As DDoS attacks grow in scale and complexity, modern mitigation strategies are evolving to meet the challenge. Organisations today have more powerful tools than ever—but success hinges on speed, automation, and adaptability.
At FastNetMon, we believe that efficiency of DDoS defence lies in real-time detection and intelligent traffic diversion—especially when integrating with scrubbing centres.
In this post, we’ll break down what scrubbing centres actually do, how they work, and why FastNetMon makes the whole process more efficient by automating diversion only when you need it.
What Is a Scrubbing Centre?
A scrubbing centre is a network facility or cloud-based service designed to defend against large-scale Distributed Denial of Service (DDoS) attacks. When under attack, traffic is redirected to the scrubbing provider’s infrastructure, where malicious packets are filtered out and clean traffic is sent back to its original destination.
Scrubbing centres are equipped with high-bandwidth capacity (hundreds of Gbps to multi-Tbps) and advanced filtering capabilities. Their role is to absorb and neutralise attack traffic before it reaches your own network infrastructure.
Some organisations use always-on scrubbing, where all inbound traffic is permanently routed through the provider. But this comes at the cost of higher latency, increased operational complexity, and ongoing expense.
FastNetMon enables a smarter approach: traffic is only diverted to a scrubbing centre during an actual attack. The rest of the time, it flows directly to your infrastructure, with no added latency.
How DDoS Scrubbing Works
Scrubbing Centres in “Always-On” Mode
In a traditional always-on scrubbing setup, all inbound traffic—legitimate and malicious—is routed through the scrubbing provider at all times, regardless of whether an attack is in progress.
Traffic enters the provider’s global infrastructure, where it undergoes multiple layers of inspection:
- Volumetric filtering: Traffic is compared against known DDoS signatures and volume thresholds (packets per second, bits per second).
- Behavioural analysis: Machine learning or anomaly detection is used to identify suspicious traffic patterns.
- Application-layer filtering: Protocol-specific attacks (e.g. HTTP floods) are mitigated using challenge-response mechanisms.
- Encrypted traffic handling: HTTPS traffic may be decrypted and inspected before re-encryption.
- Geo-blocking and IP reputation filtering: Requests from high-risk regions or known bad actors are dropped.
Once the filtering is complete, clean traffic is forwarded to your infrastructure via GRE or IPsec tunnels. This method is reliable and offers strong protection—but it introduces some notable trade-offs:
- Additional latency, since traffic is always detoured through the scrubbing centre
- Higher cost, due to continuous usage and clean traffic metering
- Potential for false positives, if aggressive filters block legitimate users
FastNetMon: Automating On-Demand Scrubbing Diversion
FastNetMon enables a more intelligent and efficient approach. Instead of routing all traffic through the scrubbing provider all the time, FastNetMon monitors your network in real time and diverts only the affected traffic during an active DDoS attack.
Here’s how it works:
- Real-Time Detection
FastNetMon ingests flow data (NetFlow, sFlow, IPFIX) and continuously monitors per-IP and per-prefix traffic volumes, identifying abnormal patterns within seconds. - Automatic Diversion Triggers
When a DDoS attack is detected—based on thresholds or behavioural analysis—FastNetMon automatically:- Injects BGP route announcements or FlowSpec rules to steer traffic
- Signals upstream transit providers or scrubbing services to divert specific prefixes
- Targets only the impacted IPs, while leaving the rest of your traffic untouched
- Injects BGP route announcements or FlowSpec rules to steer traffic
- Tunneled Redirection
Traffic for the affected IPs is routed through a pre-configured GRE or IPsec tunnel, which terminates at the scrubbing provider. The tunnel itself is not created by FastNetMon, but FastNetMon controls when traffic is sent there. - Rollback After Mitigation
Once the attack subsides, FastNetMon automatically withdraws the diversion and restores normal routing—no manual intervention required.
Why This Matters
FastNetMon’s approach to scrubbing centre automation offers several key advantages:
- Lower latency: Your normal traffic doesn’t pass through the scrubbing provider unless necessary.
- Cost savings: You only use the scrubbing service during active attacks.
