13

I understand that traffic is redirected to a scrubbing center during a DDoS to differentiate between malicious and legitimate traffic, as has been explained in this post. However, from a technical point of view, scrubbing centers seem like a black box to me.

What is really going on at a scrubbing center? Which methods are used and are there any statistics on the efficiency?

Ma.Na

1 Answer

2

At the scrubbing center there are multiple layers of protection through routers, different mitigation appliances and the use of high-capacity bandwidth links that distribute the traffic. The difference is that, upon attack, this traffic is analyzed remotely. Generally this involves the victim routing their traffic via a BGP announcement to the mitigation service provider, which requires an ASN, or making a DNS change to point the attacked domain to an IP address within the mitigation provider's network. Either method should require some baselining of normal traffic to help generate a profile and reduce collateral damage. Before choosing a provider, one should request a "stress test" to confirm the provider's mitigation abilities.

user135010
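The baselining step mentioned in the answer can be sketched as follows; this is an added example, not part of the original answer and not any provider's actual method. It builds a per-class rate ceiling from normal traffic and, during an attack, diverts only the classes that exceed it, so legitimate classes pass untouched. The traffic classes, sample rates, and the `k`, `floor` and `unknown_ceiling` parameters are all constructed assumptions.

```python
import statistics

# Constructed baseline: packets/sec per (protocol, dst port), sampled in normal operation.
BASELINE = {
    ("tcp", 443): [900, 950, 1010, 980, 1020, 940, 990, 1005],
    ("tcp", 80):  [300, 320, 290, 310, 305, 315, 298, 307],
    ("udp", 53):  [40, 55, 48, 52, 45, 50, 47, 51],
}

# Constructed observation taken during an attack interval.
UNDER_ATTACK = {
    ("tcp", 443): 1040,   # ordinary HTTPS load
    ("tcp", 80): 330,     # ordinary HTTP load
    ("udp", 53): 25000,   # far above the DNS baseline
    ("udp", 123): 18000,  # class never seen in the baseline
}

def build_profile(samples, k=4.0, floor=10.0):
    """Ceiling per class = median + k * MAD; MAD is robust to baseline outliers.

    `floor` keeps very steady classes from getting a ceiling so tight that
    normal jitter would be scrubbed (collateral damage).
    """
    profile = {}
    for cls, rates in samples.items():
        med = statistics.median(rates)
        mad = statistics.median(abs(r - med) for r in rates)
        profile[cls] = med + k * max(mad, floor)
    return profile

def classify(profile, observed, unknown_ceiling=100.0):
    """Return {class: 'pass' | 'scrub'} for one observation interval.

    Classes absent from the baseline get a small fixed allowance instead of
    being dropped outright.
    """
    return {
        cls: "scrub" if rate > profile.get(cls, unknown_ceiling) else "pass"
        for cls, rate in observed.items()
    }

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for cls, verdict in classify(profile, UNDER_ATTACK).items():
        print(cls, UNDER_ATTACK[cls], "pps ->", verdict)
```
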