How does BGP scrubbing actually mitigate a DDoS attack?

BGP scrubbing mitigates DDoS attacks by using the Border Gateway Protocol to reroute your traffic through a provider's filtering infrastructure, where malicious packets are dropped before clean traffic is forwarded back to you. The core mechanism is BGP hijacking: during an attack, your mitigation provider announces your IP prefixes from their scrubbing centers with a higher BGP preference (a shorter AS_PATH or higher LOCAL_PREF). This makes their route the most attractive path in the global routing table, diverting all traffic destined for your network to them. At the scrubbing center, traffic undergoes deep packet inspection, rate limiting, and other filtering techniques to identify and drop attack traffic. The cleansed traffic is then sent to your network, typically over a GRE tunnel or private backbone, using a more specific route. Your router configuration like `neighbor x.x.x.x route-map SCALE in` is used to accept these mitigation routes only during an attack, ensuring normal routing resumes afterward.