DDoS scrubbing data shows 98% of networks exposed
Only 2% of ASes apply BGP-based DDoS scrubbing, leaving the vast majority of networks dangerously exposed according to recent APNIC data. (APNIC's detecting and characterizing ddos scrubbing from ...) Shyam Krishna Khadka's research at the University of Twente exposes how five substantial providers manipulate BGP announcements to filter traffic, revealing a stark disconnect between marketed capabilities and observable routing behavior.
We need to talk about upstream-change scrubbing. Providers insert themselves into the AS-PATH without hijacking prefix ownership, a technique standard monitoring tools routinely miss. We will analyze specific activation signals within BGP data flows that distinguish between always-on protection and flexible mitigation during active attacks. The discussion extends to operational failures where origin-change methods inadvertently destabilize route propagation across neighboring autonomous systems.
Despite Cloudflare, Akamai Prolexic, and Vercara dominating the market, their scrubbing architectures remain poorly understood outside of controlled lab environments. By using longitudinal data from 2020 to 2024, this analysis moves beyond theoretical models to provide concrete evidence of how malicious traffic diversion actually alters the global routing table. Network engineers must abandon assumptions about smooth failover and adopt rigorous validation practices for these upstream dependencies.
The Role of BGP Routing in Modern DDoS Scrubbing Architectures
BGP-Based DDoS Scrubbing and AS Path Redirection Mechanics
DDoS scrubbing diverts attack traffic through specialized filters using BGP redirection before delivery to the victim. Operators select between Always-on persistence or on-demand activation when an attack begins. The upstream-change model keeps the protected ASes as the origin while inserting the scrubber into the AS-PATHS. Data indicates this method covers 1,000 prefixes, making it nearly ten times more common than alternatives. In contrast, the Origin-change model forces the scrubber to announce the prefix as the new origin, altering the route source entirely. This approach protects only 104 prefixes Both models ensure outbound traffic exits normally through the local ISP rather than the scrubbing center.
| Model | Origin AS Status | Scrubber Position | Prevalence |
|---|---|---|---|
| Upstream-change | Protected AS | Intermediate Hop | High |
| Origin-change | Scrubber AS | Route Source | Low |
Longer paths introduced during mitigation trigger policy-based de-preferencing on transit networks that prioritize shorter routes. This is the hidden tax of upstream insertion: you preserve origin signatures, but you complicate AS-PATH length analysis for downstream peers.
Always-on scrubbing permanently installs the mitigator as the upstream for specific prefixes, eliminating activation latency during volumetric assaults. Cloudflare maintains this state for 2,876 prefixes, while Akamai secures 5,861 prefixes in a similar continuous configuration. These figures illustrate a strategic preference for constant path manipulation over reactive signaling among market leaders. The industry-wide shift On-demand activation remains the for assets requiring flexible upstream insertion only during verified incidents. This approach conserves routing table stability but introduces a detection window where malicious packets reach the origin. Operators managing critical infrastructure often select always-on modes to guarantee zero-day response capabilities without relying on external trigger mechanisms.
| Feature | Always-On Mode | On-Demand Mode |
|---|---|---|
| AS-PATH State | Static inclusion | Flexible insertion |
| Activation | Permanent | Event-triggered |
| Latency | Zero seconds | Detection dependent |
| Churn | None | High during events |
Always-on deployment permanently alters routing policies, complicating traffic engineering adjustments outside of attack windows. Network engineers must accept fixed upstream paths as the cost for guaranteed mitigation availability. This architectural decision removes the variable of response time from the incident management equation entirely. Upstream-change scrubbing dominates on-demand mitigation by preserving the origin AS while inserting the cleaner into the path. This approach protects 1,000 prefixes Operators favor this method because it avoids the RPKI validation failures inherent in shifting origin authority. Data reveals that only 52% of prefixes using origin-change techniques maintain valid RPKI status. The remaining coverage lacks cryptographic assurance, exposing these routes to rejection by strict ROV policies. In contrast, upstream-change models retain the original signed origin, bypassing this specific validity gap entirely.
