Edge DDoS Protection · in-BNG on XDP · inbound autoblock + outbound botnet containment
Security Brief · Edge DDoS Protection

Stop the botnet at the subscriber's port — not after it floods your core

The defining DDoS problem on an access network in 2026 is no longer only what arrives from transit. It is the hundreds of thousands of hijacked home routers and IoT devices flooding outward — saturating uplinks, exhausting the BNG and CGNAT state tables, and getting the operator's own IP ranges blocklisted. BNGSOFT puts DDoS defence inside the access BNG itself, on an XDP/eBPF data plane: an inbound autoblock prefilter against incoming floods, and outbound botnet containment that catches a compromised line and rate-limits it at the very port it starts from — with no separate scrubbing appliance and no per-Gbps mitigation licence.
  • In the BNG (no separate scrubber): defence runs in the access data plane on XDP — nothing to backhaul, no extra box.
  • Both ways (inbound + outbound): autoblock incoming floods, and contain compromised-CPE botnets leaving your network.
  • Per subscriber (every line): detection and mitigation are per-port — not aggregate prefixes after the damage.
  • No per-Gbps (commodity x86): protection scales with the box you already run, not a metered mitigation bill.
The classic scrubbing model watches traffic coming in from transit. But the 2026 flood is born on your own subscriber lines — and by the time it reaches a scrubbing centre, it has already filled your uplink and your NAT tables. The cheapest packet to drop is the one you drop at the port it came from.

The threat moved onto your access ports

Through 2025–2026 a single IoT botnet family outcompeted essentially all others by enlisting ~300,000 compromised consumer routers, cameras and DVRs and pointing them outward. The operational damage lands on the access operator hosting the infected devices:

What happens

Outbound floods from your own subscribers

  • Record outbound floods exceeding 1.5 Tbps launched from end-customer premises.
  • High-volume UDP/SYN floods exhaust BNG and CGNAT state tables — the connection-tracking memory fills with attack flows.
  • Transit links choke on outbound garbage; adjacent, innocent subscribers on the same node degrade.
  • The operator's AS / IP ranges land on global blocklists — a reputation cost that outlasts the attack.
Why the old model misses it

Scrubbing is built for the wrong direction

  • Dedicated scrubbing is positioned at the peering / transit edge to clean traffic arriving from outside.
  • An outbound botnet flood is already inside your network — it has to cross your access ports and your core before it ever reaches a scrubber.
  • Per-prefix aggregate views don't pinpoint which subscriber line is the source.
  • The fix the industry recommends: drop it at your own edge, at the first hop.
Two directions, one data plane — defence on the subscriber port itself
[Diagram: subscriber CPE (home routers · IoT) → BNGSOFT BNG (XDP / eBPF data plane) → Internet (transit · peers). Inbound autoblock prefilter: incoming flood dropped, clean traffic only reaches subscribers. Outbound volumetric + fan-out detect → quarantine: compromised CPE flood rate-limited at source. Protects: NAT tables · uplink · IP reputation · neighbours.]
Incoming floods are dropped by the inbound autoblock prefilter before they reach subscribers. A compromised line flooding outward is detected and quarantined at its own port — so the garbage never fills the NAT tables, never saturates the uplink, and never leaves under your IP range.

What runs in the data plane

Every control below executes in the XDP/eBPF fast path on the BNG itself — no appliance, no flow export round-trip, no scrubbing-centre backhaul.

Inbound

DDoS autoblock prefilter

  • Per-source packet-rate accounting in XDP; a source crossing the threshold is auto-added to a blocklist and dropped at line rate.
  • Protects the box and its subscribers from incoming floods without a flow-export detour.
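As an added illustration (not BNGSOFT code and not its eBPF program), the following user-space C model shows the shape of the per-source accounting described above: a hash table standing in for the BPF map, a fixed one-second window, a threshold of 10,000 packets per window, and a 60-second blocklist hold that expires on its own. The addresses, window, threshold and hold time are all constructed for the example.

```c
/* User-space model of the inbound autoblock prefilter: per-source packet-rate
 * accounting in a fixed window; a source that crosses the threshold goes onto
 * a blocklist whose entries expire on their own.  Added example, not BNGSOFT
 * code; the window, threshold, hold time and addresses are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define NS_PER_S      1000000000ULL
#define WINDOW_NS     NS_PER_S              /* 1 s accounting window */
#define PPS_THRESHOLD 10000                 /* packets per window before autoblock */
#define BLOCK_TTL_NS  (60ULL * NS_PER_S)    /* blocklist hold: 60 s */
#define TABLE_SIZE    4096                  /* stand-in for a BPF hash map */

enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };

struct src_state {
    uint32_t saddr;         /* IPv4 source, network order; 0 marks an empty slot */
    uint64_t window_start;  /* start of the current accounting window */
    uint32_t pkts;          /* packets counted in that window */
    uint64_t blocked_until; /* 0 = not on the blocklist */
};

static struct src_state table[TABLE_SIZE];

void prefilter_reset(void) { memset(table, 0, sizeof table); }

/* Open-addressing lookup standing in for bpf_map_lookup_elem()/update_elem(). */
static struct src_state *lookup_or_insert(uint32_t saddr)
{
    uint32_t h = (saddr * 2654435761u) % TABLE_SIZE;
    for (uint32_t i = 0; i < TABLE_SIZE; i++) {
        struct src_state *s = &table[(h + i) % TABLE_SIZE];
        if (s->saddr == saddr || s->saddr == 0) { s->saddr = saddr; return s; }
    }
    return NULL;
}

/* One inbound packet from saddr at now_ns; returns the XDP-style verdict. */
enum verdict prefilter_packet(uint32_t saddr, uint64_t now_ns)
{
    struct src_state *s = lookup_or_insert(saddr);
    if (!s) return VERDICT_PASS;            /* map full: do not fail closed on every flow */

    if (s->blocked_until) {
        if (now_ns < s->blocked_until) return VERDICT_DROP;  /* hold still active: one lookup, drop */
        s->blocked_until = 0;               /* hold expired: release and start a clean window */
        s->window_start = now_ns;
        s->pkts = 0;
    }
    if (now_ns - s->window_start >= WINDOW_NS) {  /* roll the fixed window */
        s->window_start = now_ns;
        s->pkts = 0;
    }
    if (++s->pkts > PPS_THRESHOLD) {        /* crossing the threshold creates the blocklist entry */
        s->blocked_until = now_ns + BLOCK_TTL_NS;
        return VERDICT_DROP;
    }
    return VERDICT_PASS;
}

/* Is saddr currently held on the blocklist? (Inserts an empty entry for unknown sources.) */
bool is_blocked(uint32_t saddr, uint64_t now_ns)
{
    struct src_state *s = lookup_or_insert(saddr);
    return s && s->blocked_until && now_ns < s->blocked_until;
}

/* Constructed burst: n packets from saddr at one instant; returns how many were dropped. */
unsigned send_burst(uint32_t saddr, unsigned n, uint64_t now_ns)
{
    unsigned drops = 0;
    for (unsigned i = 0; i < n; i++)
        drops += (prefilter_packet(saddr, now_ns) == VERDICT_DROP);
    return drops;
}

int main(void)
{
    const uint32_t flood = 0xC6336401u;  /* 198.51.100.1, constructed flood source */
    const uint32_t quiet = 0xC6336402u;  /* 198.51.100.2, constructed normal source */
    prefilter_reset();
    printf("flood burst of 12000: %u dropped\n", send_burst(flood, 12000, 0));
    printf("quiet burst of 100:   %u dropped\n", send_burst(quiet, 100, 0));
    printf("flood held at 30 s: %s\n", is_blocked(flood, 30 * NS_PER_S) ? "yes" : "no");
    printf("flood held at 61 s: %s\n", is_blocked(flood, 61 * NS_PER_S) ? "yes" : "no");
    return 0;
}
```

Two things the model makes visible: the packet that crosses the threshold is the one that creates the blocklist entry, and a held source is dropped on a single map lookup without touching its counter until the hold expires, which is what keeps the per-packet cost of the prefilter flat under a flood.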
Outbound · volume

Volumetric flood → quarantine

  • A subscriber generating a sustained high-rate outbound flood is scored in the data plane and escalated.
  • Catches the classic Aisuru-style high-volume blast from a single line.
Outbound · spread

Fan-out scanner → quarantine (v3.5.11)

  • A compromised CPE hitting many distinct destinations at high SYN rate is flagged — even at low volume the volumetric path would miss.
  • Now auto-feeds the same quarantine system (newly wired).
Source validation

Anti-spoof (BCP38)

  • Ingress source-address validation so a subscriber cannot spoof another network's addresses — the MANRS baseline.
  • Removes the spoofed-source reflection vector at the access edge.
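As an added example (not BNGSOFT code), this user-space C model shows what BCP38 validation at the subscriber port amounts to: each session carries the prefixes the BNG itself assigned or delegated to it, and an upstream packet is forwarded only if its source falls inside one of them. The sessions and addresses below are constructed (RFC 5737 / RFC 3849 documentation ranges); a real fast path would compare header bytes rather than text, which the textual interface here only stands in for.

```c
/* User-space model of BCP38 ingress source-address validation at the
 * subscriber port: a packet is accepted only if its source lies inside a
 * prefix the BNG assigned or delegated to that subscriber session.
 * Added example, not BNGSOFT code; the sessions and addresses are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

#define MAX_PREFIXES 4

struct prefix {
    int     family;    /* AF_INET or AF_INET6 */
    uint8_t len;       /* prefix length in bits */
    uint8_t addr[16];  /* network-order address bytes (first 4 used for IPv4) */
};

/* One subscriber session: prefixes learned from address assignment (framed IPv4
 * address, delegated IPv6 prefix) plus a counter that surfaces a spoofing line. */
struct session {
    struct prefix assigned[MAX_PREFIXES];
    unsigned nassigned;
    uint64_t spoofed;  /* packets that failed validation on this port */
};

void session_init(struct session *s) { memset(s, 0, sizeof *s); }

/* Register an assigned/delegated prefix; returns false on a bad address or length. */
bool session_add_prefix(struct session *s, int family, const char *text, unsigned len)
{
    if (s->nassigned >= MAX_PREFIXES) return false;
    if (len > (family == AF_INET ? 32u : 128u)) return false;
    struct prefix *p = &s->assigned[s->nassigned];
    if (inet_pton(family, text, p->addr) != 1) return false;
    p->family = family;
    p->len = (uint8_t)len;
    s->nassigned++;
    return true;
}

/* Does addr (of the given family) fall within p?  Compares the first p->len bits,
 * handling a prefix length that ends part-way through a byte (e.g. /25, /56). */
static bool in_prefix(const struct prefix *p, int family, const uint8_t *addr)
{
    if (p->family != family) return false;
    unsigned full = p->len / 8, rem = p->len % 8;
    if (memcmp(p->addr, addr, full) != 0) return false;
    if (rem == 0) return true;
    uint8_t mask = (uint8_t)(0xFFu << (8 - rem));
    return (p->addr[full] & mask) == (addr[full] & mask);
}

/* Verdict for one upstream packet: true = forward, false = drop as spoofed.
 * Every failure is counted so the operator can see which line is spoofing,
 * which is also what an observe-first rollout would report before enforcing. */
bool bcp38_check(struct session *s, int family, const char *src_text)
{
    uint8_t src[16];
    if (inet_pton(family, src_text, src) == 1)
        for (unsigned i = 0; i < s->nassigned; i++)
            if (in_prefix(&s->assigned[i], family, src)) return true;
    s->spoofed++;
    return false;
}

int main(void)
{
    struct session s;
    session_init(&s);
    session_add_prefix(&s, AF_INET,  "192.0.2.10",    32);  /* framed IPv4 address */
    session_add_prefix(&s, AF_INET6, "2001:db8:1::",  56);  /* delegated IPv6 prefix */
    printf("192.0.2.10        -> %s\n", bcp38_check(&s, AF_INET,  "192.0.2.10")       ? "forward" : "drop");
    printf("198.51.100.7      -> %s\n", bcp38_check(&s, AF_INET,  "198.51.100.7")     ? "forward" : "drop");
    printf("2001:db8:1:42::1  -> %s\n", bcp38_check(&s, AF_INET6, "2001:db8:1:42::1") ? "forward" : "drop");
    printf("2001:db8:2::1     -> %s\n", bcp38_check(&s, AF_INET6, "2001:db8:2::1")    ? "forward" : "drop");
    printf("spoofed packets on this port: %llu\n", (unsigned long long)s.spoofed);
    return 0;
}
```

The per-session counter is the operational half of the control: a line whose spoofed count climbs is either misconfigured or compromised, and it shows up by port rather than as an anonymous contribution to a reflected attack seen somewhere else.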
Rate ceilings

UDP-PPS & connection rate

  • Per-subscriber UDP packets-per-second and new-connection-rate ceilings bound the blast a single line can produce.
Self-protection

Upload-protect

  • Always-on machine self-protection so abusive upstream traffic cannot starve the BNG's own control path.
Quarantine is a floor, not a cut. When a line is contained it is dropped to a rate-limited tier — the subscriber keeps reduced service while the abuse is throttled — and the hold auto-releases once the behaviour stops. Detection runs observe-first: an operator watches what would be actioned before enabling enforcement.
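The outbound volume and fan-out detectors above and the quarantine lifecycle in this paragraph fit in one model, added here as an example that is not BNGSOFT code: a per-subscriber window counts packets, SYNs and distinct destinations; either detector fires on the offered load; in observe mode a firing is only recorded, in enforce mode it moves the line to a token-bucket floor (the same shape a per-subscriber UDP-PPS ceiling takes); and the hold releases itself once no detector has fired for a set time. All thresholds, the floor rate, the release timer, the subscriber numbers and the bursts are constructed.

```c
/* User-space model of outbound botnet containment on the subscriber port:
 * a fan-out detector (many distinct destinations at high SYN rate) and a
 * volumetric detector feed one quarantine state machine with observe-first
 * mode, a rate-limit floor and automatic release.  Added example, not
 * BNGSOFT code; thresholds, floor, release timer and the trace are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define NS_PER_S       1000000000ULL
#define WINDOW_NS      NS_PER_S             /* 1 s detection window */
#define VOLUME_PPS     50000                /* volumetric: packets/window from one line */
#define FANOUT_DSTS    64                   /* fan-out: distinct destinations/window ... */
#define FANOUT_SYNS    200                  /* ... together with this many SYNs/window */
#define FLOOR_PPS      100                  /* what a contained line still gets */
#define RELEASE_AFTER  (30ULL * NS_PER_S)   /* auto-release after 30 s without a signal */
#define MAX_SUBS       256                  /* stand-in for the BNG session table */

enum mode    { MODE_OBSERVE, MODE_ENFORCE };
enum verdict { PASS = 0, DROP = 1 };
enum reason  { NONE = 0, VOLUMETRIC, FANOUT };

struct sub_state {
    uint64_t window_start;
    uint32_t pkts, syns;
    uint32_t dsts[FANOUT_DSTS], ndsts;  /* distinct destinations this window (capped) */
    bool     quarantined;
    uint64_t last_signal;               /* last time a detector fired for this line */
    uint64_t floor_tokens, floor_last;  /* token bucket refilled at FLOOR_PPS */
    uint32_t would_quarantine;          /* observe mode: actions recorded, not taken */
};

static struct sub_state subs[MAX_SUBS];
static enum mode g_mode = MODE_OBSERVE;   /* observe-first by default */

void     containment_reset(enum mode m) { memset(subs, 0, sizeof subs); g_mode = m; }
bool     is_quarantined(uint32_t sub)   { return subs[sub % MAX_SUBS].quarantined; }
uint32_t observe_hits(uint32_t sub)     { return subs[sub % MAX_SUBS].would_quarantine; }

static void note_dst(struct sub_state *s, uint32_t daddr)
{
    for (uint32_t i = 0; i < s->ndsts; i++) if (s->dsts[i] == daddr) return;
    if (s->ndsts < FANOUT_DSTS) s->dsts[s->ndsts++] = daddr;
}

static enum reason score(const struct sub_state *s)
{
    if (s->pkts >= VOLUME_PPS) return VOLUMETRIC;
    if (s->ndsts >= FANOUT_DSTS && s->syns >= FANOUT_SYNS) return FANOUT;  /* low volume, wide spread */
    return NONE;
}

/* Rate-limit floor: a contained line keeps FLOOR_PPS; only the excess is dropped. */
static bool floor_allows(struct sub_state *s, uint64_t now)
{
    uint64_t earned = (now - s->floor_last) * FLOOR_PPS / NS_PER_S;
    if (earned) {
        s->floor_tokens = s->floor_tokens + earned > FLOOR_PPS ? FLOOR_PPS : s->floor_tokens + earned;
        s->floor_last = now;
    }
    if (s->floor_tokens == 0) return false;
    s->floor_tokens--;
    return true;
}

/* One upstream packet from subscriber sub; returns the verdict applied at its own port. */
enum verdict outbound_packet(uint32_t sub, uint32_t daddr, bool is_syn, uint64_t now)
{
    struct sub_state *s = &subs[sub % MAX_SUBS];
    if (now - s->window_start >= WINDOW_NS) {        /* roll the detection window */
        s->window_start = now; s->pkts = s->syns = 0; s->ndsts = 0;
    }
    s->pkts++;
    if (is_syn) { s->syns++; note_dst(s, daddr); }

    enum reason r = score(s);                         /* offered load is scored, not what passes */
    if (r != NONE) {
        s->last_signal = now;
        if (!s->quarantined) {
            if (g_mode == MODE_ENFORCE) { s->quarantined = true; s->floor_tokens = FLOOR_PPS; s->floor_last = now; }
            else s->would_quarantine++;               /* observe-first: record what would be actioned */
        }
    } else if (s->quarantined && now - s->last_signal >= RELEASE_AFTER) {
        s->quarantined = false;                       /* behaviour stopped: the hold releases itself */
    }
    if (!s->quarantined) return PASS;
    return floor_allows(s, now) ? PASS : DROP;        /* a floor, not a cut */
}

/* Constructed burst: n packets at one instant; distinct picks a new destination per packet. */
unsigned send_burst(uint32_t sub, unsigned n, bool syn, bool distinct, uint64_t now)
{
    unsigned drops = 0;
    for (unsigned i = 0; i < n; i++) {
        uint32_t daddr = 0xCB007100u + (distinct ? i : 1);  /* 203.0.113.x, constructed */
        drops += (outbound_packet(sub, daddr, syn, now) == DROP);
    }
    return drops;
}

int main(void)
{
    containment_reset(MODE_OBSERVE);
    send_burst(7, 300, true, true, 0);
    printf("observe: would-quarantine hits=%u quarantined=%d\n", observe_hits(7), is_quarantined(7));
    containment_reset(MODE_ENFORCE);
    printf("enforce: fan-out burst drops=%u\n", send_burst(7, 300, true, true, 0));
    printf("enforce: second burst drops=%u\n", send_burst(7, 300, true, true, NS_PER_S / 2));
    send_burst(7, 1, false, false, NS_PER_S / 2 + 31 * NS_PER_S);
    printf("after 31 s quiet: quarantined=%d\n", is_quarantined(7));
    return 0;
}
```

Two design points are worth noticing. Detection scores the offered load before the floor is applied, so a line that keeps flooding keeps refreshing its hold and a line that stops is released after the quiet period; and the fan-out path fires at a few hundred SYNs spread over 64 destinations, a rate the volumetric threshold would never notice, which is exactly the gap the spread detector exists to close.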

How the big platforms do it — and where BNGSOFT fits

The major router vendors deliver DDoS protection as a separate tier bolted onto the core/peering edge: a dedicated mitigation appliance or scrubbing system, an analytics platform, and capacity licensed by the gigabit.

Juniper + Corero

Router + SmartWall appliance

  • MX-Series routers paired with the Corero SmartWall Threat Defense Director — a separate appliance filtering at the network edge, scaling 50 Gbps–40 Tbps.
Nokia Deepfield Defender

Routers + dedicated scrubbers

  • Uses IP routers as first-line instruments, then orchestrates dedicated scrubbing systems (e.g. the 7750 Defender Mitigation System) plus the Deepfield analytics platform for advanced attacks.

These are formidable platforms for transit-edge volumetric absorption. But they are positioned to clean traffic arriving from outside, at aggregate scale, on separate hardware with metered capacity — a different job, in a different place, from stopping a hijacked subscriber line at its own port.

Dimension             | Traditional scrubbing stack                               | BNGSOFT edge-in-BNG
----------------------|-----------------------------------------------------------|--------------------------------------------------
Where it sits         | Peering / transit edge — appliance + scrubbing centre     | Inside the access BNG, on the subscriber port
Primary direction     | Inbound / transit volumetric                              | Inbound prefilter + outbound botnet at the source
Extra hardware        | Dedicated DDoS appliance / scrubber alongside the router  | None — same commodity BNG, in XDP
Granularity           | Aggregate flows / prefixes                                | Per subscriber, per line
Licensing model       | Per-Gbps mitigation capacity + analytics                  | Included; scales with the box
Aisuru-class outbound | Scrub after it has crossed core & backhauled              | Contained at first hop — protects your own tables
The fair comparison. For multi-Tbps transit-edge volumetric absorption against external attackers, dedicated scrubbing platforms — Corero, Nokia Deepfield, NETSCOUT Arbor — operate at a scale a single access BNG does not replace, and a large operator should run them. BNGSOFT's edge protection is complementary, not a substitute: it stops abuse at the subscriber source, shields the BNG and CGNAT state tables, and cuts the volume that ever reaches — or leaves through — your core. The strongest posture is both: edge containment at the access tier, core scrubbing for the transit tier. What BNGSOFT removes is the need for a separate box and a per-Gbps licence to do the access-edge part.
Where the cost goes (illustrative — the access-edge DDoS function, not a price quote)
[Diagram: traditional access-edge DDoS = router / BNG + DDoS appliance + scrubber / analytics + per-Gbps licence. BNGSOFT edge-in-BNG = commodity BNG with DDoS in XDP, included: no extra box · no licence.]
The traditional model stacks a dedicated appliance, a scrubbing/analytics tier and per-gigabit licensing on top of the router to cover the edge. BNGSOFT folds the access-edge DDoS function into the BNG you already run — one box, in software.

Part of the BNGSOFT edge-security suite

DDoS containment sits alongside the rest of the data-plane security and intelligence BNGSOFT already runs:

Edge security

Defend

  • Anti-spoof (BCP38), inbound autoblock, outbound botnet containment, auto-quarantine.
Flow Intelligence

Measure

  • Passive per-flow loss + access/transit RTT in XDP — the same telemetry that spots anomalies.
Autonomous QoE

Decide

  • Learns each subscriber's own normal and flags the lines that drift — no fixed thresholds.

Drop the packet where it's cheapest — at the port it came from

The 2026 botnet problem is an access-edge problem: the floods originate on subscriber lines, exhaust the BNG and CGNAT tables, and damage the operator's reputation before any core scrubber sees them. BNGSOFT answers it in the BNG — inbound autoblock and outbound containment, per subscriber, on commodity x86, with the proven safety pattern of observe-first and a rate-limit floor rather than a hard cut.

Run it alongside your transit-edge scrubbing, not instead of it — edge containment plus core absorption is the complete posture. What you don't need is a separate appliance and a per-Gbps licence to cover the access edge.

Want the deep dive? We'll walk through the detection signals, the quarantine lifecycle, and the observe-to-enforce rollout on a node running real traffic.

Sources & honest framing: This is a security and operations brief, not a benchmark report; no throughput, mitigation-capacity, or price figures are claimed for BNGSOFT. Threat context (a ~300,000-device consumer IoT botnet driving record outbound floods exceeding 1.5 Tbps from end-customer premises, exhausting BNG/CGNAT state tables, degrading adjacent subscribers, and causing operator IP-range blocklisting) reflects publicly reported 2025–2026 industry observations. Competitor descriptions reflect each vendor's own public positioning: the Juniper + Corero joint solution pairs MX-Series routers with the Corero SmartWall Threat Defense Director appliance (publicly stated scaling 50 Gbps–40 Tbps); Nokia Deepfield Defender uses IP routers as first-line instruments and orchestrates dedicated scrubbing systems (e.g. the 7750 Defender Mitigation System) with the Deepfield analytics platform. These are capable, large-scale transit-edge platforms and the brief positions BNGSOFT's access-edge protection as complementary to, not a replacement for, dedicated scrubbing. BNGSOFT data-plane controls referenced — inbound DDoS autoblock prefilter, volumetric outbound-flood scoring with auto-quarantine, fan-out scanner detection wired to quarantine (v3.5.11), anti-spoof (BCP38) source-address validation, per-subscriber UDP-PPS and connection-rate ceilings, and always-on upload self-protection — are implemented features; enforcement actions default to observe-first and quarantine applies a rate-limit floor (not a disconnect) with automatic release. The diagrams are conceptual and illustrate architecture, not measured results. Related per-topic briefs — Flow Intelligence, Autonomous QoE, CGNAT Arena, Subscriber Experience — are available alongside this guide.