Infrastructure protection services allow organizations to tunnel all ingress traffic (traffic from the Internet to the origin network) through a network of scrubbing centers. One or more edge routers of an organization's network use the Border Gateway Protocol (BGP) to announce the subnets and IP ranges that are to be advertised by the scrubbing centers, thus forcing all incoming traffic arriving via the Internet routes to be directed to the scrubbing center network instead of to the organization's data center that forms the network infrastructure.
Infrastructure protection services use Generic Routing Encapsulation (GRE) tunneling to forward the incoming traffic to the organization's network after the traffic has been scrubbed of any DDoS attack traffic. The incoming and outgoing Internet traffic for an organization can be routed through scrubbing centers in two ways. The first is for an organization's edge router to announce that the scrubbing centers' autonomous system (AS) is the owner of the organization's IP range. The second is for the scrubbing centers' edge routers to announce that they are the owner of the organization's IP range. Both of these methods lead to the customer traffic being routed through the scrubbing centers and scrubbed prior to reaching the organization's data center.
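As an added illustration, not part of this description, the following Python builds the GRE-tunneled packet a scrubbing center would forward to the organization's edge router and shows the edge-router side validating and unwrapping it; the 4-byte GRE header with protocol type 0x0800 and the outer IPv4 protocol number 47 are the standard values from RFC 2784, and all addresses are constructed samples from documentation ranges.

```python
import struct
import ipaddress

GRE_PROTO_IPV4 = 0x0800  # protocol type carried in the GRE header for an inner IPv4 packet
IP_PROTO_GRE = 47        # outer IPv4 protocol number for GRE


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, scrubber_ip: str, edge_router_ip: str) -> bytes:
    """Scrubbing-center side: outer IPv4 (proto 47) + basic GRE header + scrubbed inner packet."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)  # C/K/S flags and version all zero
    outer = ipv4_header(scrubber_ip, edge_router_ip, IP_PROTO_GRE, len(gre) + len(inner_packet))
    return outer + gre + inner_packet


def gre_decapsulate(packet: bytes) -> bytes:
    """Edge-router side: check outer header and GRE fields, return the inner IPv4 packet."""
    if len(packet) < 24 or packet[0] >> 4 != 4 or packet[9] != IP_PROTO_GRE:
        raise ValueError("not an IPv4 packet carrying GRE")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    flags_ver, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    # This example only handles the basic RFC 2784 header: no checksum/key/sequence fields.
    if flags_ver != 0 or proto != GRE_PROTO_IPV4:
        raise ValueError("unsupported GRE flags, version or payload type")
    return packet[ihl + 4:]


if __name__ == "__main__":
    # Constructed sample: an Internet client's packet destined for the protected origin.
    inner = ipv4_header("198.51.100.7", "192.0.2.10", 17, 8) + b"scrubbed"
    tunnelled = gre_encapsulate(inner, "203.0.113.1", "192.0.2.1")
    assert gre_decapsulate(tunnelled) == inner
```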
In order to use the infrastructure protection service, an organization must own a minimum number of IP addresses (for example, 256 IP addresses). Thus, an organization with fewer IP addresses than the minimum required for traditional infrastructure protection services may not be able to use the service, and may therefore remain exposed to DDoS attacks. Additionally, existing systems require that each protected network manually establish a dedicated GRE tunnel with each of the scrubbing centers. This is very difficult for smaller organizations that lack the proper network administration skills.
Prior solutions have been sub-optimal. On-premises solutions are rapidly losing their advantage as attacks get larger and bots become more human-like; it makes more sense to mount a community defense in the cloud. Cloud-based solutions are better equipped to handle the changing attack environment, but require that an entire Class C network be protected. ISP clean-pipe solutions lack the capacity to handle even average-size attacks, especially packet-based attacks; security is not always a core capability of an ISP, and ISPs often lack the security expertise of a dedicated DDoS mitigation provider. Proxy-based solutions completely hide the client IP, which breaks many applications and completely bypasses the firewall. Hybrid solutions are transient, only kicking in when a sustained attack occurs.