| Feature | Upstream-Change | Origin-Change |
|---|---|---|
| Origin AS | Protected Entity | Scrubber Entity |
| RPKI Validity | Preserved | Often Broken |
| Adoption Scale | Dominant | Rare |
| Path Stability | Moderate | High Churn |
Always-on architectures provide constant coverage, whereas on-demand systems activate only during active volumetric assaults. Network engineers must weigh the risk of route rejection against the complexity of maintaining dual announcement policies. The prevalence of upstream models suggests a collective industry pivot toward preserving origin integrity during crises. Failure to align scrubbing mechanics with RPKI requirements invites accidental blackholing of legitimate traffic.
Defining Always-On Scrubbing via 30-Day Upstream Continuity
Classifying a prefix as always-on requires observing a scrubber ASN in the AS-PATH for a continuous 30-day window without interruption. This temporal threshold filters transient routing fluctuations from permanent protection architectures, distinguishing steady-state mitigation from reactive triggers. Operators identify the protective layer by spotting specific scrubber identifiers, such as 13335 for Cloudflare, positioned immediately before the protected origin AS. The prefix 2.58.145.0/24 exemplifies this pattern, maintaining a static path structure where the cleaner acts as a permanent transit provider rather than a temporary origin. This structural permanence contrasts sharply with on-demand activation Analysis of global RIB snapshots reveals that roughly 10:1 more prefixes apply continuous protection compared to reactive services, signaling an industry preference for latency-free defense. The upstream-change.
| Attribute | Always-On State | On-Demand State |
|---|---|---|
| Duration | Continuous (>30 days) | Transient (<30 days) |
| AS-PATH Role | Permanent Upstream | Temporary Upstream or Origin |
| RPKI Impact | Minimal (Origin unchanged) | High risk (if Origin changes) |
| Detection Signal | Static path stability | Sudden path deviation |
Relying solely on single-day snapshots creates blind spots, as brief maintenance windows might mimic attack mitigation cycles.
On-demand scrubbing detection requires correlating BGP update timestamps with transient path shifts, as seen when Vercara originated 46.184.90.0/24 for 22 minutes on 10 May 2025. Operators must execute a four-step analysis to isolate these signals from background noise. First, ingest real-time BGP updates alongside daily RIB snapshots to capture flexible state changes invisible to static tables. Second, flag prefixes where the AS-PATH deviates from the baseline upstream, such as AS45753 temporarily routing via Vercara instead of AS9744. Third, classify the event duration to distinguish same-day cycles from cross-day activations spanning midnight boundaries. Fourth, verify the return to baseline to confirm deactivation.
Combining RIB snapshots Network teams cannot determine if a prefix underwent one long attack or five short bursts without deeper packet-level telemetry. This constraint forces reliance on qualitative trends rather than precise incident counts for same-day scenarios.
Quantifying Upstream-Change Dominance Over Origin-Change Models
Upstream-change activations outnumber origin-change events by a factor of ten, marking a decisive industry shift toward path manipulation over origin hijacking. This disparity stems from operator preference for preserving the original origin AS to maintain RPKI validity during mitigation cycles. Apnic.
| Provider | Origin-Change Count | Upstream-Change Count | Total Activations |
|---|---|---|---|
| Vercara | 82 | 621 | 703 |
| Cloudflare | 1 | 249 | 250 |
| Akamai | 4 | 66 | 70 |
| Imperva | 0 | 96 | 96 |
| Radware | 17 | 38 | 55 |
Vercara leads total volume with 703 activations, while Radware records the lowest engagement at 55 prefixes. Cloudflare demonstrates extreme bias toward upstream redirection, executing only a single origin-change event against 249 path modifications. The cost of origin-change deployment is measurable: nearly half of such prefixes fail cryptographic validation checks due to mismatched ROA records. Operators avoiding this failure mode select upstream redirection to keep the AS-PATH flexible while the origin signature remains static. This technical constraint forces vendors to prioritize upstream integration features over origin spoofing capabilities in their product roadmaps. Detection logic must focus on transient upstream neighbors appearing before the protected.
