A First Look at the Adoption of BGP-based DDoS Scrubbing Services: A 5-year Longitudinal Analysis

Shyam Krishna Khadka; Suzan Bayhan; Ralph Holz; Saeedeh Shokoohi; Marinho Barcellos; Cristian E.W. Hesselman

doi:10.23919/CNSM67658.2025.11297552

A First Look at the Adoption of BGP-based DDoS Scrubbing Services: A 5-year Longitudinal Analysis

Shyam Krishna Khadka
, Suzan Bayhan
, Ralph Holz
, Saeedeh Shokoohi
, Marinho Barcellos
, Cristian E.W. Hesselman

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

269 Downloads (Pure)

Abstract

Besides being the de facto routing protocol of the Internet, the Border Gateway Protocol (BGP) has also been used for mitigating Distributed Denial of Service (DDoS) attacks for many years. In such situations, victims of DDoS attacks use BGP to redirect attack traffic to a “scrubber” outside their network, which separates clean traffic from DDoS traffic and forwards the former to the victim’s network. While there exist many BGP-based DDoS scrubbing providers, their adoption on the global Internet remains unstudied. This paper aims to fill this gap by identifying and characterizing Autonomous Systems (ASes) and prefixes protected by five of the leading scrubbing providers, using AS path patterns in public BGP routing data. Our study focuses on scrubbers that allow their protected ASes to originate their prefixes themselves. We find that the percentage of ASes using this kind of protection has increased almost three times
(from 0.7% to 2% and from 464 ASes to 1,730 ASes) between 2020 and 2024. Similarly, the percentage of protected prefixes has also increased three times in the same period, from 0.3% to 0.9% and from 3,154 to 12,362 prefixes, across both IPv4 and IPv6. Globally, we observe a higher adoption rate among financial
institutions, while adoption remains low among educational institutions. We believe our insights will be useful for individual AS operators to find the transit providers or peers that are DDoS-protected. It might also be useful for (national) policy-makers to incentivize the adoption of DDoS protection services and for
researchers studying the phenomenon of DDoS scrubbing.

Original language	English
Title of host publication	2025 21st International Conference on Network and Service Management (CNSM)
Number of pages	7
ISBN (Electronic)	978-3-903176-75-1
DOIs	https://doi.org/10.23919/CNSM67658.2025.11297552
Publication status	Published - 22 Dec 2025
Event	21th International Conference on Network and Service Management, CNSM 2025 - Bologna, Italy Duration: 27 Oct 2025 → 31 Oct 2025 Conference number: 21 https://www.cnsm-conf.org/2025/

Conference

Conference	21th International Conference on Network and Service Management, CNSM 2025
Abbreviated title	CNSM 2025
Country/Territory	Italy
City	Bologna
Period	27/10/25 → 31/10/25
Internet address	https://www.cnsm-conf.org/2025/

Access to Document

10.23919/CNSM67658.2025.11297552Licence: Unspecified

BGP_based_scrubbing_servicesAccepted author version, 313 KBLicence: CC BY-NC-SA

Cite this

@inproceedings{44edbf4b0bbd4ccb93f72bb706011fe5,

title = "A First Look at the Adoption of BGP-based DDoS Scrubbing Services: A 5-year Longitudinal Analysis",

abstract = "Besides being the de facto routing protocol of the Internet, the Border Gateway Protocol (BGP) has also been used for mitigating Distributed Denial of Service (DDoS) attacks for many years. In such situations, victims of DDoS attacks use BGP to redirect attack traffic to a “scrubber” outside their network, which separates clean traffic from DDoS traffic and forwards the former to the victim{\textquoteright}s network. While there exist many BGP-based DDoS scrubbing providers, their adoption on the global Internet remains unstudied. This paper aims to fill this gap by identifying and characterizing Autonomous Systems (ASes) and prefixes protected by five of the leading scrubbing providers, using AS path patterns in public BGP routing data. Our study focuses on scrubbers that allow their protected ASes to originate their prefixes themselves. We find that the percentage of ASes using this kind of protection has increased almost three times (from 0.7\% to 2\% and from 464 ASes to 1,730 ASes) between 2020 and 2024. Similarly, the percentage of protected prefixes has also increased three times in the same period, from 0.3\% to 0.9\% and from 3,154 to 12,362 prefixes, across both IPv4 and IPv6. Globally, we observe a higher adoption rate among financial institutions, while adoption remains low among educational institutions. We believe our insights will be useful for individual AS operators to find the transit providers or peers that are DDoS-protected. It might also be useful for (national) policy-makers to incentivize the adoption of DDoS protection services and for researchers studying the phenomenon of DDoS scrubbing.",