- Surgical mitigation: Only the affected services or IP ranges are diverted, avoiding broad or unnecessary filtering.
This model turns scrubbing into a precise, real-time defence mechanism—one that adapts dynamically to your network’s state without operator input.
Pros and Cons of Using a Scrubbing Centre
The Traditional Trade-Off
Scrubbing centres are powerful allies in defending against large-scale DDoS attacks. With their massive bandwidth, specialized filtering hardware, and global reach, they can absorb even multi-terabit floods and keep services online when under extreme pressure.
Traditionally, the safest way to use a scrubbing provider was to route all inbound traffic through them at all times—a model known as always-on scrubbing. While this ensures constant protection, it comes with some significant compromises:
- Traffic is always detoured through the scrubbing network, adding unavoidable latency—even when there’s no attack.
- Continuous use of the service can lead to high operational costs, especially when pricing is based on clean traffic volume.
- Since all traffic is inspected, there’s a higher risk of false positives, where legitimate users are inadvertently blocked or challenged.
For many organisations, this means paying a premium for protection they may only need occasionally—and dealing with the performance hit every day.
How FastNetMon Helps: The Best of Both Worlds
FastNetMon enables a smarter model: automated, on-demand diversion to the scrubbing centre only when an attack is actually happening.
With real-time flow analysis and programmable diversion logic, FastNetMon automatically:
- Detects DDoS attacks in seconds
- Diverts only the affected traffic or prefixes to the scrubbing provider
- Restores normal routing automatically once the threat subsides
This means you get all the benefits of scrubbing—scale, performance, and protection—without the drawbacks of always-on routing.
In short: FastNetMon gives you cloud-scale protection when you need it, and high-performance direct routing when you don’t.
Comparison table: Pros, Cons & How FastNetMon Improves the Model
| Aspect | Traditional Scrubbing Centers | FastNetMon’s Smart Automation |
|---|---|---|
| Attack Absorption Capacity | ✅ Absorbs massive volumetric attacks (100s of Gbps to Tbps) | ✅ Leverages same high-capacity infrastructure when needed |
| Filtering Capabilities | ✅ Advanced filtering (DPI, HTTPS inspection, bot detection, etc.) | ✅ Seamless integration with provider’s full filtering stack |
| Global Reach | ✅ Geographically distributed centres for low-latency global defence | ✅ Can divert traffic to nearest available scrubbing POP when required |
| Always-On Protection | ✅ All traffic filtered at all times | 🚫 Not needed — FastNetMon enables protection only when attack is detected |
| Latency Impact | ⚠️ Always-on rerouting adds baseline latency | ✅ Normal traffic takes fastest, direct path when not under attack |
| Cost Efficiency | ⚠️ Higher ongoing cost — billed on clean traffic or flat always-on rate | ✅ Pay-as-you-need protection — traffic diverted only during attacks |
| False Positives | ⚠️ Legitimate users can be blocked due to aggressive filtering | ✅ Only suspicious traffic is filtered — rest continues via normal route |
| Control & Flexibility | ⚠️ Vendor lock-in, limited dynamic control | ✅ Full control of diversion logic, thresholds, targets via BGP, FlowSpec, or API |
| Response Time | ⚠️ No distinction between normal and attack traffic — always filtered | ✅ Attack detection within seconds and automatic diversion/rollback without manual intervention |
| Prefix-Level Precision | ⚠️ May affect all services, even if only one IP is attacked | ✅ Only impacted prefixes or IPs are diverted, rest of traffic is unaffected |
Conclusion
DDoS scrubbing centers remain a cornerstone of modern network defense—offering unmatched scale and advanced filtering capabilities. However, traditional always-on scrubbing can introduce latency and cost challenges.
FastNetMon changes the game by automating on-demand scrubbing centre diversion, giving you cloud-scale protection only when you need it. This means faster performance, lower costs, and smarter, surgical mitigation—all without manual intervention. Ready to protect your network efficiently and effectively? Contact our team at sales@fastnetmon.com to learn how FastNetMon can transform your DDoS defence.