Stop the botnet at the subscriber's port — not after it floods your core
The defining DDoS problem on an access network in 2026 is no longer only what arrives from transit. It is the hundreds of thousands of hijacked home routers and IoT devices flooding outward — saturating uplinks, exhausting the BNG and CGNAT state tables, and getting the operator's own IP ranges blocklisted. BNGSOFT puts DDoS defence inside the access BNG itself, on an XDP/eBPF data plane: an inbound autoblock prefilter against incoming floods, and outbound botnet containment that catches a compromised line and rate-limits it at the very port it starts from — with no separate scrubbing appliance and no per-Gbps mitigation licence.
In the BNG (no separate scrubber): defence runs in the access data plane on XDP, with nothing to backhaul and no extra box.
Both ways (inbound + outbound): autoblock incoming floods, and contain compromised-CPE botnets leaving your network.
Per subscriber (every line): detection and mitigation are per-port, not aggregate prefixes after the damage is done.
No per-Gbps (commodity x86): protection scales with the box you already run, not a metered mitigation bill.
The classic scrubbing model watches traffic coming in from transit. But the 2026 flood is born on your own subscriber lines — and by the time it reaches a scrubbing centre, it has already filled your uplink and your NAT tables. The cheapest packet to drop is the one you drop at the port it came from.
The threat moved onto your access ports
Through 2025–2026 a single IoT botnet family outcompeted essentially all others by enlisting ~300,000 compromised consumer routers, cameras and DVRs and pointing them outward. The operational damage lands on the access operator hosting the infected devices:
What happens: outbound floods from your own subscribers
- Record outbound floods exceeding 1.5 Tbps launched from end-customer premises.
- High-volume UDP/SYN floods exhaust BNG and CGNAT state tables: each attack flow to a fresh destination or port claims a NAT mapping or connection-tracking entry, so the tables fill with attack flows and legitimate sessions on the same node start failing to get one.
- Transit links choke on outbound garbage; adjacent, innocent subscribers on the same node degrade.
- The operator's AS / IP ranges land on global blocklists, a reputation cost that outlasts the attack.
Why the old model misses it: scrubbing is built for the wrong direction
- Dedicated scrubbing is positioned at the peering / transit edge to clean traffic arriving from outside.
- An outbound botnet flood is already inside your network: it has to cross your access ports and your core before it ever reaches a scrubber.
- Per-prefix aggregate views don't pinpoint which subscriber line is the source, and behind CGNAT the public address a victim reports is shared by many lines.
- The fix the industry recommends: drop it at your own edge, at the first hop.
Two directions, one data plane — defence on the subscriber port itself
Incoming floods are dropped by the inbound autoblock prefilter before they reach subscribers. A compromised line flooding outward is detected and quarantined at its own port — so the garbage never fills the NAT tables, never saturates the uplink, and never leaves under your IP range.
What runs in the data plane
Every control below executes in the XDP/eBPF fast path on the BNG itself — no appliance, no flow export round-trip, no scrubbing-centre backhaul.
Inbound · DDoS autoblock prefilter: per-source packet-rate accounting in XDP; a source crossing the threshold is auto-added to a blocklist and dropped at line rate. Protects the box and its subscribers from incoming floods without a flow-export detour. One caveat a practitioner should keep in mind: a per-source threshold only bites on floods that carry real source addresses. A spoofed flood spreads itself across addresses that each stay under the threshold, and an attacker who can spoof can also push a legitimate address over it. The prefilter is the first filter, not the whole inbound defence.
Outbound · volume · Volumetric flood → quarantine: a subscriber generating a sustained high-rate outbound flood is scored in the data plane and escalated. Catches the classic Aisuru-style high-volume blast from a single line.
Outbound · spread · Fan-out scanner → quarantine (wired to quarantine in v3.5.11): a compromised CPE hitting many distinct destinations at a high SYN rate is flagged at volumes too low for the volumetric path to notice, and now feeds the same quarantine system.
Source validation · Anti-spoof (BCP38): ingress source-address validation (RFC 2827 / BCP 38) so a subscriber cannot send packets carrying another network's addresses — the MANRS baseline. Removes the spoofed-source reflection vector at the access edge.
Rate ceilings · UDP-PPS & connection rate: per-subscriber UDP packets-per-second and new-connection-rate ceilings bound the blast a single line can produce; the connection-rate ceiling also caps how fast one line can consume CGNAT mappings.
Self-protection · Upload-protect: always-on machine self-protection so abusive upstream traffic cannot starve the BNG's own control path.
Quarantine is a floor, not a cut. When a line is contained it is dropped to a rate-limited tier — the subscriber keeps reduced service while the abuse is throttled — and the hold auto-releases once the behaviour stops. Detection runs observe-first: an operator watches what would be actioned before enabling enforcement.
How the big platforms do it — and where BNGSOFT fits
The major router vendors deliver DDoS protection as a separate tier bolted onto the core/peering edge: a dedicated mitigation appliance or scrubbing system, an analytics platform, and capacity licensed by the gigabit.