author = "Khadka, \{Shyam Krishna\} and Suzan Bayhan and Ralph Holz and Saeedeh Shokoohi and Marinho Barcellos and Hesselman, \{Cristian E.W.\}",

year = "2025",

month = dec,

day = "22",

doi = "10.23919/CNSM67658.2025.11297552",

language = "English",

booktitle = "2025 21st International Conference on Network and Service Management (CNSM)",

note = "21th International Conference on Network and Service Management, CNSM 2025, CNSM 2025 ; Conference date: 27-10-2025 Through 31-10-2025",

url = "https://www.cnsm-conf.org/2025/",

}

Khadka, SK , Bayhan, S , Holz, R, Shokoohi, S, Barcellos, M & Hesselman, CEW 2025, A First Look at the Adoption of BGP-based DDoS Scrubbing Services: A 5-year Longitudinal Analysis. in 2025 21st International Conference on Network and Service Management (CNSM). 21th International Conference on Network and Service Management, CNSM 2025, Bologna, Italy, 27/10/25. https://doi.org/10.23919/CNSM67658.2025.11297552

TY - GEN

T1 - A First Look at the Adoption of BGP-based DDoS Scrubbing Services: A 5-year Longitudinal Analysis

AU - Khadka, Shyam Krishna

AU - Bayhan, Suzan

AU - Holz, Ralph

AU - Shokoohi, Saeedeh

AU - Barcellos, Marinho

AU - Hesselman, Cristian E.W.

N1 - Conference code: 21

PY - 2025/12/22

Y1 - 2025/12/22

N2 - Besides being the de facto routing protocol of the Internet, the Border Gateway Protocol (BGP) has also been used for mitigating Distributed Denial of Service (DDoS) attacks for many years. In such situations, victims of DDoS attacks use BGP to redirect attack traffic to a “scrubber” outside their network, which separates clean traffic from DDoS traffic and forwards the former to the victim’s network. While there exist many BGP-based DDoS scrubbing providers, their adoption on the global Internet remains unstudied. This paper aims to fill this gap by identifying and characterizing Autonomous Systems (ASes) and prefixes protected by five of the leading scrubbing providers, using AS path patterns in public BGP routing data. Our study focuses on scrubbers that allow their protected ASes to originate their prefixes themselves. We find that the percentage of ASes using this kind of protection has increased almost three times (from 0.7% to 2% and from 464 ASes to 1,730 ASes) between 2020 and 2024. Similarly, the percentage of protected prefixes has also increased three times in the same period, from 0.3% to 0.9% and from 3,154 to 12,362 prefixes, across both IPv4 and IPv6. Globally, we observe a higher adoption rate among financial institutions, while adoption remains low among educational institutions. We believe our insights will be useful for individual AS operators to find the transit providers or peers that are DDoS-protected. It might also be useful for (national) policy-makers to incentivize the adoption of DDoS protection services and for researchers studying the phenomenon of DDoS scrubbing.

AB - Besides being the de facto routing protocol of the Internet, the Border Gateway Protocol (BGP) has also been used for mitigating Distributed Denial of Service (DDoS) attacks for many years. In such situations, victims of DDoS attacks use BGP to redirect attack traffic to a “scrubber” outside their network, which separates clean traffic from DDoS traffic and forwards the former to the victim’s network. While there exist many BGP-based DDoS scrubbing providers, their adoption on the global Internet remains unstudied. This paper aims to fill this gap by identifying and characterizing Autonomous Systems (ASes) and prefixes protected by five of the leading scrubbing providers, using AS path patterns in public BGP routing data. Our study focuses on scrubbers that allow their protected ASes to originate their prefixes themselves. We find that the percentage of ASes using this kind of protection has increased almost three times (from 0.7% to 2% and from 464 ASes to 1,730 ASes) between 2020 and 2024. Similarly, the percentage of protected prefixes has also increased three times in the same period, from 0.3% to 0.9% and from 3,154 to 12,362 prefixes, across both IPv4 and IPv6. Globally, we observe a higher adoption rate among financial institutions, while adoption remains low among educational institutions. We believe our insights will be useful for individual AS operators to find the transit providers or peers that are DDoS-protected. It might also be useful for (national) policy-makers to incentivize the adoption of DDoS protection services and for researchers studying the phenomenon of DDoS scrubbing.

U2 - 10.23919/CNSM67658.2025.11297552

DO - 10.23919/CNSM67658.2025.11297552

M3 - Conference contribution

BT - 2025 21st International Conference on Network and Service Management (CNSM)

T2 - 21th International Conference on Network and Service Management, CNSM 2025

Y2 - 27 October 2025 through 31 October 2025

ER -

A First Look at the Adoption of BGP-based DDoS Scrubbing Services: A 5-year Longitudinal Analysis

Abstract

Conference

Access to Document

Fingerprint

Cite this