
What 'Clean Traffic Filtering' Means in Modern Networks

Clean traffic filtering (also called traffic scrubbing) refers to separating legitimate traffic from attack traffic and forwarding only the clean traffic to its destination. The term comes from the idea of passing traffic through a 'scrubbing center' that strips out the bad packets.

Where it happens

  • Network-level scrubbing: BGP reroutes traffic to scrubbing centers during an attack. Attack traffic is dropped; clean traffic is forwarded via GRE tunnel or direct routing.
  • Edge proxy filtering: a reverse proxy inspects traffic at the application layer, scoring and dropping requests that match attack patterns before they reach origin.
  • On-host filtering: eBPF/XDP programs on the server itself drop malformed or rate-limit-exceeding packets at the NIC level, before the kernel network stack processes them.

What gets filtered

At Layer 3/4: malformed packets, spoofed source IPs, SYN floods, and amplification/reflection traffic. At Layer 7: requests matching WAF signatures, clients exceeding rate limits, sessions with bot-like behavioral scores, and known malicious IP ranges.
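As an added illustration (not code from this post or from any product), the sketch below applies three of the Layer 7 criteria above, blocked IP ranges, per-client rate limits, and signature matches, to a short stream of requests and forwards only what passes. The ranges, signatures, limits, and sample requests are constructed for the example, and behavioral scoring is left out.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Constructed policy values (documentation address ranges, toy signatures).
BLOCKED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
WAF_SIGNATURES = [re.compile(r"(?i)union\s+select"), re.compile(r"\.\./")]
RATE_LIMIT = 5         # requests allowed per client ...
WINDOW_SECONDS = 1.0   # ... inside this sliding window

class EdgeFilter:
    """Per-request decision: forward to origin, or drop with a reason."""
    def __init__(self):
        self._seen = defaultdict(deque)  # client IP -> timestamps in the window

    def verdict(self, client_ip, path, now):
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in BLOCKED_RANGES):  # cheapest check first
            return "drop:blocked-range"
        window = self._seen[client_ip]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()             # expire timestamps outside the window
        window.append(now)               # dropped requests still count as load
        if len(window) > RATE_LIMIT:
            return "drop:rate-limit"
        if any(sig.search(path) for sig in WAF_SIGNATURES):
            return "drop:waf-signature"
        return "forward"

def scrub(requests):
    """Split (ip, path, time) tuples into clean traffic and drop counts."""
    edge, clean, dropped = EdgeFilter(), [], defaultdict(int)
    for ip, path, ts in requests:
        result = edge.verdict(ip, path, ts)
        if result == "forward":
            clean.append((ip, path, ts))
        else:
            dropped[result] += 1
    return clean, dict(dropped)

# Constructed sample traffic, in arrival order.
SAMPLE = (
    [("198.51.100.7", "/index.html", 0.0), ("203.0.113.50", "/", 0.05)]
    + [("198.51.100.9", "/api", 0.1 + 0.1 * i) for i in range(8)]  # burst
    + [("198.51.100.7", "/item?id=1 UNION SELECT 1", 0.9),
       ("198.51.100.9", "/api", 2.5)]                               # after burst
)

if __name__ == "__main__":
    clean, dropped = scrub(SAMPLE)
    print(len(clean), "forwarded;", dropped)
```

The client that burst past the limit is forwarded again once its window has emptied, so the filter drops the excess rather than banning the address.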

The latency trade-off

Routing traffic through a scrubbing center adds latency. Always-on edge filtering (like a reverse proxy) avoids this by sitting permanently in the traffic path rather than only engaging during an attack.