120+
F	Internet Systems Consortium (ISC)	250+
K	RIPE NCC	100+
L	ICANN	200+
...	...	...
Total	12 organizations	~1500 (root-servers.org)

An additional benefit: the 13-letter limit was a UDP DNS packet-size constraint from the 1980s, not a count of physical servers. Anycast removes the scaling concern entirely.

Public resolvers and the rise of 1.1.1.1

Cloudflare's 1.1.1.1 (launched 2018) is announced from every Cloudflare PoP. A user in Mumbai querying 1.1.1.1 reaches the Mumbai PoP; a user in São Paulo reaches São Paulo — same IP, dramatically different physical machines. Median resolution latency for 1.1.1.1 is 8-15 ms globally. Google's 8.8.8.8 (launched 2009) and Quad9's 9.9.9.9 use the same model.

Public resolver	Operator	Anycast PoPs	Notable feature
1.1.1.1	Cloudflare	300+	Privacy-first, no-logs claim
8.8.8.8	Google	large	EDNS Client Subnet support
9.9.9.9	Quad9	200+	Threat-blocking by default
208.67.222.222	OpenDNS / Cisco	large	Family-safe categories

TCP and TLS — the careful part

Anycast is trivially safe for stateless protocols. UDP DNS sends one query, gets one response — even if the next query lands on a different node, both nodes have the same authoritative answer.

Stateful protocols are harder. A TCP connection involves sequence numbers, window state, and TLS keys held only by the originating server. If BGP routes shift mid-flight, packets land on a node that has no memory of the connection and replies with RST. Real-world risks:

Peering changes. A transit provider drops a session; routes withdraw and re-converge. Connections moving across the boundary die.
Backbone reroutes. An MPLS path reconverges inside a Tier-1; the egress interface for a destination changes; a different anycast PoP becomes closest.
Anycast at the edge of the AS. The user is hashed to a different egress interface by the customer's ECMP router, even within one PoP — internally this is multipath unicast, but if PoPs share a frontend layer it can have similar effects.

Empirical Cloudflare data shows ~99.5% of TCP connections stay on a single anycast PoP for their lifetime. Long-lived sessions (WebSockets, RTMP, HTTP/3 pings) are more exposed and benefit from connection migration features — QUIC's built-in connection ID is partly motivated by this problem.

Failover via BGP withdrawal

One of anycast's biggest operational wins: failover is automatic. When a PoP goes offline, its BGP daemon stops sending KEEPALIVEs to its upstream and the session times out — typically within 30-180 seconds. The upstream withdraws the prefix toward the rest of the Internet, and BGP best-path selection on every other AS picks the next-closest PoP automatically.

For faster failover, operators use BFD (Bidirectional Forwarding Detection, RFC 5880), which detects link death in 50-300 ms by exchanging UDP probes, and tear down the BGP session immediately. With BFD plus anycast, traffic shifts from a dead PoP to its peers in well under a second.

DDoS absorption

An anycast deployment naturally distributes inbound attack traffic. Suppose attackers fire 1 Tbps from a botnet of 100,000 hosts. Each bot's traffic follows BGP toward the destination IP, but each bot's "closest" PoP differs. The 1 Tbps gets fragmented across hundreds of PoPs — perhaps 3-5 Gbps per PoP — well within a single PoP's capacity to filter and drop.

Cloudflare publicly claims 248 Tbps of distributed mitigation capacity. AWS Shield Advanced sits behind CloudFront's anycast layer and offers similar dispersion. The defender gets a multiplier: the attacker has to find more, geographically diverse bots to overwhelm any single PoP.

Verifying anycast from your laptop

# Which PoP is 1.1.1.1 from your network?
curl https://1.1.1.1/cdn-cgi/trace
# Output:
#   ip=...
#   colo=FRA   <-- Frankfurt
#   loc=DE

# Same query from a different network may return a different colo
ssh aws-tokyo "curl -s https://1.1.1.1/cdn-cgi/trace | grep colo"
# colo=NRT

# Trace to see the AS path
mtr --aslookup --report --report-cycles 5 1.1.1.1

# Check anycast announcements at RIPE RIS
curl -s 'https://stat.ripe.net/data/announced-prefixes/data.json?resource=AS13335' | jq '.data.prefixes[] | select(.prefix == "1.1.1.0/24")'

# DNS chaos query — see which root instance you actually hit
dig @a.root-servers.net hostname.bind chaos txt
# returns identifier of the specific physical instance

Why anycast matters

Latency. Replace a 200 ms transcontinental path with a 10 ms regional one without changing anything client-side.
Failover. A dead PoP withdraws its announcement; traffic shifts in seconds. No manual DNS changes, no TTL waits.
DDoS absorption. Botnet traffic disperses across the operator's entire footprint; the per-PoP load stays manageable.
Scalable DNS. The 13 root letters serve trillions of queries via 1500 physical instances; without anycast the model would have collapsed in the 1990s.
Public resolvers. 1.1.1.1, 8.8.8.8, 9.9.9.9 — one IP, many physical answers, low latency for everyone.
Operational simplicity. One IP, one cert, one config; BGP does the hard part.

