How Traffic Cleaning Works

This page provides a detailed walkthrough of the DDoS traffic cleaning pipeline. For a high-level overview, see DDoS Protection.

Cleaning Pipeline

The following sequence runs automatically for every protected EIP, from detection through diversion, scrubbing, and withdrawal of the diversion; no manual action is needed at any step.

Step 1: Continuous Monitoring & Detection

The analysis system monitors traffic for every protected EIP in near-real time, tracking three inbound metrics: BPS (bits per second), PPS (packets per second), and InCPS (inbound connections per second). Each EIP has a threshold for each metric, either the system default or a custom value you configure. When any one metric crosses its threshold, cleaning begins automatically. Because diversion is triggered by the threshold alone, custom values set below an EIP's legitimate peak will divert normal traffic; size them above the observed baseline.

See Traffic Metrics for a full explanation of each metric and example attack scenarios.

Step 2: BGP Route Diversion

Once an attack is confirmed, the control plane announces a BGP route for the affected EIP to the upstream routers (the orange control-plane flow in the architecture diagram), and within seconds all inbound traffic for that EIP, legitimate and attack alike, is pulled into the cleaning center. No DNS changes or manual intervention are required.

Step 3: Traffic Scrubbing

The cleaning center processes diverted traffic in two stages.

First, hardware-level policing drops traffic that exceeds rate thresholds before it reaches software processing — this handles the highest-volume attacks at line rate.

Second, a deep-packet-inspection engine applies your configured policies: protocol filtering, fingerprint matching, port-range filtering, geographic rules, IP allow/block lists, and rate and session limits. Traffic matching a drop rule is discarded; traffic matching a rate-limit rule is throttled to the configured rate; everything else is marked clean and forwarded to your instance.

Step 4: Clean Traffic Re-injection

After scrubbing, clean traffic is forwarded back to your instance. The BGP diversion route is still in effect at this point, so re-injected traffic cannot simply follow the normal path (it would be pulled back into the cleaning center); it travels through an encapsulated tunnel to the origin instead, as shown in the Forwarding Layer component of the architecture diagram. Bandwidth metering is enforced at this stage to ensure re-injected traffic stays within your subscribed bandwidth limits.

Step 5: Cleaning Conclusion & Escalation

The system continues to monitor traffic throughout the cleaning period. When attack traffic subsides and all metrics return below their thresholds, the BGP diversion route is withdrawn and traffic reverts to the normal path. If the attack intensifies beyond the cleaning center's capacity, the system escalates to full blackhole routing as a last resort: upstream routers drop all traffic to the EIP, legitimate traffic included, so the EIP is unreachable until the blackhole is lifted.

You are notified at each stage: when cleaning begins, when it ends, and if escalation to blackhole occurs. See DDoS Protection — Cleaning Event Lifecycle for state definitions.
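The five steps above form one procedure, so here it is modelled end to end in working Python: a per-EIP state machine for detection, diversion, withdrawal, and blackhole escalation (Steps 1, 2, and 5), and a packet-level scrubber that applies hardware policing, the DPI policies, and re-injection bandwidth metering (Steps 3 and 4). This is an added example written for this page, not the provider's code; the threshold values, the scrubbing-center capacity, the policy schema (including the assumption that allow-listed sources bypass the other DPI rules), the protocol labels, and the packets in the demo scenario are all constructed assumptions.

```python
# Model of the five-step cleaning pipeline on this page: a per-EIP state machine
# (Steps 1, 2, 5) and a packet-level scrubber (Steps 3, 4). Added example: every
# threshold, capacity, policy field and packet here is a constructed assumption.
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

Metrics = namedtuple("Metrics", "bps pps incps")   # one interval's inbound metrics, or thresholds
Packet = namedtuple("Packet", "src proto geo fingerprint size", defaults=("US", "-", 60))

@dataclass
class Policy:                # customer-configured scrubbing policy (assumed shape)
    allow_list: list         # ip_network: sources that bypass the DPI rules (assumption)
    block_list: list         # ip_network: sources dropped outright
    blocked_protocols: set
    blocked_geos: set
    fingerprints: set        # attack signatures matched by the DPI engine
    rate_limits: dict        # protocol -> packets permitted per interval

@dataclass
class Eip:
    thresholds: Metrics
    policy: Policy
    subscribed_bps: int      # bandwidth metered at re-injection (Step 4)
    state: str = "normal"    # "normal" | "cleaning" (diverted) | "blackhole"
    events: list = field(default_factory=list)   # notifications sent to the customer

CLEANING_CAPACITY_BPS = 50_000_000   # assumed scrubbing-center capacity, scaled down

def exceeded(sample, th):
    """Names of the metrics above threshold in this interval (Step 1)."""
    return [m for m in Metrics._fields if getattr(sample, m) > getattr(th, m)]

def step_monitor(eip, sample):
    """Advance the EIP state for one monitoring interval and record notifications."""
    over = exceeded(sample, eip.thresholds)
    if eip.state == "normal" and over:
        eip.state = "cleaning"                  # Step 2: BGP diversion announced
        eip.events.append("cleaning_started:" + ",".join(over))
    elif eip.state == "cleaning" and sample.bps > CLEANING_CAPACITY_BPS:
        eip.state = "blackhole"                 # Step 5: escalation, last resort
        eip.events.append("blackhole")          # lifting it again is not modelled
    elif eip.state == "cleaning" and not over:
        eip.state = "normal"                    # Step 5: diversion route withdrawn
        eip.events.append("cleaning_ended")     # real systems add a cool-down first
    return eip.state

def scrub(eip, packets):
    """Police, inspect and meter one interval of diverted packets (Steps 3 and 4)."""
    pol, used, clean = eip.policy, {}, []
    counts = dict(policed=0, dropped=0, throttled=0, metered=0, forwarded=0)
    survivors = packets[:eip.thresholds.pps]    # Stage 1: line-rate policing keeps at
    counts["policed"] = len(packets) - len(survivors)   # most the PPS threshold
    for p in survivors:                         # Stage 2: DPI policy, first match wins
        src = ip_address(p.src)
        if any(src in n for n in pol.allow_list):
            clean.append(p)
            continue
        if (any(src in n for n in pol.block_list) or p.proto in pol.blocked_protocols
                or p.geo in pol.blocked_geos or p.fingerprint in pol.fingerprints):
            counts["dropped"] += 1
            continue
        if p.proto in pol.rate_limits:
            used[p.proto] = used.get(p.proto, 0) + 1
            if used[p.proto] > pol.rate_limits[p.proto]:
                counts["throttled"] += 1
                continue
        clean.append(p)
    forwarded, bits = [], 0                     # Step 4: metering on re-injection
    for p in clean:
        bits += p.size * 8                      # interval is one second, so bits == bps
        if bits > eip.subscribed_bps:
            counts["metered"] += 1
        else:
            forwarded.append(p)
    counts["forwarded"] = len(forwarded)
    return counts, forwarded

def demo():
    """Constructed scenario: a flood hits the EIP for one interval, then subsides."""
    policy = Policy(allow_list=[ip_network("198.51.100.0/24")],
                    block_list=[ip_network("192.0.2.128/25")],
                    blocked_protocols={"udp/chargen"}, blocked_geos={"XX"},
                    fingerprints={"syn-flood-v1"}, rate_limits={"tcp/syn": 2})
    eip = Eip(Metrics(bps=1_000_000, pps=10, incps=50), policy, subscribed_bps=12_000)
    states = [step_monitor(eip, Metrics(500_000, 5, 10))]          # baseline
    states.append(step_monitor(eip, Metrics(8_000_000, 12, 200)))  # flood begins
    counts, forwarded = scrub(eip, [
        Packet("198.51.100.7", "tcp/syn"),              # allow-listed, bypasses DPI
        Packet("192.0.2.200", "tcp/syn"),               # block-listed
        Packet("192.0.2.3", "udp/chargen", size=1400),  # blocked protocol
        Packet("192.0.2.4", "tcp/syn", geo="XX"),       # blocked geography
        Packet("192.0.2.5", "tcp/syn", fingerprint="syn-flood-v1"),
        Packet("192.0.2.6", "tcp/syn"), Packet("192.0.2.7", "tcp/syn"),
        Packet("192.0.2.8", "tcp/syn"),                 # third SYN this interval: throttled
        Packet("192.0.2.9", "tcp/https", size=1200), Packet("192.0.2.11", "tcp/https", size=1200),
        Packet("192.0.2.12", "tcp/https", size=1200),   # packets 11 and 12 exceed the
        Packet("192.0.2.13", "tcp/https", size=1200),   # PPS budget and are policed
    ])
    states.append(step_monitor(eip, Metrics(700_000, 8, 20)))      # flood subsides
    return states, eip.events, counts, [p.src for p in forwarded]

if __name__ == "__main__":
    print(demo())
```

Running `demo()` walks one EIP through normal, cleaning, and back to normal, and shows every disposition the page describes on a single interval of packets: two policed at line rate before inspection, four dropped by block list, protocol, geography and fingerprint rules, one throttled by the per-protocol rate limit, and one clean packet dropped by bandwidth metering because the subscribed rate was already used up. Two simplifications matter in practice: real deployments hold the diversion for a cool-down period before withdrawing it so that a brief dip does not cause route flapping, and blackhole routing is left as a terminal state because the page does not describe how it is lifted.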

Architecture Diagram

The diagram below illustrates the complete traffic cleaning pipeline, from initial detection through BGP diversion, scrubbing, and re-injection.

Cleaning Architecture

Key flows:

  • Green (solid): Clean or normal traffic following the standard forwarding path.

  • Red (dashed): Attack traffic diverted via BGP to the cleaning center.

  • Orange (dashed): BGP control signals between the control plane and upstream routers.

Cleaning center components:

  • Hardware Acceleration: Programmable switches perform line-rate BPS/PPS policing, handling the highest-volume attacks before software processing.

  • Scrubbing Device: Deep-packet-inspection engine applying protocol filtering, fingerprint matching, port range filtering, and geographic rules.

  • Policy Engine: Applies customer-configured policies — IP allow/block lists, rate limits, session limits, and geo-blocking rules.

  • Forwarding Layer: Re-injects clean traffic back to the origin via encapsulated tunnels, with bandwidth metering enforcement.
