Understanding the Global Adoption of BGP-Based DDoS Scrubbing Services

The Growing Importance of BGP-Based DDoS Scrubbing in a Connected World

In an era of increasing cybersecurity risks, Distributed Denial of Service (DDoS) attacks continue to be one of the most disruptive threats to online infrastructure. Autonomous Systems (ASes) can actively protect themselves from these threats by employing BGP-based DDoS scrubbing services to reroute and mitigate malicious traffic. These services use the Border Gateway Protocol (BGP) to steer traffic through scrubbers that filter out illegitimate traffic, ensuring only genuine traffic reaches essential services like databases, email systems, or IP telephony. Despite its critical importance, the extent of global adoption of BGP-based scrubbing is still largely unexplored. This gap makes it hard to fully evaluate how effectively it protects networks worldwide. Recent research has shed new light on this issue, offering valuable insights that could redefine the strategies for mitigating large-scale DDoS attacks.

Differentiating DNS-Based and BGP-Based Scrubbing

Two primary methods exist for implementing DDoS scrubbing: DNS-based and BGP-based. DNS-based scrubbing is typically employed for safeguarding websites by using DNS records to redirect traffic to scrubbing centers. On the other hand, BGP-based scrubbing is far more robust, designed for comprehensive protection of whole networks. By engaging BGP, protected ASes can dynamically advertise their routes to dedicated scrubbers through GRE tunnels, direct connections, or peering arrangements. This flexible mechanism allows traffic to be scrubbed near its source, significantly reducing the impact of DDoS attacks on downstream services.

BGP-based scrubbing is implemented in two modes: ‘always-on,’ where prefixes are continuously routed through scrubbers, or ‘on-demand,’ where rerouting only occurs during an active attack. This adaptability makes BGP-based systems ideal for protecting large-scale, multi-service networks. Measuring the adoption of such systems internationally has revealed essential lessons for network operators and policymakers alike.

Analyzing Global Adoption from 2020 to 2024

A longitudinal study from 2020 to 2024 highlighted key trends in BGP-based DDoS scrubber adoption. Using data from the top five global scrubbing providers (Akamai Prolexic, Cloudflare, Vercara, Imperva, and Radware), researchers analyzed Routing Information Bases (RIBs) collected monthly. Their study revealed a significant rise in adoption, with the percentage of ASes utilizing BGP-based protection increasing nearly threefold—from 0.7% in 2020 to 2% in 2024. Similarly, the number of protected network prefixes rose from 3,154 to an impressive 12,362 during this period.

Most protected ASes belonged to sectors like finance, retail, healthcare, and government, with the financial sector consistently leading the adoption of DDoS scrubbing services. For example, as of December 2024, approximately 7.04% of financial ASes employed these services. This upward trend underscores the growing recognition across various industries of the need to fortify their networks against DDoS threats.

Implications for Network Security and Future Research

These findings hold significant implications for network infrastructure, policymaking, and cybersecurity strategy. Insights into the adoption patterns of BGP-based scrubbing services can help Autonomous System operators make informed decisions when selecting transit providers or peers that prioritize DDoS resilience. Additionally, working groups such as MANRS+ can leverage this research to enhance routing security metrics, promote stricter compliance, and improve DDoS prevention standards globally.

Nevertheless, future work is still needed to fully explore the potential of BGP-based scrubbing. The study primarily focused on one mode of operation where the scrubber acts as an upstream provider. Expanding this research to include models where scrubbers originate prefixes could reveal new insights into global protection practices. As cybersecurity threats continue to evolve, so too must the methodologies to defend critical online infrastructure effectively.
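
The upstream-provider pattern described above, and the scrubber-as-origin case left for future work, can both be read from the AS paths in RIB snapshots. The Python below is an added example, not the researchers' code: the snapshots are constructed, the prefixes and ASNs come from documentation ranges, and 64500 and 64501 are hypothetical scrubber ASNs. It assumes a prefix is always-on only if it sits behind a scrubber in every snapshot, a heuristic that misses on-demand diversions shorter than the sampling interval.

```python
from collections import defaultdict

# Hypothetical scrubber ASNs from the documentation range (RFC 5398), not real providers.
SCRUBBER_ASNS = {64500, 64501}

# Constructed monthly RIB snapshots: month -> [(prefix, AS path as seen at a collector)].
SNAPSHOTS = {
    "2024-01": [("192.0.2.0/24", "64496 64500 64510 64510"),
                ("198.51.100.0/24", "64496 64497 64511"),
                ("203.0.113.0/24", "64496 64500")],
    "2024-02": [("192.0.2.0/24", "64496 64500 64510"),
                ("198.51.100.0/24", "64496 64501 64511"),
                ("203.0.113.0/24", "64496 64500")],
    "2024-03": [("192.0.2.0/24", "64498 64500 64510"),
                ("198.51.100.0/24", "64496 64497 64511"),
                ("203.0.113.0/24", "64496 64500")],
}

def collapse(path):
    """Parse an AS path and drop prepending; return [] for paths with an AS_SET."""
    hops = []
    for tok in path.split():
        if not tok.isdigit():        # e.g. "{64510,64511}": origin is ambiguous
            return []
        if not hops or hops[-1] != int(tok):
            hops.append(int(tok))
    return hops

def scrubber_role(path):
    """Return ("upstream", scrubber, protected_origin), ("origin", scrubber, None) or None."""
    hops = collapse(path)
    if hops and hops[-1] in SCRUBBER_ASNS:
        return ("origin", hops[-1], None)    # protected AS is not visible in the path
    if len(hops) >= 2 and hops[-2] in SCRUBBER_ASNS:
        return ("upstream", hops[-2], hops[-1])
    return None

def classify(snapshots):
    """Map (prefix, origin AS) to "always-on" or "on-demand" for the upstream pattern."""
    seen = defaultdict(set)
    for month, rib in snapshots.items():
        for prefix, path in rib:
            role = scrubber_role(path)
            if role and role[0] == "upstream":
                seen[(prefix, role[2])].add(month)
    return {key: "always-on" if len(months) == len(snapshots) else "on-demand"
            for key, months in seen.items()}

if __name__ == "__main__":
    for key, mode in sorted(classify(SNAPSHOTS).items()):
        print(key, mode)
```

The scrubber-originated prefix (203.0.113.0/24 in the sample) is reported by `scrubber_role` but left out of `classify`, because the protected AS cannot be identified from the path alone.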