Common misconceptions

"Round-trip ping doesn't lie." Anycast IPs can take asymmetric paths — outbound to PoP A, inbound from PoP B if return routing differs. Ping RTT only tells you the closer of the two.
"TCP doesn't work." TCP works fine if BGP is stable; most production CDNs run anycast TCP at scale. The risk is route changes mid-connection, not anycast itself.
"Anycast is just magic load balancing." Granularity is BGP-table size — typically per-AS or per-prefix. You can't anycast at per-request granularity; that's L7 load balancing.
"All public IPs can be anycasted." You need to own the prefix and have the routing relationships to announce it from multiple ASes (or one AS with many transit providers). Random VMs cannot do anycast.
"Source IP tells you where the user is." Yes, but the destination IP (the anycast IP) tells you nothing about where they connected — every anycast user sees the same destination.
"Anycast equals geo-routing." BGP picks by AS-path length and policy, not geography. A user in Tokyo can end up routed to Singapore if Singapore is closer in BGP terms.
"Anycast is rare." Almost every major CDN, every public DNS resolver, and the entire DNS root system run on anycast. It is one of the most-used techniques on the modern Internet.

Frequently asked questions

How does anycast differ from load balancing?

Load balancing distributes requests within a known set of backends behind a single front-end IP — the load balancer is itself a unicast destination, then it picks a backend (round-robin, least-connections, hash). Anycast distributes the front-end itself: many servers share one IP and BGP picks which physical node receives each packet. Anycast's granularity is BGP-table-sized (per-AS or per-prefix); load-balancer granularity is per-request. Anycast often sits in front of a load balancer at each PoP.

Why does anycast work for UDP but need care for TCP?

UDP is stateless: each datagram is independent, so it does not matter if successive packets reach different anycast nodes — DNS query and DNS response are usually a single round trip. TCP is stateful: the SYN, SYN-ACK, and subsequent data have to reach the same node because each side holds sequence numbers, congestion windows, and TLS state. If BGP changes mid-connection (a peering link drops, MPLS reroutes), the new node receives a packet for an unknown connection and responds with RST. Mitigations: stable BGP (announce same prefixes from same upstreams), session-level fallback, or Layer-7 reconnect logic.

What happens if BGP routes change mid-TCP-connection?

Two outcomes. (1) Connection breaks — the new anycast node receives an out-of-state packet and sends RST. The client gets a connection-reset error and has to reconnect. (2) State sync — some operators replicate TCP state across nearby PoPs (Cloudflare's BinaryEdge, Fastly's gossip layer) so the new node knows the connection. In practice, BGP within an AS is stable enough that mid-connection moves are rare; ~99.5% of TCP flows complete on a single anycast node according to Cloudflare measurements. Long-lived connections (WebSockets, HTTP/3) are more vulnerable.

How do CDNs use anycast vs DNS-based routing?

Cloudflare and Fastly are anycast-first: every PoP announces the same IP for the customer's domain; BGP picks the PoP. Akamai (classic) and AWS CloudFront are DNS-first: the authoritative DNS server returns a different IP per client based on geo lookup. Anycast is simpler to operate (one IP, one cert, BGP does the work) and faster to fail over (withdraw the prefix, traffic shifts in seconds). DNS routing gives finer granularity (per-resolver geographic targeting via EDNS Client Subnet) and works behind networks that mishandle anycast. Modern hybrids use DNS to pick a region, anycast to pick a PoP within the region.

Why are root DNS servers anycast?

The 13 root server letters (A through M) are operated by 12 organizations and serve every authoritative DNS query for top-level domains. With ~1.5 trillion daily queries globally, no single physical server could handle the load — so each letter is an anycast cluster of hundreds of identical servers across the world. As of 2026, the root system has roughly 1,500 anycast instances. A query from Tokyo and a query from London each reach 'the root' in 5-10 ms because BGP delivers to the closest physical instance. The model also makes the system DDoS-resistant — taking down one instance just shifts load to peers.

How does anycast absorb DDoS attacks?

A 1 Tbps attack against a single IP would saturate any link. With anycast, the same destination IP is announced from hundreds of PoPs; BGP delivers attack traffic to whichever PoP is closest to each attacker. A geographically-distributed botnet ends up dispersed across the entire CDN footprint, and no single PoP sees more than its slice. The attack capacity scales with the defender's PoP count. Cloudflare publicly claims 248+ Tbps of mitigation capacity by combining anycast distribution with per-PoP scrubbing.

What is unicast vs multicast vs anycast?

Unicast: one IP, one server, one-to-one delivery — the default model on the Internet. Multicast: one IP, many recipients, one-to-many delivery — the sender emits one packet, the network duplicates it to every subscriber (used inside data centers and IPTV but rare on the public Internet). Anycast: one IP, many servers, one-to-nearest delivery — the network picks one recipient based on routing topology. Broadcast (one IP, every host on a subnet) is the fourth, mostly historical.