Company | 28 JUL 2025 | 2 min read

Inline vs. Diversion: Why Architecture Matters

James Chen

CEO & Co-Founder

When evaluating DDoS mitigation providers, the most important question isn't "how much capacity do you have?" It's "how is that capacity deployed?"

The answer reveals a fundamental architectural difference that affects latency, reliability, cost, and time-to-mitigate. Let's break it down.

How traditional scrubbing works

Most DDoS mitigation providers use a diversion-based model. During normal operation, your traffic flows directly to your infrastructure. When an attack is detected (either manually or via monitoring), your traffic is "diverted" to a scrubbing center — typically by re-announcing your IP prefixes via BGP to route traffic through the provider's network.

The scrubbing center filters out attack traffic and forwards clean traffic back to you, usually via GRE tunnel or direct interconnect.

The problems with diversion

Detection delay: Someone (or something) has to notice the attack and trigger diversion. This takes minutes at best, and much longer if it requires manual intervention.

BGP propagation delay: Once diversion is triggered, it takes 2-5 minutes for the BGP route changes to propagate globally. During this time, you're absorbing the full attack.

Added latency: All your traffic — clean and malicious — now takes a detour through the scrubbing center. This adds 10-50ms of latency depending on the geographic distance.

Asymmetric routing: Return traffic doesn't flow through the scrubbing center, creating asymmetric paths that can confuse stateful devices and break certain protocols.

Failback risk: When the attack ends, you need to fail back to direct routing. This is another BGP change with another propagation delay, and if done prematurely, the attack can resume.

How Wirescope works

Wirescope's architecture is fundamentally different. There is no diversion because your traffic always flows through our network. We're your transit provider and your DDoS mitigation provider. Same network. Same hardware. Same path.

Always-on: Mitigation doesn't need to be "activated." Every packet is inspected at the edge, in real time, from day one.

Zero added latency: Because we're inline, clean traffic takes the same path whether or not an attack is in progress. No detour. No extra hops.

Instant mitigation: When an attack begins, our hardware filters engage in under 100ms. No BGP changes. No propagation delay. No human in the loop.

Symmetric: All traffic — inbound and outbound — flows through our network, eliminating asymmetric routing issues.
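To put the two timelines side by side, here is an added Python model (my own illustration, not Wirescope's code or measurements). It assumes a 2-minute detection delay, a 3-minute BGP propagation, a 100 ms inline engagement time, and two constructed 200 Gbps attack waves; it shows how a premature failback between the waves doubles the unfiltered window under diversion, while the inline path pays only its engagement time each time.

```python
"""Timeline model of diversion-based vs inline DDoS mitigation.
Constructed example, not Wirescope code; all parameters are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attack:
    start_s: float      # attack start, seconds from t=0
    end_s: float        # attack end
    rate_gbps: float    # attack volume


def diversion_exposure(attacks, detection_s, bgp_s, holddown_s):
    """Return (seconds unfiltered, gigabits delivered to the target) under diversion.

    Traffic is filtered only once detection_s + bgp_s have elapsed after an attack
    starts. Diversion is held for holddown_s after an attack ends before failing back;
    a wave that starts while still diverted is filtered immediately, one that starts
    after failback pays the full detection and propagation delay again.
    """
    exposed_s = absorbed_gb = 0.0
    diverted_until = float("-inf")
    for atk in sorted(attacks, key=lambda a: a.start_s):
        if atk.start_s < diverted_until:
            filtered_at = atk.start_s
        else:
            filtered_at = min(atk.end_s, atk.start_s + detection_s + bgp_s)
        window = filtered_at - atk.start_s
        exposed_s += window
        absorbed_gb += window * atk.rate_gbps
        diverted_until = max(diverted_until, atk.end_s + holddown_s)
    return exposed_s, absorbed_gb


def inline_exposure(attacks, engage_s=0.1):
    """Same metrics for an always-on inline filter that engages within engage_s
    (0.1 s is the post's stated sub-100 ms bound, assumed here as the worst case)."""
    windows = [min(engage_s, a.end_s - a.start_s) for a in attacks]
    return sum(windows), sum(w * a.rate_gbps for w, a in zip(windows, attacks))


# Constructed scenario: a 10-minute 200 Gbps wave, then a second wave 100 s later.
WAVES = [Attack(0, 600, 200.0), Attack(700, 1000, 200.0)]

if __name__ == "__main__":
    for label, holddown in (("premature failback", 0), ("10-min holddown", 600)):
        print(label, diversion_exposure(WAVES, detection_s=120, bgp_s=180, holddown_s=holddown))
    print("inline", inline_exposure(WAVES))
```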

The numbers

Metric                          Traditional Scrubbing   Wirescope Inline
Time to mitigate                2-10 minutes            <100ms
Added latency (clean traffic)   10-50ms                 0ms
BGP changes required            Yes (every event)       None
Manual intervention             Often required          Never
Failback risk                   Yes                     N/A

The bottom line

Architecture isn't a detail — it's the foundation. You can't patch diversion-based scrubbing to match the performance of inline mitigation. The physics don't allow it.

When you're evaluating DDoS mitigation, don't just compare capacity numbers. Compare architectures. The difference will define your experience during the attack that matters most.