DDoS scrubbing data proves on-demand is dead
Always-on scrubbing now dominates the environment, eclipsing reactive on-demand models according to April 2026 research by APNIC ("Detecting and characterizing DDoS scrubbing from ..."). This shift confirms that modern network defense has fundamentally abandoned sporadic, attack-triggered responses in favor of continuous proactive protection. The era of waiting for an alert before diverting traffic is effectively over for major autonomous systems.
Shyam Krishna Khadka's analysis of global BGP routing data reveals that leading providers like Cloudflare and Akamai Prolexic increasingly maintain permanent upstream positions rather than dynamically appearing only during crises. By examining five-minute BGP update intervals, the study distinguishes between origin-change and upstream-change mechanics, proving that static routing configurations offer superior durability against volumetric floods. This data-driven approach exposes how these entities filter malicious packets while keeping legitimate flows intact without the latency penalties of activation delays.
Readers will learn the specific architectural differences between always-on and on-demand scrubbing modes through concrete routing examples. The discussion details operational strategies for identifying these behaviors using public BGP data, specifically looking at how protected ASes hand off prefix origination. Finally, the article breaks down the distinct roles of market leaders including Vercara, Imperva, and Radware, demonstrating why their transition to persistent path presence represents the new standard for DDoS mitigation.
The Role of DDoS Scrubbing in Modern Network Defense
DDoS Scrubbing Mechanisms: Always-On vs On-Demand BGP Modes
DDoS scrubbing diverts traffic to specialized infrastructure, which the data shows is the standard way to mitigate attack volume. This mechanism filters malicious packets before forwarding clean traffic to the protected Autonomous System. Detection systems combine BGP RIB snapshots with real-time updates; according to APNIC Blog, RIBs provide baseline state while updates capture dynamic changes. Analysis occurs at five-minute intervals, which, as reported by the PAM Conference Paper, is the standard granularity for capturing routing shifts without overwhelming systems. Operators deploy two primary modes: always-on and on-demand. Always-on configurations permanently place the scrubber as the upstream provider in the AS-PATH. On-demand activation dynamically inserts the scrubber only during detected attacks via origin-change or upstream-change methods. The upstream-change model dominates deployment because it avoids re-originating prefixes, preserving stability during convergence events.
| Feature | Always-On Mode | On-Demand Mode |
|---|---|---|
| Visibility | Permanent AS-PATH presence | Temporary AS-PATH insertion |
| Activation | Continuous | Triggered by attack detection |
| Convergence Risk | Low (static route) | Moderate (dynamic update) |
Adoption remains limited despite proven efficacy. While these top five providers are dominant, they collectively protect only 0.9% of the 1.4 million globally routable prefixes. The dominance of always-on scrubbing over on-demand models suggests a trend towards continuous, proactive defense postures rather than reactive measures in DDoS mitigation strategies. However, the cost of permanent diversion is increased latency for all inbound traffic, even during non-attack periods. Network architects must weigh this constant overhead against the risk of activation delay during sudden volumetric spikes.
11,000 always-on protected prefixes dominate current BGP routing tables. This deployment model forces continuous path validation across the entire internet edge. Operators must accept permanent AS-PATH elongation as the cost for eliminating activation latency during volumetric floods. The trade-off is reduced flexibility; removing a provider requires coordinated BGP policy updates rather than a simple toggle. In contrast, 5,600 on-demand prefixes rely on dynamic upstream manipulation. This approach preserves original path structures until an attack triggers a route change. However, convergence delays during activation create a brief exposure window that always-on architectures avoid entirely. Cloudflare represents a significant portion of this footprint with specific always-on deployments. 2,876 Cloudflare always-on prefixes anchor their protection strategy in permanence.
The decision ultimately rests on whether an organization prioritizes path stability or operational agility during non-attack periods. Network engineers must weigh the constant routing overhead against the risk of delayed mitigation response times.
Origin-Change vs Upstream-Change: Technical Differences in On-Demand Routing
Origin-change scrubbing forces re-originating prefixes, whereas upstream-change preserves the original AS number while altering the path. This distinction defines activation stability during volumetric floods. Data shows operators prefer upstream manipulation because re-originating prefixes risks global convergence delays. The mechanism relies on BGP updates to inject the scrubber as a transit provider rather than an origin. 1,000 prefixes apply this upstream method compared to only 104 using origin shifts. The disparity highlights a clear industry preference for path modification over origin hijacking. However, upstream dependency creates a single point of failure if the scrubber's ASN loses reachability. Operators must weigh path length against origin consistency when designing failover policies. This low penetration suggests most networks still lack automated on-demand defenses.
| Feature | Origin-Change | Upstream-Change |
|---|---|---|
| BGP Role | Re-originates prefix | Acts as transit |
| Convergence | Slower global update | Quicker local prepend |
| Adoption | Rare (104 prefixes) | Dominant (1,000 prefixes) |
| Risk Profile | Origin validation failures | Path loop potential |
The operational burden increases when distinguishing legitimate mitigation from malicious route leaks.
Mechanics of BGP-Based Traffic Diversion and Filtering
BGP RIB Snapshots and Five-Minute Update Intervals for Scrubbing Detection
Static baselines emerge from BGP RIB snapshots while five-minute update intervals capture transient scrubbing events per APNIC Blog data. This architecture separates permanent pathing from dynamic diversion states. Operators analyze routing tables to identify persistent upstreams, then cross-reference rapid update streams for anomalies. The mechanism relies on granular polling to detect short-lived attacks without generating excessive noise.
| Feature | RIB Snapshots | 5-Min Updates |
|---|---|---|
| Purpose | Baseline state | Event detection |
| Granularity | Daily/Midnight | Continuous stream |
| Use Case | Always-on verification | On-demand triggers |
Temporal resolution limits visibility; attacks shorter than the collection window vanish from logs before analysis begins. This gap forces operators to rely on external telemetry for sub-five-minute incidents. Consequently, detection latency becomes a function of polling frequency rather than network speed. Higher frequency polling demands storage overhead that scales linearly with peer count. Most networks accept the five-minute standard as a pragmatic balance between fidelity and resource consumption. Precise state reconstruction requires merging both datasets smoothly.
Identifying AS-PATH Anomalies in Cloudflare and Vercara Routing Events
Prefix 2.58.145.0/24 carries AS-PATH [513 25091 25091 13335 24864], where 13335 signals upstream-change scrubbing. This pattern identifies Cloudflare as a transit provider rather than the origin, preserving the original AS number while altering the path. Operators must distinguish this from origin-change events where the scrubber re-originates the prefix entirely. Data shows prefix 46.184.90.0/24 classified as origin-change because Vercara originated it between 13:17 and 13:39 on 10 May 2025. Such transient shifts indicate on-demand protection triggered by active volumetric floods.
| Anomaly Type | Path Signature | Operational Signal |
|---|---|---|
| Upstream-Change | Scrubber ASN inserted mid-path | Continuous defense posture |
| Origin-Change | Scrubber ASN replaces origin | Reactive attack mitigation |
Detection logic parses these sequences to flag routing anomalies without relying on payload inspection. The mechanism requires precise timestamp correlation because short-lived attacks may vanish before the next RIB snapshot. A tension exists between detection speed and false-positive rates; rapid path changes often mimic legitimate traffic engineering. Increased operational complexity arises when managing multi-vendor scrubbing policies. Network teams must tune alerting thresholds to avoid noise from routine maintenance windows. Failure to differentiate these modes leads to incorrect capacity planning and misguided peering strategies.
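The detection logic described above, as an added example (not code from the study or this page): it classifies one prefix from its RIB baseline and timestamped updates. It assumes a scrubber counts as upstream only when it is the hop next to the origin, as in the 2.58.145.0/24 path; the baselines, the 09:00 timestamp and every ASN in the 64496-64511 documentation range are constructed placeholders.

```python
from datetime import datetime

# Scrubber allowlist. 13335 is the ASN the page ties to Cloudflare; 64500 is a
# documentation-range placeholder for Vercara, whose ASN the page does not give.
SCRUBBERS = {13335: "Cloudflare", 64500: "Vercara (placeholder)"}

def scrubber_role(path):
    """Return (kind, scrubber_asn) for one AS-PATH, or (None, None)."""
    # Collapse prepending so [.. 25091 25091 ..] counts as a single hop.
    hops = [a for i, a in enumerate(path) if i == 0 or a != path[i - 1]]
    if not hops:                                   # withdrawal / empty path
        return None, None
    if hops[-1] in SCRUBBERS:                      # scrubber is the origin
        return "origin-change", hops[-1]
    if len(hops) > 1 and hops[-2] in SCRUBBERS:    # scrubber sits next to origin
        return "upstream-change", hops[-2]
    return None, None

def classify(baseline_path, updates):
    """Classify a prefix from its RIB baseline and time-ordered (ts, path) updates.

    Returns a list of (mode, kind, asn, start, end); end is None while active.
    """
    kind, asn = scrubber_role(baseline_path)
    if kind:                                       # already present in the snapshot
        return [("always-on", kind, asn, None, None)]
    events, current = [], None
    for ts, path in updates:
        kind, asn = scrubber_role(path)
        if current and (kind, asn) != current[:2]: # scrubber left or changed: close
            events.append(("on-demand", *current, ts))
            current = None
        if kind and current is None:               # scrubber appeared: open event
            current = (kind, asn, ts)
    if current:
        events.append(("on-demand", *current, None))
    return events

def T(hh, mm):
    return datetime(2025, 5, 10, hh, mm)

# Constructed sample: only the 13335 path and the 13:17-13:39 window are from the page.
SAMPLES = {
    "2.58.145.0/24": ([513, 25091, 25091, 24864],
                      [(T(9, 0), [513, 25091, 25091, 13335, 24864])]),
    "46.184.90.0/24": ([64496, 64497, 64501],
                       [(T(13, 17), [64496, 64500]),
                        (T(13, 39), [64496, 64497, 64501])]),
    "192.0.2.0/24": ([64496, 13335, 64502], []),
}

if __name__ == "__main__":
    for prefix, (base, upd) in SAMPLES.items():
        print(prefix, classify(base, upd))
```

An event that opens and closes inside one collection interval never appears in the update list, which is the visibility limit the section describes.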
Upstream-Change Versus Origin-Change Frequency Across Substantial Scrubbers
Upstream-change mitigation protects 1,000 prefixes while origin-change covers only 104 instances per APNIC Blog data. Origin-change scrubbing requires the protection provider to re-originate the victim's prefix, temporarily replacing the legitimate Autonomous System Number in global routing tables. This mechanism forces the entire internet to converge on a new path origin, creating significant stability risks during activation. Conversely, upstream-change preserves the original origin AS but inserts the scrubber as a transit hop in the AS-PATH. Operators prefer this method because it avoids the global convergence delays associated with re-originating prefixes. The data confirms a strong industry preference for path manipulation over origin hijacking due to these stability constraints. However, relying on upstream insertion creates a dependency on specific peer relationships that may not exist in all geographic regions.
The implication for network architects is that upstream solutions demand pre-established peering or transit agreements with the scrubbing provider. Without these specific connections, the route leaks required for diversion will fail propagation.
Defining Scrubber ASN Signatures in BGP Update Streams
Based on Study Dataset Description, researchers identified scrubber ASNs by manually inspecting technical documentation and mailing list reports. This process establishes the signature baseline required to distinguish malicious floods from legitimate traffic shifts. Analysts cross-reference these known identifiers against update streams from the RIS route collector, which collects updates every five minutes. High-frequency deviations in AS-PATH sequences signal active mitigation rather than standard routing convergence.
| Signature Element | Detection Method | Operational Meaning |
|---|---|---|
| Known ASN | Manual verification | Confirms scrubber presence |
| Update Frequency | 5-minute intervals | Indicates dynamic activation |
| Path Length | Sequence analysis | Reveals upstream insertion |
Labor intensity limits the maintenance of this allowlist as providers rotate infrastructure. Operators relying solely on automated heuristics risk misclassifying legitimate peering changes as attack vectors. Missing a signature rotation results in total blindness during an active volumetric event. Precise identification remains the only viable defense against obscured attack paths.
Detecting Vercara and Cloudflare On-Demand Activation Events
According to Study Dataset Description, the analysis window spans 1 May 2025 to 30 May 2025, requiring operators to correlate RIS route collector updates with known scrubber signatures. As reported by Scrubbed Prefixes Statistics, Vercara activated 703 prefixes while Cloudflare covered 250, establishing a baseline for expected activation volume. Operators must isolate these specific ASNs within five-minute update streams to distinguish transient attacks from permanent pathing changes.
| Provider | Primary Mode | Detection Signal |
|---|---|---|
| Vercara | Upstream-change | ASN appears mid-path |
| Cloudflare | Upstream-change | ASN prepended to origin |
| Radware | Mixed | Origin or path shift |
Per Scrubbed Prefixes Statistics, Cloudflare utilized upstream-change for 249 instances versus a single origin-change event, confirming a strong preference for path manipulation over re-origination. This pattern allows the protected network to retain ownership of the prefix while diverting inbound flow through the scrubber. Missing scrubber activation in BGP logs does not guarantee safety; traffic may be diverted via static GRE tunnels invisible to global routing tables. Failure to detect these shifts leaves networks vulnerable to collateral damage from misconfigured upstream filters.
RPKI Invalid Status Risks in Origin-Change Scrubbing Modes
Based on Key Takeaways and Future Work, 48% of origin-change prefixes carry RPKI Invalid or NotFound status, creating immediate drop risks. RPKI-invalid routes face rejection by validating Autonomous Systems, effectively nullifying the mitigation effort during an active attack. The mechanism relies on the scrubber re-originating the prefix, yet nearly half lack the necessary Route Origin Authorizations to remain reachable. According to Key Takeaways and Future Work, 12.5% are explicitly Invalid while 35.5% remain NotFound, leaving most traffic vulnerable to silence rather than filtering. Operators assuming activation success face total blackholing if upstream peers enforce strict validation policies. Delegating origination without updating RIR records breaks global reachability. Failure to synchronize DNS, RPKI, and BGP states turns a defense mechanism into a self-inflicted outage.
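An added pre-flight check for the risk above, not part of the original article: RFC 6811 route origin validation applied to the announcements a scrubber would make under origin-change. The ROAs, prefixes and ASNs are constructed documentation values; the maxLength case goes slightly beyond the text, since a matching ASN is not enough when the scrubber announces a more-specific.

```python
import ipaddress

def rov_state(prefix, origin_asn, roas):
    """RFC 6811 origin validation: returns 'Valid', 'Invalid' or 'NotFound'.

    roas is an iterable of (roa_prefix, max_length, asn) tuples.
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True                      # at least one ROA covers this route
        if asn == origin_asn and route.prefixlen <= max_len:
            return "Valid"
    # Covered but never matched means Invalid; no covering ROA means NotFound.
    return "Invalid" if covered else "NotFound"

def preflight(planned_prefixes, scrubber_asn, roas):
    """ROV state of each prefix as it would look when the scrubber originates it."""
    return {p: rov_state(p, scrubber_asn, roas) for p in planned_prefixes}

def blocking(report):
    """Prefixes that should not be handed to origin-change mitigation yet."""
    return sorted(p for p, state in report.items() if state != "Valid")

# Constructed sample: documentation ASNs (RFC 5398) and documentation prefixes.
OWNER, SCRUBBER = 64501, 64500
ROAS = [
    ("198.51.100.0/24", 24, OWNER),     # only the owner is authorized
    ("203.0.113.0/24", 24, OWNER),
    ("203.0.113.0/24", 24, SCRUBBER),   # scrubber explicitly authorized
    ("2001:db8::/32", 32, SCRUBBER),    # right ASN, but maxLength stops at /32
]
PLANNED = ["198.51.100.0/24", "203.0.113.0/24", "192.0.2.0/24", "2001:db8:1::/48"]

if __name__ == "__main__":
    report = preflight(PLANNED, SCRUBBER, ROAS)
    for prefix, state in report.items():
        print(f"{prefix:18} {state}")
    print("fix before activation:", blocking(report))
```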
Strategic Selection Criteria for Scrubber Providers
Always-On Versus On-Demand Scrubbing Deployment Models
Always-on protection covers 11,000 prefixes while on-demand protects 5,600, defining the baseline for traffic diversion strategy. Always-on scrubbing maintains a permanent upstream position in the AS-PATH, eliminating activation latency but consuming continuous routing table space. On-demand models trigger dynamically during attacks, preserving normal pathing until a threat requires upstream-change intervention. The trade-off is measurable: always-on guarantees immediate filtering, whereas on-demand introduces a convergence window where malicious packets may reach the origin. Operators must weigh the stability of static routes against the resource efficiency of dynamic insertion.

Market projections indicate the network security software sector will expand from USD 22.19 billion in 2026 to USD 51.31 billion by 2035, reflecting aggressive capital allocation toward these architectures. A critical tension exists between immediate mitigation and global routing stability; always-on deployments lock traffic onto specific provider paths regardless of attack state, potentially increasing latency for legitimate users. Conversely, on-demand systems risk packet loss during the brief interval required for BGP updates to propagate globally.
Upstream-change mitigation secures 1,000 prefixes compared to only 104 using origin-change, establishing clear operator preference for path manipulation. Data shows this model allows the owner AS flexibility to originate their own prefix without delegating origination to the scrubber AS. Avoiding the need to create Route Origin Authorizations (ROAs) for scrubbers is a key reason for the upstream-change preference. This approach preserves prefix ownership during active attacks while sidestepping RPKI validation failures that plague re-originated traffic.
| Dimension | Upstream-Change Model | Origin-Change Model |
|---|---|---|
| Origination Control | Retained by Owner | Delegated to Scrubber |
| RPKI Dependency | Low (Path Only) | High (Requires ROA) |
| Deployment Scale | Dominant Strategy | Rare Implementation |
The limitation is strict reliance on upstream provider cooperation for path injection. Operators cannot force acceptance if transit peers filter unexpected AS-PATH sequences containing scrubber identifiers. Maintaining clean routing policies becomes complex when multiple upstreams must simultaneously accept the diverted path. The consequence is a fragmented defense posture where protection efficacy depends entirely on neighbor configuration rather than local policy. Failure to verify these constraints results in silent mitigation failures where traffic never reaches the cleaning infrastructure. The operational penalty is severe: a protected prefix becomes unreachable globally instead of merely degraded during an incident. Operators relying on origin-change modes without pre-validating Route Origin Authorizations effectively trade DDoS exposure for total blackout risk.
| Risk Factor | Consequence | Validation Requirement |
|---|---|---|
| Invalid Status | Immediate route drop by peers | ROA creation mandatory |
| NotFound Status | Variable reachability | Registry publication needed |
| Valid Status | Normal propagation | Existing coverage sufficient |
Meanwhile, the limitation is binary; partial validation causes partial outages that defeat high-availability goals. InterLIR advises verifying RPKI Valid coverage before enabling re-origination policies to prevent self-inflicted denial of service.
About
Alexander Timokhin, CEO of InterLIR, brings critical industry perspective to the complex topic of DDoS scrubbing and BGP routing analysis. As the leader of a specialized IPv4 marketplace founded in Berlin, Timokhin manages daily operations where network availability and IP reputation are paramount assets. His direct experience overseeing clean BGP announcements and route object validation provides unique insight into how Autonomous Systems interact with upstream providers during mitigation events. While the referenced research by Khadka et al. technically characterizes scrubbing behaviors, Timokhin's work at InterLIR applies these principles practically by ensuring redistributed IP resources remain secure and reachable. Understanding whether scrubbers act as upstream providers or originate prefixes is not just academic for his team; it directly impacts the security and efficiency of IP leasing services. This intersection of high-level infrastructure management and technical routing dynamics qualifies him to contextualize these findings for network operators seeking resilient solutions.
Conclusion
The dominance of upstream path manipulation reveals a critical fragility: scalability creates dependency. While shifting AS-PATHs protects more prefixes today, this model collapses when transit providers refuse complex path injections or filter unexpected sequences. As attack surfaces expand, relying on neighbor cooperation for traffic diversion introduces a single point of failure that no amount of local policy can override. The industry must pivot from reactive path tweaks to architectural durability where protection does not hinge on peer goodwill. Organizations should mandate always-on scrubbing integration within the next twelve months, but only if they first decouple validation from origination logic to prevent self-inflicted blackouts during crises.
Do not wait for an incident to test these boundaries. Start by auditing your upstream acceptance policies this week to confirm which transit partners will actually honor diverted paths under stress. Verify that your RPKI ROAs explicitly authorize scrubbing centers before attempting any origin changes, ensuring you do not trade DDoS exposure for total unreachability. True defense requires assuming your neighbors will drop your traffic if configurations are not bulletproof.