Operational Best Practices for Deploying Upstream-Change Scrubbing Models
Defining Upstream-Change Scrubbing via BGP Path Redirection
Upstream-change scrubbing redirects attack traffic by inserting a cleaner into the AS path while the protected Autonomous System retains its origin AS identity. This mechanism modifies the route announcement upstream, forcing inbound flows through a mitigation node without altering the cryptographically signed origin data. Research identifies 1,000 prefixes using this upstream-change model In contrast, the origin-change model Dependency on upstream provider cooperation for route propagation increases with this architectural choice. Operators must configure local preference policies to ensure the scrubber path is selected over direct peering during attack windows. Traffic bypasses the filter entirely if engineers fail to tune these attributes. Manual intervention during high-volume incidents decreases while route security posture remains intact.
Configuring On-Demand Activation Windows for Vercara and Radware
Vercara activated 703 prefixes during the observation window, demanding precise BGP update monitoring to capture transient upstream changes. Operators must ingest real-time BGP updates alongside daily RIB snapshots to detect activation windows that static tables miss. This dual-stream approach isolates same-day cycles from cross-day events where mitigation spans midnight boundaries. Radware recorded the lowest activation count at 55 prefixes, suggesting tighter trigger thresholds or smaller customer bases. Configuration policies must account for this variance to avoid false negatives during low-volume attacks. Missing scrubbing detection often stems from filtering logic that ignores short-duration path modifications. Legitimate mitigation signals vanish if the observation window exceeds the typical 22minute activation cycle. This strategy preserves the signed origin data while redirecting traffic through the cleaner. Incomplete visibility and delayed response times result from failing to distinguish these modes.
Validating RPKI Status to Prevent Routing Leaks During Mitigation
Operators must verify RPKI Valid status before activating scrubbing to prevent route rejection by downstream peers. Apnic. 12.5% of alternative approaches generate RPKI Invalid states that trigger automatic drops. Validation failures often stem from mismatched AS path assertions when scrubbers inject announcements without corresponding RIR updates. Adoption metrics will soon feed the MANRS+ Working Group to enforce stricter compliance on DDoS prevention. Always-on scrubbing suits high-volume targets needing constant AS path stability, whereas on-demand fits sporadic attack surfaces. The cost of skipping validation is measurable: 35.5% of noncompliant routes face uncertain propagation across the global table. Total prefix blackholing during active attacks becomes avoidable through this check.
Strategic Lessons from Global Adoption Trends in Scrubber Routing
Lessons: Upstream-Change Scrubbing Set by AS Path Redirection
AS path redirection defines the upstream-change model where the protected AS retains its origin identity while inserting a scrubber as the immediate transit provider. This mechanism modifies the AS path attribute in BGP announcements without altering the cryptographically signed origin data, preserving route validity during mitigation cycles. Analysis of global routing tables identifies roughly 1,000 prefixes using this upstream-change model Unlike origin-change approaches that transfer origination authority and risk validation failures, this method forces inbound flows through a mitigation node while keeping the source AS number static. The dominant adoption rate suggests network engineers prioritize maintaining RPKI Valid status to prevent downstream rejection by strict peers. However, reliance on AS path injection introduces a specific dependency on upstream neighbor acceptance of these modified announcements. Operators must ensure their direct peers do not filter these paths as anomalies before an attack occurs. Failure to coordinate these policies results in silent traffic blackholing even when the scrubber is active. This tension between rapid redirection and policy compliance requires pre-deployment testing rather than reactive configuration during an incident.
Strategic Shift to Always-On Protection Across 703 Prefixes
The 703 prefixes under continuous defense demonstrate that always-on scrubbing now outpaces reactive activation by 48%. Historical reliance on manual intervention fails against modern volumetric floods, forcing operators to adopt permanent upstream redirection. Data confirms always-on deployments. This architectural shift eliminates the detection lag inherent in on-demand systems, ensuring malicious traffic hits filtering logic before saturating peering links.
