Distributed denial-of-service (DDoS) attacks are getting larger, faster, and more expensive to absorb. In 2025, the total number of DDoS attacks worldwide increased by 198% compared to the previous year. The root of the problem is attack surface: on today’s Internet, network endpoints and paths are discoverable by design, which gives attackers something to target in the first place.
That is why attack surface reduction matters. Instead of accepting that every exposed service will eventually be flooded or disrupted, a stronger approach is to reduce how much of your network is visible and reachable at all. Traditional DDoS defenses still play an important role, but most are reactive, helping only after attack traffic is already on its way. Prevention is better than mitigation, and that is the path SCION takes: it reduces the network attack surface so unauthorized entities cannot discover or reach the service they want to attack. Anapaya’s SCION Secure Access Groups feature is built around this principle, creating invite-only groups in which endpoints are visible only to authorized members.
For network architects and security operations center (SOC) leaders, this distinction is important. If the goal is enterprise resilience, the question is not only how to mitigate an attack, but how to make the network harder to attack in the first place.
In this blog, we’ll look at why DDoS prevention based on network attack surface reduction is more effective than traditional solutions, tying back to a few famous examples of DDoS attacks that show how much this matters for network resilience.
What is attack surface reduction and why does it matter?
Attack surface reduction is a proactive security approach that minimizes the number of entry points available to attackers such as IP addresses, open ports, or publicly routable prefixes. In networking, that means making infrastructure unreachable to unauthorized entities to begin with.
In practice, most network security teams spend significant effort hardening systems that are still reachable via the public Internet. They add overlays on the network such as firewalls, filtering rules, scrubbing services, rate limits, and traffic analysis. Those tools are useful, but they do not remove the underlying exposure. If an attacker can still discover the endpoint, resolve the route, and send traffic toward it, the organization remains in a reactive position.
That is why attack surface reduction is a more fundamental approach – it essentially disrupts a cyber criminal’s ability to see your endpoints. Fewer exposed endpoints and paths mean fewer opportunities for DDoS attacks. At the networking layer, this is especially powerful because it changes the conditions under which an attacker can even attempt a volumetric attack. Instead of setting up more defensive layers around a visible target, the ideal architecture simply removes the target from malicious actors’ line of sight.
How do DDoS attacks exploit today’s Internet?
A natural next step is to ask why attack surfaces are so large on today’s Internet in the first place. The current Internet was built for open and flexible connectivity – sharing anything across all networks – not for selective invisibility. The answer also lies partly in the Internet’s routing model: BGP. Public reachability is not accidental; it is a built-in feature of how networks exchange path information globally. Protocols such as BGP were designed for openness and interoperability, not for minimizing attack surface or restricting visibility to authorized participants. BGP is also built on implicit trust – the network and its participants were initially so contained that trust was simply assumed. Today, the Internet has reached such a size that trust must be declared explicitly, but the system was not designed to declare it. This is why the public Internet is highly effective for open communication but simultaneously creates a huge network attack surface.
DDoS attacks exploit this surface exposure in several ways. Volumetric attacks overwhelm bandwidth with sheer volume until the web server crashes. Protocol-based attacks exploit weaknesses in the way networks communicate, overwhelming servers with half-open connections; the typical example is the SYN flood, in which attackers initiate thousands of fake connection requests that never complete, leaving systems stuck. Application-based attacks flood websites with an avalanche of seemingly legitimate requests designed to paralyze services. CISA describes DDoS as multiple machines operating together to attack a target, overwhelming the target’s ability to respond.
Recent incidents show that DDoS attacks are still effective because critical public-facing systems remain reachable by design. In February 2026, Deutsche Bahn said a DDoS attack disrupted its website, DB Navigator app, and timetable information services, affecting customers trying to search connections and book tickets. Around the same time, Italian authorities reported DDoS activity attributed to the pro-Russian group Noname057(16), targeting Winter Olympics-related websites and hotels tied to the Milano Cortina 2026 Games. In both cases, the attackers did not need to breach an internal system to create disruption. They exploited the fact that essential digital services were visible and accessible from the open Internet. Website protection matters more than ever, as explained in the blog “How to secure web services anywhere with SCION and Anapaya GATE.”
These cases fit a preexisting pattern. As our DDoS infographic shows, some of the most famous DDoS attacks in history have repeatedly exploited the visibility of Internet-facing infrastructure, from the 2016 Dyn attack to later record-setting campaigns against Google, AWS, and Microsoft Azure. The scale has evolved from hundreds of gigabits per second to multi-terabit attacks, but the logic remains the same: if attackers can discover and reach the target, they can attack.
That is the architectural issue at the heart of DDoS: when endpoints and service paths are openly reachable, attackers do not need deep access or complex exploitation to disrupt an organization – they only need enough visibility and scale to overwhelm the exposed surface.
-> Download the full DDoS infographic of attacks over time here
Why traditional DDoS defenses are not enough
Let’s look at the most common solutions to mitigate DDoS attacks and their shortfalls.
- Scrubbing centers divert attack traffic to specialized filtering infrastructure, separating malicious packets from legitimate ones before forwarding clean traffic to its destination. In theory this works; in practice, it is inherently reactive. Mitigation only begins after the attack is detected and traffic is rerouted, meaning a window of disruption is part of the architecture. Add enterprise-level costs that can run into thousands per month, imperfect classification that lets sophisticated traffic slip through, and the very real risk of vendor concentration: if a major scrubbing provider goes down, it can take large portions of the Internet with it. Providers of this service include Cloudflare, Akamai, Arbor, and ISP DDoS protection offerings.
- CDN-based protection distributes traffic across geographically dispersed nodes, reducing the impact of volumetric attacks on any single point. This works well for web application traffic but offers little to no protection for non-HTTP services, private WAN connectivity, or infrastructure that cannot be placed behind a CDN. It's a partial solution presented as a complete one.
- Rate limiting and IP-based blocking at the ISP or network edge can blunt volumetric impact but are easily circumvented by botnet-driven attacks that distribute traffic across thousands or millions of source IPs. Blocking at scale also introduces collateral damage, that is, legitimate users caught in the crossfire.
- Firewalls and VPNs compound the problem rather than solve it. They are access control tools, not DDoS mitigation tools. VPN hubs are themselves Internet-facing endpoints with significant attack surface, increasingly targeted through AI-accelerated zero-day exploitation, which further undermines their value as a defense mechanism.
These methods share the same approach: expose, then defend. The endpoint is visible; protection is layered on top. A fundamentally different model starts from the opposite assumption that infrastructure should be invisible to attackers in the first place, eliminating the attack surface before any traffic control is needed.
How SCION reduces the network attack surface
SCION rebuilds the connectivity model from the ground up, reducing the attack surface of enterprise network infrastructure and web services and applications. Our SCION-powered solutions do this by intentionally limiting endpoint and path visibility to authorized participants. Since only selected entities are allowed to see endpoints, the likelihood that someone within this approved network would launch a volumetric attack is greatly limited. And on the off chance that they do, on the SCION Internet, the IP address of the perpetrator could easily be traced to its origin.
SCION also improves BGP hijacking prevention by replacing implicit trust with cryptographically verified path control. In a standard IP network, routing information is globally propagated via BGP: anyone can look up which IP prefixes are reachable and begin sending traffic to them. SCION replaces this with cryptographically verified path segments, and with Secure Access Groups, visibility is restricted and access is explicitly granted, not globally advertised by default. If an attacker cannot discover a path to your endpoint, they cannot target it, since a DDoS attack requires a destination.
Let’s look at how to reduce network attack surface with SCION across two specific use cases: enterprise network infrastructure and web services and applications.
Use case 1: Enterprise WAN
For enterprise WAN connectivity, SCION's Secure Access Group, a feature of Anapaya EDGE, operationalizes this principle directly. Organizations can register network paths that are visible only to explicitly authorized participants, authenticated at the SCION Autonomous System level via cryptographic certificates. From the perspective of the public Internet, these paths simply do not exist. There is no publicly advertised endpoint to discover or flood. A botnet generating terabits of traffic has nothing to aim at.
This invite-only model also addresses BGP hijacking: since path segments are cryptographically signed and access-controlled, an attacker cannot inject false routing information to intercept or redirect traffic.
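The two properties described above (paths visible only to group members, and forged path information rejected because segments are signed) can be illustrated with a small model. This is an added, deliberately simplified example, not SCION’s or Anapaya’s code: HMAC with a per-AS key stands in for the certificate-based signing, and the AS names, keys, and access group are constructed.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Simplified model (not the real SCION protocol): a path segment is published by
# the origin AS, signed with a key only that AS holds, and tagged with the set of
# member ASes allowed to discover it. Non-members see no path at all.

@dataclass(frozen=True)
class PathSegment:
    origin_as: str        # AS that owns the destination endpoint
    hops: tuple           # hop list toward the origin, e.g. ("AS-ISP1", "AS-ENT")
    members: frozenset    # access group: ASes allowed to discover this path
    signature: bytes

def sign(key: bytes, origin_as: str, hops: tuple, members: frozenset) -> bytes:
    msg = "|".join([origin_as, *hops, *sorted(members)]).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class PathRegistry:
    def __init__(self, keys: dict):
        self.keys = keys            # origin AS -> signing key (the trust anchor)
        self.segments: list = []

    def publish(self, seg: PathSegment) -> bool:
        key = self.keys.get(seg.origin_as)
        if key is None:
            return False            # unknown origin: nothing to verify against
        expected = sign(key, seg.origin_as, seg.hops, seg.members)
        if not hmac.compare_digest(expected, seg.signature):
            return False            # forged (hijack-style) segment is rejected
        self.segments.append(seg)
        return True

    def lookup(self, requester_as: str, destination_as: str) -> list:
        # Only group members can discover paths; outsiders get an empty answer.
        return [s.hops for s in self.segments
                if s.origin_as == destination_as and requester_as in s.members]

# Constructed demo data: one enterprise AS, one authorized branch AS.
KEYS = {"AS-ENT": b"constructed-enterprise-key"}
GROUP = frozenset({"AS-ENT", "AS-BRANCH"})

def demo() -> dict:
    reg = PathRegistry(KEYS)
    hops = ("AS-ISP1", "AS-ENT")
    good = PathSegment("AS-ENT", hops, GROUP, sign(KEYS["AS-ENT"], "AS-ENT", hops, GROUP))
    # An attacker tries to inject a segment that would make it a group member.
    forged = PathSegment("AS-ENT", ("AS-EVIL", "AS-ENT"), frozenset({"AS-EVIL"}), b"\x00" * 32)
    return {"published": reg.publish(good), "forged_rejected": not reg.publish(forged),
            "member_sees": reg.lookup("AS-BRANCH", "AS-ENT"),
            "outsider_sees": reg.lookup("AS-BOTNET", "AS-ENT")}
```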
Read more about this in our blog “SCION as an alternative to MPLS, SD-WAN, and VPNs.”
Use case 2: Web service or application
For public-facing services, instead of announcing service endpoints to the entire Internet, organizations using Anapaya GATE can select exactly which SCION-enabled ISPs their endpoints are visible to, and only those ISPs’ users are allowed to reach the service. Beyond them, the endpoint is invisible.
Moreover, the GATE operates at the network level on the SCION Internet. GATE traffic is controlled at the ISP level: incoming and outgoing traffic is allowlisted before it reaches the customer network. By allowing traffic to a service only from trusted ISPs and selected GATEs, malicious traffic is prevented from reaching the server, which gives the server a higher level of security. The service is also invisible to the rest of the Internet. Since Anapaya GATE makes a network invisible to anyone outside the trusted ISPs within the SCION network, it also renders IP spoofing impossible.
A four-month honeypot study conducted over the SCION Internet demonstrated attack surface reduction of up to 99.99% compared to conventional IP exposure. That is not a marginal improvement in filtering; it is the difference between an endpoint that exists as a target and one that does not.
What does this mean for enterprise network resilience?
Attack surface reduction is a story about security and resilience. By eliminating the exposure of endpoints that DDoS attacks target, SCION counters one of the primary causes of unplanned network downtime for enterprise WAN and web service connections.
Network resilience is more than just ensuring business continuity; it has become a strategic imperative for business and critical infrastructure operators alike. So much so that governments worldwide are now enforcing regulations such as DORA and NIS2 to ensure the resilience of mission-critical sectors upon which the rest of us depend, and which face the most severe cyberattacks, as explained in our blog “Top 5 critical infrastructure attacks.” This starts with reducing the attack surface of endpoints – by making them invisible to cyberattacks like DDoS.
The conversation around sovereignty is also tied to resilience: a technology stack that is diverse in provider composition lets a business reduce concentration risk by diversifying its providers, which supports long-term sustainability.
SCION offers the benefits of an architecture that is both multi-path and multi-provider. If a path fails, traffic is redirected to another path in under a second, and an outage at one ISP does not interrupt connectivity.
By reducing exposure, diversifying paths, and removing single points of failure, SCION helps enterprises stay reachable to trusted users while remaining significantly harder for attackers to target. In short, SCION turns resilience into an architectural property rather than a reactive response.
Frequently Asked Questions
What is attack surface reduction in network security?
Attack surface reduction is a proactive security approach that minimizes the number of entry points available to attackers. In networking, this means making infrastructure invisible to unauthorized entities rather than defending visible endpoints after an attack begins.
Can SCION prevent DDoS attacks?
SCION prevents most DDoS attacks by eliminating the visibility of network endpoints and path information. SCION Secure Access Groups, a feature of Anapaya EDGE, makes enterprise WANs invisible to unauthorized entities, so attackers cannot discover targets for volumetric DDoS attacks. This is architectural prevention, not mitigation. The Anapaya GATE solution reduced attack surface by up to 99.99%.
How is SCION different from traditional DDoS protection?
Traditional DDoS protection relies on scrubbing centers and rate limiting that activate after an attack reaches the network. SCION removes the attack surface so that traffic from unauthorized sources never reaches the enterprise network in the first place.
What are the most famous DDoS attacks?
Notable DDoS attacks include the 2016 Dyn attack that disrupted major Internet services, the 2018 GitHub attack that peaked at 1.35 Tbps, and the 2020 AWS attack that reached 2.3 Tbps. These demonstrate how exposed Internet infrastructure can be overwhelmed by volumetric attacks.
In the third quarter of 2025, Cloudflare mitigated the largest DDoS attack ever reported, at 29.7 terabits per second (Tbps).
Does SCION replace a firewall?
No. SCION complements firewalls by reducing the attack surface at the network routing layer. Firewalls continue to inspect traffic at the perimeter, while SCION reduces the attack surface of the network, significantly lowering the risk that unauthorized traffic reaches the perimeter in the first place. Together, they provide layered defense.