Juniper + Corero (router + SmartWall appliance): MX-Series routers paired with the Corero SmartWall Threat Defense Director, a separate appliance filtering at the network edge, scaling 50 Gbps–40 Tbps.
Nokia Deepfield Defender (routers + dedicated scrubbers): uses IP routers as first-line instruments, then orchestrates dedicated scrubbing systems (e.g. the 7750 Defender Mitigation System) plus the Deepfield analytics platform for advanced attacks.
These are formidable platforms for transit-edge volumetric absorption. But they are positioned to clean traffic arriving from outside, at aggregate scale, on separate hardware with metered capacity — a different job, in a different place, from stopping a hijacked subscriber line at its own port.
| Dimension | Traditional scrubbing stack | BNGSOFT edge-in-BNG |
|---|---|---|
| Where it sits | Peering / transit edge — appliance + scrubbing centre | Inside the access BNG, on the subscriber port |
| Primary direction | Inbound / transit volumetric | Inbound prefilter + outbound botnet at the source |
| Extra hardware | Dedicated DDoS appliance / scrubber alongside the router | None — same commodity BNG, in XDP |
| Granularity | Aggregate flows / prefixes | Per subscriber, per line |
| Licensing model | Per-Gbps mitigation capacity + analytics | Included; scales with the box |
| Aisuru-class outbound | Scrubbed only after it has crossed the core and been backhauled | Contained at first hop — protects your own tables |
The fair comparison. For multi-Tbps transit-edge volumetric absorption against external attackers, dedicated scrubbing platforms — Corero, Nokia Deepfield, NETSCOUT Arbor — operate at a scale a single access BNG does not replace, and a large operator should run them. BNGSOFT's edge protection is complementary, not a substitute: it stops abuse at the subscriber source, shields the BNG and CGNAT state tables, and cuts the volume that ever reaches — or leaves through — your core. The strongest posture is both: edge containment at the access tier, core scrubbing for the transit tier. What BNGSOFT removes is the need for a separate box and a per-Gbps licence to do the access-edge part.
Where the cost goes (illustrative — the access-edge DDoS function, not a price quote)
The traditional model stacks a dedicated appliance, a scrubbing/analytics tier and per-gigabit licensing on top of the router to cover the edge. BNGSOFT folds the access-edge DDoS function into the BNG you already run — one box, in software.
Part of the BNGSOFT edge-security suite
DDoS containment sits alongside the rest of the data-plane security and intelligence BNGSOFT already runs:
Flow telemetry: passive per-flow loss and access/transit RTT measured in XDP, the same telemetry that spots anomalies.
Autonomous QoE: learns each subscriber's own normal and flags the lines that drift, with no fixed thresholds.
Drop the packet where it's cheapest — at the port it came from
The 2026 botnet problem is an access-edge problem: the floods originate on subscriber lines, exhaust the BNG and CGNAT tables, and damage the operator's reputation before any core scrubber sees them. BNGSOFT answers it in the BNG — inbound autoblock and outbound containment, per subscriber, on commodity x86, with the proven safety pattern of observe-first and a rate-limit floor rather than a hard cut.
Run it alongside your transit-edge scrubbing, not instead of it — edge containment plus core absorption is the complete posture. What you don't need is a separate appliance and a per-Gbps licence to cover the access edge.
Want the deep dive? We'll walk through the detection signals, the quarantine lifecycle, and the observe-to-enforce rollout on a node running real traffic.
Sources & honest framing: This is a security and operations brief, not a benchmark report; no throughput, mitigation-capacity, or price figures are claimed for BNGSOFT. Threat context (a ~300,000-device consumer IoT botnet driving record outbound floods exceeding 1.5 Tbps from end-customer premises, exhausting BNG/CGNAT state tables, degrading adjacent subscribers, and causing operator IP-range blocklisting) reflects publicly reported 2025–2026 industry observations. Competitor descriptions reflect each vendor's own public positioning: the Juniper + Corero joint solution pairs MX-Series routers with the Corero SmartWall Threat Defense Director appliance (publicly stated scaling 50 Gbps–40 Tbps); Nokia Deepfield Defender uses IP routers as first-line instruments and orchestrates dedicated scrubbing systems (e.g. the 7750 Defender Mitigation System) with the Deepfield analytics platform. These are capable, large-scale transit-edge platforms and the brief positions BNGSOFT's access-edge protection as complementary to, not a replacement for, dedicated scrubbing. BNGSOFT data-plane controls referenced — inbound DDoS autoblock prefilter, volumetric outbound-flood scoring with auto-quarantine, fan-out scanner detection wired to quarantine (v3.5.11), anti-spoof (BCP38) source-address validation, per-subscriber UDP-PPS and connection-rate ceilings, and always-on upload self-protection — are implemented features; enforcement actions default to observe-first and quarantine applies a rate-limit floor (not a disconnect) with automatic release. The diagrams are conceptual and illustrate architecture, not measured results. Related per-topic briefs — Flow Intelligence, Autonomous QoE, CGNAT Arena, Subscriber Experience — are available alongside this guide.