Maintaining permanent mitigation capacity increases baseline transit costs, creating tension between security posture and budget constraints. Smaller networks often hesitate to commit resources without an active threat, yet the industry-wide shift. The dominance of this model implies that manual response cycles are no longer viable for protecting critical IP address space. Operators ignoring this trend risk exposure during the window between attack onset and scrubber engagement.
Compliance audits must distinguish between always-on permanence and on-demand activation to accurately score DDoS Attack Prevention Always-on scrubbing maintains a static AS path position, whereas on-demand mitigation dynamically inserts a scrubber upstream only during active floods. Operators should verify that upstream-change events preserve origin signatures rather than triggering RPKI Invalid states. The MANRS+ Working.
- Confirm BGP updates capture sub-hourly activation windows for on-demand services.
- Validate that origin-change modes do not conflict with existing ROA records.
- Document the ratio of permanent versus reactive prefix coverage.
Only 55 of global ASes currently employ these services, leaving most networks invisible to compliance scanners. InterLIR recommends treating missing scrubbing evidence as a routing hygiene failure. The 22minute longitudinal analysis Ignoring this gap invites regulatory penalties as policymakers mandate stricter auditing. Note that while upstream-change preserves origin signatures, yet 12.5% of alternative approaches generate RPKI issues. The cost of skipping validation is measurable: 35.5% of noncompliant routes face uncertain paths.
About
Evgeny Sevastyanov serves as the Support Team Leader at InterLIR, a specialized IPv4 marketplace based in Berlin. With extensive hands-on experience managing customer support and executing technical provisioning for IPv4 leasing, he possesses unique qualifications to discuss BGP routing tables. His daily responsibilities include creating and maintaining Route Objects within RIPE and APNIC databases, a process directly dependent on accurate BGP propagation and routing integrity. (RIPE's internet measurements) At InterLIR, ensuring clean BGP announcements is a core value, making the detection of routing anomalies like DDoS scrubbing critical to their mission of providing secure IP resources. Sevastyanov's practical work bridging technical database management with client network availability offers a grounded perspective on how global routing changes impact real-world IP asset distribution and security.
Conclusion
Scaling BGP routing table protection reveals a critical fracture: transient mitigation windows create blind spots that static compliance checks miss entirely. When on-demand scrubbing activates, the resulting path volatility often triggers false RPKI Invalid alerts, causing legitimate traffic to be dropped before the attack is neutralized. This operational friction explains why continuous upstream configurations remain rare despite their superior reliability. The hidden cost infrastructure spend, but the engineering hours spent reconciling flexible AS path changes with rigid security policies. Networks relying on reactive insertion face a compounding debt of manual intervention that grows linearly with attack frequency.
Organizations managing critical prefixes must migrate to permanent upstream scrubbing configurations within the next six months to eliminate activation latency. This shift is mandatory for any entity where sub-minute downtime violates service level agreements. Do not wait for regulatory mandates to force this architectural update. Start by auditing your ROA records against current BGP update logs this week to identify any origin mismatches triggered by recent mitigation events. Verify that your scrubbing provider preserves origin signatures during failover rather than rewriting them. This specific validation step prevents the routing leaks that currently plague hybrid deployment models.
Frequently Asked Questions
Origin-change methods protect very few prefixes compared to upstream alternatives. Data reveals that only 52% of prefixes using origin-change techniques maintain stable routing without causing unintended destabilization across neighboring systems.
Only a tiny fraction of autonomous systems currently deploy these security measures. Recent APNIC data indicates that just 2% of ASes utilize BGP-based DDoS scrubbing, leaving most networks dangerously exposed to attacks.
Always-on scrubbing permanently installs the mitigator as the upstream provider for specific network prefixes. This approach eliminates activation latency entirely, ensuring zero-second response times during volumetric assaults compared to event-triggered models.
Cloudflare and Akamai lead the industry by securing thousands of prefixes in continuous configurations. These figures illustrate a strategic preference for constant path manipulation over reactive signaling among current market leaders.
Extended paths introduced during mitigation can trigger policy-based de-preferencing on transit networks. Downstream peers often prioritize shorter routes, potentially causing traffic to bypass the scrubbing center entirely during active attack windows.
