A first look at the adoption of BGP-based DDoS scrubbing services
A 5-year longitudinal analysis
Contributors: Suzan Bayhan (University of Twente), Ralph Holz (University of Munster and University of Twente), Saeedeh Shokoohi (University of Waikato), Marinho Barcellos (University of Waikato), and Cristian Hesselman (SIDN Labs and University of Twente).
An Autonomous System (AS) can protect itself against DDoS attacks by rerouting incoming DDoS traffic through a “DDoS scrubber”, a process that is typically implemented using the Border Gateway Protocol (BGP). While BGP-based scrubbing is a useful service, its adoption on the global Internet is unknown. This lack of visibility hinders the ability to assess how effectively the Internet can mitigate large-scale DDoS attacks and maintain service availability for legitimate traffic. We therefore developed a methodology that sheds light on the adoption of the global top five BGP-based DDoS scrubbers from 2020 to 2024. This blog is a summary of the paper we presented at the International Conference on Network and Service Management (CNSM’25).
Distributed Denial of Service (DDoS) scrubbing is a mechanism to mitigate DDoS attacks by diverting traffic toward scrubbers. The scrubber generally runs a globally distributed network of data centers so that it can mitigate a DDoS attack as closely as possible to the source, allowing only the legitimate traffic to reach the protected network. There are two types of DDoS scrubbing based on how traffic is diverted: DNS-based and BGP-based. DNS-based scrubbing is typically used to protect websites by redirecting traffic through changes to DNS records (e.g., CNAME or A records). BGP-based scrubbing, on the other hand, protects entire networks that host multiple services—such as databases, email, or IP telephony—and requires the customer to operate their own Autonomous System (AS), referred to as the protected AS. In our work, we studied the deployment of BGP-based scrubbing services on the global Internet, which, to the best of our knowledge, is largely unexplored.
In BGP-based scrubbing, the protected AS connects to its scrubber using methods such as GRE tunnels, direct connections, or peering arrangements (for example, through an Internet exchange or data centre). The AS then advertises its routes to the scrubber using either BGP or static routing, with BGP generally preferred for its flexibility and simplified network management. Depending on the protection mode, the AS can either continuously announce its prefixes through the scrubber (“always-on” protection) or advertise them only during an attack (“on-demand” protection).
We believe insight into the adoption of BGP-based scrubbers is of interest to several audiences. For example, it would enable operators of Autonomous Systems (ASes) to select transit providers or peers that are using DDoS protection, which would increase the DDoS resilience of BGP paths. Another example is the MANRS+ working group, which aims to enhance routing security through stricter compliance and audits. They can use insights into the adoption of DDoS scrubbers for their “DDoS Attack Prevention” metric, which tracks ASes using BGP-based DDoS protection. Also, national policymakers or network operator groups can use it to consider the adoption of DDoS protection services in their country or community, respectively.
We focused on the global top five BGP-based scrubbers in the 2021 Forrester Wave market analysis: Akamai Prolexic, Cloudflare, Vercara (formerly Neustar), Imperva, and Radware. We chose these because, to the best of our knowledge, there is no collated, comprehensive, and authoritative list of DDoS scrubbers.
To understand how these scrubbers work, we explored their documentation as well as that of three other scrubbers. We also analyzed reports on historical scrubbing activities, including blogs (Kentik, ThousandEyes) and mailing lists. We validated our understanding of scrubbing mechanisms with operators from four scrubbers: NaWas, DDoS-Guard, Akamai, and Radware. We found that BGP-based scrubbing falls into two categories. In the first, the scrubber appears as the upstream of a protected AS in BGP data, which leads to four different patterns in BGP data, as we explain in the following section. In the second, a protected AS delegates the origination of its prefixes to the scrubber, which means that the scrubber appears as the origin AS in BGP data.
In our paper and in this blog, we focus on the model with the scrubber appearing as an upstream of a protected AS. We leave the second model (re-origination of a protected prefix) as future work.
We analyzed Routing Information Base (RIB) data collected by RIS and Routeviews collectors on the first day of each month from 2020 to 2024. This monthly sampling supports our objective of providing an initial overview of the adoption of BGP-based DDoS scrubbing services while minimizing the volume of RIB data to be processed.
We identified four patterns in which a scrubber AS Number (ASN) appears as an upstream of a protected AS in the RIBs data, as shown in Table 1. The right column shows an example for each pattern for Radware’s scrubber, whose ASN is 198949. For example, an AS path following pattern 3 has the protected AS as the origin (AS28006), the scrubber AS as an upstream provider (AS198949, third position), and a sibling AS (AS26613) between them. The ASNs 28006 and 26613 belong to the same organization.
Table 1: Four patterns with a scrubber ASN appearing as an upstream for scrubbing purposes.
ID | Patterns based on scrubber ASN’s position | Examples (Radware) |
1 | Immediate provider | [41666 34927 1299 198949 6352] |
2 | Prepended with the protected AS | [1798 3356 198949 12235 12235] |
3 | Prepended with siblings of the protected AS | [37721 2914 198949 26613 28006] |
4 | Prepended with non-sibling ASes | [1798 174 1299 198949 12625 15814] |
We did not consider pattern 4 because we were unable to conclude that the origin AS (AS15814 in the example in Table 1) is using a scrubber. Also, this pattern is very rare in our analysis (see Figure 1).
Figure 1: Distribution of the four AS patterns across protected ASes in 2024’s monthly RIBs snapshots. The numbers above the bars show the average number of protected ASes per scrubber across the 12 snapshots.
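As an added illustration (not code from the paper or its authors), the following Python sketch classifies an AS path against the four patterns of Table 1 and collects the origins that match patterns 1 to 3. The function names, the organisation labels in `AS_ORG`, and the choice to match on the scrubber's last occurrence in the path are assumptions; the paths are the Radware examples from Table 1.

```python
from typing import Dict, Iterable, List, Optional, Set

RADWARE = 198949  # scrubber ASN given in the article

# Constructed ASN -> organisation labels. Only the 26613/28006 sibling
# relation comes from the article; the label names are placeholders.
AS_ORG: Dict[int, str] = {26613: "org-A", 28006: "org-A",
                          12625: "org-B", 15814: "org-C"}

def classify(path: List[int], scrubber: int, as_org: Dict[int, str]) -> Optional[int]:
    """Return the Table 1 pattern ID (1-4), or None if the scrubber is not an upstream."""
    if scrubber not in path or path[-1] == scrubber:
        return None  # absent, or scrubber is the origin (re-origination, out of scope)
    origin = path[-1]
    # Assumption: use the scrubber's last occurrence so scrubber-side prepending is tolerated.
    last = len(path) - 1 - path[::-1].index(scrubber)
    between = path[last + 1:-1]  # hops between the scrubber and the origin
    if not between:
        return 1  # scrubber is the immediate provider
    if all(asn == origin for asn in between):
        return 2  # origin prepends its own ASN
    org = as_org.get(origin)
    if org is not None and all(asn == origin or as_org.get(asn) == org for asn in between):
        return 3  # only siblings (same organisation) in between
    return 4  # at least one non-sibling AS in between

def protected_origins(paths: Iterable[List[int]], scrubber: int,
                      as_org: Dict[int, str]) -> Set[int]:
    """Origins counted as protected: patterns 1-3 only, pattern 4 is excluded."""
    return {p[-1] for p in paths if classify(p, scrubber, as_org) in (1, 2, 3)}

# AS paths copied from Table 1 (collector-side AS first, origin last).
TABLE1_PATHS = [
    [41666, 34927, 1299, 198949, 6352],
    [1798, 3356, 198949, 12235, 12235],
    [37721, 2914, 198949, 26613, 28006],
    [1798, 174, 1299, 198949, 12625, 15814],
]

if __name__ == "__main__":
    for p in TABLE1_PATHS:
        print(classify(p, RADWARE, AS_ORG), p)
    print(sorted(protected_origins(TABLE1_PATHS, RADWARE, AS_ORG)))
```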
Our longitudinal analysis in Figure 2 shows that the percentage of ASes using BGP-based protection has increased almost three times (from 0.7% to 2% and from 464 ASes to 1,730 ASes) between 2020 and 2024. Similarly, the percentage of protected prefixes has also increased three times in the same period, from 0.3% to 0.9% and from 3,154 to 12,362 prefixes, across both IPv4 and IPv6.
Figure 2: Adoption rate of BGP-based DDoS scrubbers globally, showing the percentage of protected ASes and prefixes.
We classify ASes globally based on the services they offer, such as financial ASes, cloud ASes, and education ASes, using the Stanford ASdb dataset. We use 2021 data as it is the earliest available. We find that most of the protected ASes (1,295 out of a total of 1,730 protected ASes) belong to the following 9 categories: Finance, Health, Retail, Manufacturing, Cloud, Government, IT, ISP, and Education. Figure 3 shows that 7.04% of financial ASes (494 out of 7,021, as classified by ASdb) used a scrubber on December 1, 2024. Financial institutions have consistently led the adoption of BGP-based scrubbing since 2021.
Figure 3: Percentage of nine types of ASes that are more often protected by the five scrubbers over the years. The numbers in the legend represent the total number of ASes of that type on the Internet as classified by ASdb on 01 Jan 2024.
We presented a first study into the adoption and characterization of BGP-based DDoS scrubbers globally in the period 2020-2024, based on a novel method that we developed to find protected ASes and prefixes. Our study uses the top five scrubbers worldwide. We show that 2% of ASes out of around 84k ASes and 0.9% of prefixes out of 1.4M prefixes that are globally routable use one of our chosen BGP-based DDoS scrubbing services as of 1 Dec 2024.
Our future work includes identifying protected ASes and prefixes where the scrubber appears as the origin ASN, providing DDoS protection for a network whose ASN is not visible in the AS paths.
This research received funding from the Dutch Research Council (NWO) as part of the projects CATRIN (NWA.1215.18.003) and UPIN (CS.004). CATRIN is part of NWO’s National Research Agenda (NWA).
Article by:
PhD candidate, University of Twente
Shyam Krishna Khadka is a PhD candidate at the University of Twente. His interests lie in the security of Internet routing and Internet measurements. He has worked at several companies, where he gained more than 10 years of experience in software development and network technologies. Cristian Hesselman of SIDN Labs supervises Shyam at the university.