ddos cloud-computing: Updated Sun, 02 Oct 2022 06:35:24 GMT

What happens to malicious traffic in a scrubbing center during a DDoS attack?

My understanding of a scrubbing center is when a DDoS is underway, all traffic gets routed to a scrubbing center where traffic is analyzed and all legitimate traffic is then sent to the targeted network while the malicious traffic is not.

What happens to that malicious traffic and/or where does it go to?

Solution

The malicious traffic is effectively firewalled. That means that the sending system either receives a TCP RST or an ICMP response with similar semantics, or the packets are simply just dropped.

If the attack involves a legitimate connection (as opposed to just packets with a fake source address), then dropping the incoming packets will at some point prevent a legitimate TCP implementation from sending more data since it will exhaust the window without receiving any ACKs. If the attack is due to UDP or ICMP packets, there is no connection, and dropping them will generally be the right thing to do.

So typically, the traffic goes nowhere: the packets are just discarded.

Comments (1)

+2 – or they go to a black hole (slightly different than being 'dropped') cloudflare.com/en-ca/learning/ddos/glossary/… and some might go to a honeypot/sandbox for further analysis. — Aug 21, 2022 at 15:29

References

https://security.stackexchange.com/questions/264242