
No Scrubs: The Architecture That Made Unmetered Mitigation Possible

What's this blog post about?

In this article, John Graham-Cumming discusses the problems associated with using scrubbing centers or servers for DDoS mitigation services. He identifies three main issues: bandwidth, cost, and knowledge. The bandwidth problem arises from the need to have a large amount of network capacity available to handle massive attacks, which is expensive and complicated to provide and maintain. The cost issue stems from the exotic network hardware that scrubbing centers require, which has traditionally made DDoS mitigation services very expensive. Lastly, the knowledge problem is the difficulty of distinguishing good traffic from bad as attackers become more sophisticated. Graham-Cumming argues that dedicated scrubbers can lead to building better software and improving overall performance under load.

He explains how Cloudflare's approach eliminates the need for scrubbing centers and hardware, significantly changing the cost of building a DDoS mitigation service. By using low-cost or commodity networking equipment and automation, Cloudflare has built a scalable network capable of handling attack traffic globally over low-latency links. The article also highlights how Cloudflare's custom DDoS mitigation stack uses iptables and kernel bypass techniques to offload processing and handle large attacks without affecting its multi-tenant service. Additionally, the company has open-sourced various tools and contributed to projects such as OpenResty for building L7 defenses.

In conclusion, Cloudflare's DDoS mitigation architecture and custom software enable Unmetered Mitigation, allowing it to withstand the largest attacks as its network grows.

Company
Cloudflare

Date published
Sept. 25, 2017

Author(s)
John Graham-Cumming

Word count
1404

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.