11/05/2025 | Press release | Distributed by Public on 11/05/2025 04:26
Contributors: Suzan Bayhan (University of Twente), Ralph Holz (University of Munster and University of Twente), Saeedeh Shokoohi (University of Waikato), Marinho Barcellos (University of Waikato), and Cristian Hesselman (SIDN Labs and University of Twente).
An Autonomous System (AS) can protect itself against DDoS attacks by rerouting incoming DDoS traffic through a 'DDoS scrubber', a process that is typically implemented using the Border Gateway Protocol (BGP). While BGP-based scrubbing is a useful service, its adoption on the global Internet is unknown. This lack of visibility hinders the ability to assess how effectively the Internet can mitigate large-scale DDoS attacks and maintain service availability for legitimate traffic. We therefore developed a methodology that sheds light on the adoption of the top five global BGP-based DDoS scrubbers from 2020 to 2024. This post is the summary of the paper we presented at the International Conference on Network and Service Management (CNSM'25).
DDoS scrubbing
Distributed Denial of Service (DDoS) scrubbing is a mechanism to mitigate DDoS attacks by diverting traffic toward scrubbers. The scrubber generally runs a globally distributed network of data centres so that it can mitigate a DDoS attack as closely as possible to the source, allowing only the legitimate traffic to reach the protected network. There are two types of DDoS scrubbing based on how traffic is diverted: DNS-based and BGP-based. DNS-based scrubbing is typically used to protect websites by redirecting traffic through changes to DNS records (CNAME or A records). BGP-based scrubbing, on the other hand, protects entire networks that host multiple services - such as databases, email, or IP telephony - and requires the customer to operate their own AS, referred to as the protected AS. In our work, we studied the deployment of BGP-based scrubbing services on the global Internet, which, to the best of our knowledge, is largely unexplored.
In BGP-based scrubbing, the protected AS connects to its scrubber using methods such as GRE tunnels, direct connections, or peering arrangements (for example, through an Internet Exchange or data centre). The AS then advertises its routes to the scrubber using either BGP or static routing, with BGP generally preferred for its flexibility and simplified network management. Depending on the protection mode, the AS can either continuously announce its prefixes through the scrubber ('always-on' protection) or advertise them only during an attack ('on-demand' protection).
Why is knowing the adoption of BGP-based DDoS scrubbing important?
We believe insight into the adoption of BGP-based scrubbers is of interest to several audiences. For example, it would enable operators of ASes to select transit providers or peers that are using DDoS protection, which would increase the DDoS resilience of BGP paths. Another example is the MANRS+ Working Group, which aims to enhance routing security through stricter compliance and audits. They can use insights into the adoption of DDoS scrubbers for their 'DDoS Attack Prevention' metric, which tracks ASes using BGP-based DDoS protection. Also, national policymakers or network operator groups can use it to consider the adoption of DDoS protection services in their economy or community, respectively.
Understanding the working of BGP-based DDoS scrubbing
We focused on the global top five BGP-based scrubbers in the 2021 Forrester Wave Market Analysis: Akamai Prolexic, Cloudflare, Vercara (formerly Neustar), Imperva, and Radware. We chose this list because, to the best of our knowledge, there is no collated, comprehensive, and authoritative list of DDoS scrubbers.
To understand how these scrubbers work, we explored their documentation as well as that of three other scrubbers. We also analysed reports on historical scrubbing activities, including blogs (Kentik, ThousandEyes) and mailing lists. We validated our understanding of scrubbing mechanisms with operators from four scrubbers: NaWas, DDoS-Guard, Akamai, and Radware. We found that BGP-based scrubbing falls into two categories. In the first, the scrubber appears as the upstream of a protected AS in BGP data, which leads to four different patterns in BGP data, as we explain in the following section. In the second, a protected AS delegates the origination of its prefixes to the scrubber, which means that the scrubber appears as the origin AS in BGP data.
In our paper and in this blog, we focus on the model with the scrubber appearing as an upstream of a protected AS. We leave the second model (re-origination of a protected prefix) as future work.
Identifying protected prefixes and ASes using four BGP AS-PATH patterns
We analysed Routing Information Base (RIB) data collected by RIS and Routeviews collectors on the first day of each month from 2020 to 2024. This monthly sampling serves our objective of providing an initial overview of the adoption of BGP-based DDoS scrubbing services while minimizing the volume of RIB data to be processed.
We identified four patterns in which a scrubber AS number (ASN) appears as an upstream of a protected AS in the RIBs data, as shown in Table 1. The right column shows an example for each pattern for Radware's scrubber, whose ASN is 198949. For example, an AS-PATH following pattern 3 has the protected AS as the origin (AS28006), the scrubber AS as an upstream provider (AS198949, third position), and a sibling AS (AS26613) between them. The ASNs 28006 and 26613 belong to the same organization.
We did not consider pattern 4 because we were unable to conclude that the origin AS (AS15814 in the example in Table 1) is using a scrubber. Also, this pattern is very rare in our analysis (see Figure 1).
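The following sketch shows how the upstream check can be run over AS-PATH strings taken from RIB dumps. It is an added example, not the authors' code: it implements pattern 3 as described above (sibling AS between origin and scrubber) plus the simpler case of the scrubber being the origin's immediate upstream, which is an assumption here because Table 1 is not reproduced in this post. The organisation labels and the paths using documentation ASNs are constructed.

```python
# Added example, not the authors' code. Paths are collector-first, origin-last.
SCRUBBER_ASNS = {198949}  # Radware's scrubber ASN, as given in the text

# Constructed org map (hypothetical labels); 28006/26613 siblings per the text.
AS_ORG = {28006: "org-A", 26613: "org-A", 64500: "org-B", 64501: "org-C"}

def collapse_prepending(path):
    """Drop consecutive duplicate ASNs introduced by AS-path prepending."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def classify(as_path, scrubbers=SCRUBBER_ASNS, as_org=AS_ORG):
    """Return (origin, scrubber, kind) or None for one AS-PATH string.
    'direct'  : scrubber is the origin's immediate upstream (assumed case)
    'sibling' : only same-organisation ASes sit in between (pattern 3)"""
    tokens = as_path.split()
    if not all(t.isdigit() for t in tokens):
        return None                      # AS_SET or malformed path: skip
    path = collapse_prepending([int(t) for t in tokens])
    if len(path) < 2 or path[-1] in scrubbers:
        return None                      # scrubber as origin is out of scope
    origin = path[-1]
    org = as_org.get(origin)
    for i in range(len(path) - 2, -1, -1):   # walk from origin to collector
        asn = path[i]
        if asn in scrubbers:
            return (origin, asn, "direct" if i == len(path) - 2 else "sibling")
        if org is None or as_org.get(asn) != org:
            return None                  # unrelated AS before any scrubber
    return None

def protected_origins(paths):
    """Map each protected origin AS to the set of scrubbers seen upstream."""
    found = {}
    for p in paths:
        hit = classify(p)
        if hit:
            found.setdefault(hit[0], set()).add(hit[1])
    return found

SAMPLE_PATHS = [  # constructed; 64496-64511 are documentation ASNs
    "64496 198949 26613 28006",         # pattern 3 example from the text
    "64496 198949 64500 64500 64500",   # direct upstream, origin prepends
    "64496 198949 64501 64500",         # unrelated AS in between: no match
    "64496 {64500,64501}",              # AS_SET: skipped
]
```

The sibling test depends entirely on the quality of the AS-to-organisation mapping; an origin missing from the map can only match the direct case.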
Growth of adoption rate of BGP-based DDoS scrubbers
Our longitudinal analysis in Figure 2 shows that the percentage of ASes using BGP-based protection has increased almost three times (from 0.7% to 2% and from 464 ASes to 1,730 ASes) between 2020 and 2024. Similarly, the percentage of protected prefixes has also increased three times in the same period, from 0.3% to 0.9% and from 3,154 to 12,362 prefixes, across both IPv4 and IPv6.
Service type analysis of BGP-based DDoS scrubbing
We classify ASes globally based on the services they offer, such as financial ASes, cloud ASes, and education ASes, using the Stanford ASdb dataset. We use 2021 data as it is the earliest available. We find that most of the protected ASes (1,295 out of a total of 1,730 protected ASes) belong to the following 9 categories: Finance, Health, Retail, Manufacturing, Cloud, Government, IT, ISP, and Education. Figure 3 shows that 7.04% of financial ASes (494 out of 7,021, as classified by ASdb) used a scrubber on 1 December 2024. Financial institutions have consistently led the use of BGP-based scrubbing adoption since 2021.
Summary and future work
We presented a first study into the adoption and characterization of BGP-based DDoS scrubbers globally in the period 2020-2024, based on a novel method that we developed to find protected ASes and prefixes. Our study uses the top five scrubbers worldwide. We show that 2% of ASes out of around 84k ASes and 0.9% of prefixes out of 1.4M prefixes that are globally routable use one of our chosen BGP-based DDoS scrubbing services as of 1 Dec 2024.
Our future work includes identifying protected ASes and prefixes where the scrubber appears as the origin ASN, providing DDoS protection for a network whose ASN is not visible in the AS-PATHs.
Shyam Krishna Khadka is a PhD student at the University of Twente, with interests in Internet routing security and Internet measurements. He has over a decade of experience in software development and network technologies across various companies.
This research received funding from the Dutch Research Council (NWO) as part of the projects CATRIN (NWA.1215.18.003) and UPIN (CS.004). CATRIN is part of NWO's National Research Agenda (NWA).