Protect the Network From Abuse — and the Subscriber From Congestion — in One XDP Data Plane
BNGSOFT enforces protection where the packets are: in the XDP/eBPF fast path. Source spoofing, DDoS and outbound abuse are stopped at line rate before they leave or load the network — while L4S/AQM and Interactive Flow Protection keep latency low for real users on the same hardware, with no scrubber, no separate appliance.
Two jobs, one data plane: keep bad traffic out and abuse in check, and keep good traffic fast. Both run per-subscriber, at line rate, in XDP — not in a slow software path or a bolt-on box.
Outbound: validate the source and contain abuse so the network can't be a spoofing/DDoS origin. Inbound: drop attack patterns and shape every subscriber for low latency. All per-subscriber, in one XDP program.
1. Anti-Spoof (BCP38) — validated source on every packet · Protect the network
Each subscriber session carries an allow-list of exactly the addresses BNGSOFT assigned it (its IPv4 and its delegated IPv6). On every uplink packet the XDP program checks the source against that list and drops anything spoofed at line rate, at ingress — so a customer (or a compromised CPE) physically cannot send a packet pretending to be another address.
PER-SUBSCRIBER uRPF
Source must match.
Allow-list = the exact IPv4 + IPv6 assigned to the session.
Enforced for both address families in XDP.
SPOOFING STOPPED
At the source.
Reflection/amplification DDoS depends on spoofing the victim's IP — those packets never leave.
No customer can impersonate another.
SAFE ROLLOUT
Observe → enforce.
Observe mode first; auto-arms on subscriber-load stability.
No legitimate traffic dropped during ramp-up.
Why it matters: source validation at the edge is what keeps your network from being used as a spoofing/DDoS source — the root cause behind most reflection attacks and IP-impersonation abuse. ▸ Detail: the Edge Security brief.
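To make the per-subscriber check concrete, here is a userspace model of the decision the brief describes for the XDP uplink path. This is an added example, not BNGSOFT code: the product runs this logic inside an XDP/eBPF program, while this version runs the same decision on a plain byte buffer so it can be compiled and run anywhere. It assumes each session's allow-list is one assigned IPv4 address plus one delegated IPv6 prefix, and the session values and frames it builds are constructed samples.

```c
/* Userspace model of per-subscriber source validation (BCP38 / uRPF) for the uplink.
 * Added example, not BNGSOFT code. The XDP program would do this per packet at ingress;
 * here the same decision runs on a byte buffer so it compiles and runs anywhere.
 * Session addresses and frames are constructed samples. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1, VERDICT_OBSERVE = 2 };

/* One subscriber session and its allow-list: the exact IPv4 it was assigned
 * plus the IPv6 prefix delegated to it (assumption: one of each per session). */
struct session {
    uint32_t v4;             /* assigned IPv4, network byte order */
    uint8_t  v6_prefix[16];  /* delegated IPv6 prefix, e.g. 2001:db8:ab00::/56 */
    uint8_t  v6_plen;        /* prefix length in bits */
    int      enforce;        /* 0 = observe mode (count only), 1 = drop spoofed sources */
    uint64_t spoofed;        /* packets whose source failed validation */
};

int make_session(struct session *s, const char *v4, const char *v6pfx, uint8_t plen, int enforce) {
    memset(s, 0, sizeof(*s));
    s->v6_plen = plen;
    s->enforce = enforce;
    return inet_pton(AF_INET, v4, &s->v4) == 1 && inet_pton(AF_INET6, v6pfx, s->v6_prefix) == 1;
}

/* True if the first plen bits of addr equal the delegated prefix. */
static int v6_prefix_match(const uint8_t *addr, const uint8_t *prefix, uint8_t plen) {
    int full = plen / 8, rem = plen % 8;
    if (memcmp(addr, prefix, full) != 0) return 0;
    if (rem == 0) return 1;
    uint8_t mask = (uint8_t)(0xffu << (8 - rem));
    return (addr[full] & mask) == (prefix[full] & mask);
}

/* Validate the IP source of one uplink Ethernet frame against the session that sent it.
 * Mirrors the XDP decision: PASS the packet, DROP it, or (observe mode) count it and PASS. */
enum verdict check_uplink(struct session *s, const uint8_t *frame, size_t len) {
    if (len < 14) return VERDICT_DROP;                        /* truncated Ethernet header */
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    int ok;
    if (ethertype == 0x0800) {                                /* IPv4: source at IP offset 12 */
        if (len < 14 + 20) return VERDICT_DROP;
        uint32_t src;
        memcpy(&src, frame + 14 + 12, sizeof src);
        ok = (src == s->v4);
    } else if (ethertype == 0x86DD) {                         /* IPv6: source at IP offset 8 */
        if (len < 14 + 40) return VERDICT_DROP;
        ok = v6_prefix_match(frame + 14 + 8, s->v6_prefix, s->v6_plen);
    } else {
        return VERDICT_PASS;            /* non-IP (e.g. ARP) is outside source validation */
    }
    if (ok) return VERDICT_PASS;
    s->spoofed++;                       /* counted in both modes; only enforce mode drops */
    return s->enforce ? VERDICT_DROP : VERDICT_OBSERVE;
}

/* Constructed minimal frames: Ethernet header + IP header with only the source filled in. */
size_t build_v4_frame(uint8_t *buf, const char *src) {
    memset(buf, 0, 34);
    buf[12] = 0x08; buf[13] = 0x00;     /* EtherType IPv4 */
    buf[14] = 0x45;                     /* version 4, IHL 5 */
    inet_pton(AF_INET, src, buf + 14 + 12);
    return 34;
}
size_t build_v6_frame(uint8_t *buf, const char *src) {
    memset(buf, 0, 54);
    buf[12] = 0x86; buf[13] = 0xDD;     /* EtherType IPv6 */
    buf[14] = 0x60;                     /* version 6 */
    inet_pton(AF_INET6, src, buf + 14 + 8);
    return 54;
}

int main(void) {
    struct session s;
    make_session(&s, "100.64.10.7", "2001:db8:ab00::", 56, 1);
    const char *v4_srcs[] = { "100.64.10.7", "198.51.100.9" };       /* own address, then spoofed */
    const char *v6_srcs[] = { "2001:db8:ab00:12::1", "2001:db8:ab01::1" };
    uint8_t buf[64];
    for (int i = 0; i < 2; i++) {
        size_t n = build_v4_frame(buf, v4_srcs[i]);
        printf("v4 src %-20s -> %s\n", v4_srcs[i], check_uplink(&s, buf, n) == VERDICT_PASS ? "pass" : "drop");
        n = build_v6_frame(buf, v6_srcs[i]);
        printf("v6 src %-20s -> %s\n", v6_srcs[i], check_uplink(&s, buf, n) == VERDICT_PASS ? "pass" : "drop");
    }
    printf("spoofed packets counted: %llu\n", (unsigned long long)s.spoofed);
    return 0;
}
```

The `enforce` flag is what the observe-then-enforce rollout turns on: in observe mode the spoofed counter still climbs, so an operator can confirm that no legitimate session is tripping the check before any packet is dropped.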
2. DDoS Protection — in the data plane, not a scrubber · Protect the network
Layered defense that protects the BNG itself, the upstream, and every subscriber — built into XDP, so there is no separate scrubbing appliance to license or hairpin traffic through.
UPLOAD SELF-PROTECTION
The box stays healthy.
Rate-protects the BNG against upload floods — always on, machine self-defense.
One abusive line can't starve the control plane or other customers.
INBOUND HARDENING
Drop attack patterns.
Malformed and known-attack packet patterns dropped in XDP at ingress.
Attack traffic can't be used to exhaust BNG resources.
NO HAIRPIN
No extra hop.
Filtering happens inline at line rate — no detour to a scrubber.
Lower latency and one less box to run.
3. Anti-Abuse — detect and contain compromised CPEs · Protect the network
Spoofing aside, a healthy IP can still misbehave — a hijacked router blasting outbound scans, spam or attack traffic. BNGSOFT watches for abnormal outbound patterns over the upload-protection layer and can contain the offending subscriber so the abuse never reaches upstream and your address space stays off blocklists.
OUTBOUND-ABUSE DETECTION
Spot the bad actor.
Per-subscriber detector over the upload-protect counters.
Flags CPEs suddenly generating attack-volume or scan-pattern traffic.
Runs in observe mode first — measure before you enforce.
QUARANTINE / CONTAIN
Stop it at the edge.
Contain the flagged session so abuse doesn't reach the upstream.
Protects your reputation and other subscribers' service.
Operator-controlled, auditable.
Reputation is an asset. Catching outbound abuse at the access edge keeps your prefixes out of RBLs and your peers happy — and turns "why is our IP blocked?" tickets into a non-event.
4. AQM / L4S — keep latency low under load · Protect the experience
Protecting the network is half the job; the other half is protecting the subscriber's experience. BNGSOFT runs modern Active Queue Management with L4S per subscriber, in the same XDP path as forwarding — so a busy line stays responsive instead of bloating its buffers.
L4S LOW LATENCY
Mark, don't bloat.
L4S dual-queue with ECN CE-marking signals congestion early.
Classic-drop fallback for non-ECN traffic.
PER-SUBSCRIBER AQM
Target the delay.
Per-subscriber sojourn-time targets, adaptive under load.
Runs at line rate — no FastTrack/queue trade-off.
QoE TELEMETRY
See the experience.
Per-subscriber queuing latency and experience scoring.
Visibility to prove the SLA, not guess at it.
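The dequeue decision behind "mark, don't bloat" and the classic-drop fallback, as an added example that is not BNGSOFT code. It is a deliberately simplified stand-in for a production AQM: DualPI2 and CoDel derive a marking or drop probability over time, whereas this model uses a shallow step threshold for the L4S queue and a sustained-delay timer for the classic queue, and it leaves out the coupling between the two queues. The thresholds and packet timings are constructed sample values.

```c
/* Model of a per-subscriber dual-queue AQM decision: L4S ECN CE-marking with a
 * classic-drop fallback. Added example, not BNGSOFT code; simplified (step threshold
 * plus sustained-delay timer instead of a probabilistic controller, no coupling).
 * Thresholds and packet timings are constructed sample values. */
#include <stdint.h>
#include <stdio.h>

/* The two-bit ECN field of the IP header (RFC 3168 / RFC 9331 codepoints). */
enum ecn { ECN_NOT_ECT = 0, ECN_ECT1 = 1, ECN_ECT0 = 2, ECN_CE = 3 };
enum aqm_action { AQM_FORWARD = 0, AQM_MARK_CE = 1, AQM_DROP = 2 };

struct sub_aqm {
    uint32_t l4s_threshold_us;     /* L4S queue: shallow step threshold, mark as soon as exceeded */
    uint32_t classic_target_us;    /* classic queue: sojourn-time target */
    uint32_t classic_interval_us;  /* classic queue: how long sojourn must stay above target before acting */
    int      classic_above;        /* classic sojourn currently above target? */
    uint64_t classic_above_since_us;
    uint64_t forwarded, marked, dropped;
};

/* Decide the fate of a packet dequeued at now_us after waiting sojourn_us in its queue.
 * ECT(1) (and already-CE) packets belong to the L4S queue; everything else is classic. */
enum aqm_action aqm_dequeue(struct sub_aqm *q, enum ecn cp, uint64_t now_us, uint32_t sojourn_us) {
    enum aqm_action a = AQM_FORWARD;
    if (cp == ECN_ECT1 || cp == ECN_CE) {
        if (sojourn_us > q->l4s_threshold_us) a = AQM_MARK_CE;  /* early, frequent signal */
    } else if (sojourn_us > q->classic_target_us) {
        if (!q->classic_above) {
            q->classic_above = 1;
            q->classic_above_since_us = now_us;      /* start the timer, tolerate a short burst */
        } else if (now_us - q->classic_above_since_us >= q->classic_interval_us) {
            /* standing queue: mark classic-ECN senders, drop for Not-ECT (the fallback) */
            a = (cp == ECN_ECT0) ? AQM_MARK_CE : AQM_DROP;
        }
    } else {
        q->classic_above = 0;                        /* back under target, reset */
    }
    if (a == AQM_FORWARD) q->forwarded++;
    else if (a == AQM_MARK_CE) q->marked++;
    else q->dropped++;
    return a;
}

int main(void) {
    /* 1 ms L4S step, 5 ms classic target, 100 ms interval (constructed values) */
    struct sub_aqm q = { 1000, 5000, 100000, 0, 0, 0, 0, 0 };
    static const char *names[] = { "forward", "mark CE", "drop" };
    /* a bulk transfer fills the line: sojourn climbs 0.4 ms per packet, one packet per ms */
    for (int i = 0; i < 200; i++) {
        enum ecn cp = (i % 3 == 0) ? ECN_ECT1 : (i % 3 == 1) ? ECN_ECT0 : ECN_NOT_ECT;
        enum aqm_action a = aqm_dequeue(&q, cp, (uint64_t)i * 1000, (uint32_t)i * 400);
        if (i % 40 == 0) printf("t=%3d ms sojourn=%5u us ecn=%d -> %s\n", i, i * 400, cp, names[a]);
    }
    printf("forwarded=%llu marked=%llu dropped=%llu\n",
           (unsigned long long)q.forwarded, (unsigned long long)q.marked, (unsigned long long)q.dropped);
    return 0;
}
```

The asymmetry is the point: L4S senders get a CE mark the moment queuing delay passes a shallow threshold and back off gently and often, while a Not-ECT sender only learns about congestion when the standing queue has persisted for a whole interval, and then only by loss.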
5. Interactive Flow Protection — real-time traffic stays fast · Protect the experience
When a line is saturated by a bulk download, the packets that feel slow are the small, latency-sensitive ones — game traffic, voice, video-call, DNS, TCP ACKs. Interactive Flow Protection (IFP) recognises and prioritises those flows in XDP so they keep moving while the bulk transfer takes the back-pressure.
PRIORITISE THE INTERACTIVE
Small & sparse first.
Protects ACK / SYN / DNS and small, sparse, latency-sensitive flows.
Keeps gaming, voice and video-calls responsive under a saturating download.
MEASURED, NOT GUESSED
Observe → enforce.
Deployed observe-first, load-verified, then armed.
Pairs with AQM and QoE telemetry for a complete low-latency story.
▸ Detail: the Interactive Flow Protection & L4S briefs.
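A classifier for the "small and sparse first" rule, as an added example that is not BNGSOFT code. The protocol hints (TCP SYN, pure ACK, DNS) follow the brief; how "sparse" is measured is not described there, so this model assumes a per-flow token bucket: a small packet is treated as interactive only while its flow has stayed under an assumed byte rate. Flow ids, thresholds and packets are constructed samples.

```c
/* Model of Interactive Flow Protection classification: is this packet part of an
 * interactive (protected) flow or a bulk one? Added example, not BNGSOFT code.
 * The sparse test is an assumed token bucket; thresholds and packets are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FLOWS 64
#define TCP_SYN 0x02
#define TCP_ACK 0x10

enum ifp_class { IFP_BULK = 0, IFP_INTERACTIVE = 1 };

struct pkt {
    uint32_t flow_id;       /* 5-tuple hash, assumed to be computed earlier in the pipeline */
    uint8_t  proto;         /* 6 = TCP, 17 = UDP */
    uint8_t  tcp_flags;
    uint16_t sport, dport;
    uint32_t len;           /* total IP length in bytes */
    uint32_t payload_len;   /* bytes after the transport header */
    uint64_t now_us;
};

struct flow_state { uint32_t flow_id; int used; int64_t credit; uint64_t last_us; };

struct ifp {
    uint32_t small_max_bytes;         /* packets larger than this are never "small" */
    uint32_t sparse_rate_bytes_per_s; /* sustained rate a flow may hold and still count as sparse */
    uint32_t sparse_burst_bytes;      /* bucket depth: short bursts are tolerated */
    struct flow_state flows[MAX_FLOWS];
};

static struct flow_state *flow_lookup(struct ifp *f, uint32_t id, uint64_t now_us) {
    struct flow_state *slot = NULL;
    for (int i = 0; i < MAX_FLOWS; i++) {
        if (f->flows[i].used && f->flows[i].flow_id == id) return &f->flows[i];
        if (!f->flows[i].used && !slot) slot = &f->flows[i];
    }
    if (!slot) return NULL;            /* table full: caller treats the flow as bulk */
    slot->used = 1; slot->flow_id = id;
    slot->credit = f->sparse_burst_bytes; slot->last_us = now_us;
    return slot;
}

enum ifp_class ifp_classify(struct ifp *f, const struct pkt *p) {
    /* 1. protocol hints that are always latency-sensitive (from the brief) */
    if (p->proto == 6 && (p->tcp_flags & TCP_SYN)) return IFP_INTERACTIVE;
    if (p->proto == 6 && (p->tcp_flags & TCP_ACK) && p->payload_len == 0) return IFP_INTERACTIVE;
    if (p->proto == 17 && (p->sport == 53 || p->dport == 53)) return IFP_INTERACTIVE;
    /* 2. full-size packets are bulk by definition */
    if (p->len > f->small_max_bytes) return IFP_BULK;
    /* 3. small packets stay interactive only while the flow remains sparse */
    struct flow_state *fs = flow_lookup(f, p->flow_id, p->now_us);
    if (!fs) return IFP_BULK;
    uint64_t elapsed = p->now_us - fs->last_us;
    fs->credit += (int64_t)(elapsed * f->sparse_rate_bytes_per_s / 1000000);
    if (fs->credit > (int64_t)f->sparse_burst_bytes) fs->credit = f->sparse_burst_bytes;
    fs->last_us = p->now_us;
    if (fs->credit >= (int64_t)p->len) { fs->credit -= p->len; return IFP_INTERACTIVE; }
    return IFP_BULK;                   /* small but not sparse: a small-packet stream at bulk rate */
}

int main(void) {
    struct ifp f; memset(&f, 0, sizeof f);
    f.small_max_bytes = 256; f.sparse_rate_bytes_per_s = 8000; f.sparse_burst_bytes = 4000;
    int game = 0, flood = 0;
    for (int i = 0; i < 50; i++) {     /* game: 100-byte UDP every 20 ms */
        struct pkt g = { 3, 17, 0, 50000, 27015, 100, 72, (uint64_t)i * 20000 };
        game += ifp_classify(&f, &g) == IFP_INTERACTIVE;
    }
    for (int i = 0; i < 30; i++) {     /* small-packet stream: 200 bytes every 1 ms */
        struct pkt s = { 4, 17, 0, 50001, 5000, 200, 172, (uint64_t)i * 1000 };
        flood += ifp_classify(&f, &s) == IFP_INTERACTIVE;
    }
    printf("game flow: %d/50 interactive; 200 kB/s small-packet stream: %d/30 interactive\n", game, flood);
    return 0;
}
```

The bucket is what keeps "small" from becoming a loophole: a flow that sends small packets at bulk rate drains its allowance and falls back to the bulk class, while a genuinely sparse game or voice flow never runs out.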
Busy-hour responsiveness — interactive latency under a saturating download (illustrative chart)
Conceptual: with AQM + IFP, small interactive flows avoid the bufferbloat a bulk transfer would otherwise impose. Directional, not a measured benchmark — validate on your traffic.
No AQM (bufferbloat): high tail latency (worst)
AQM / L4S: low (better)
AQM + Interactive-Flow: lowest (best)
One data plane, both directions — at a glance
Protection | Direction | What it stops / delivers | Where
Anti-Spoof (BCP38) | Outbound | Spoofed source IPs; IP impersonation; reflection-DDoS origin | XDP, per-sub, v4+v6
DDoS Protection | Inbound + self | Upload floods on the BNG; malformed/attack packet patterns |
Cost-effective — one data plane, not an appliance stack
The traditional way to get all this is to bolt boxes onto the edge: a standalone DDoS scrubber, a separate QoE / low-latency appliance, hand-maintained anti-spoof ACLs on the routers, and yet more tooling for outbound abuse. Each is its own capex, power draw, latency hop (traffic hair-pinned through it) and operational surface. BNGSOFT delivers all five protections in the BNG you already run — so the marginal cost of turning them on is effectively zero extra hardware.
Boxes in the path to deliver edge protection (directional)
Fewer boxes = less capex, power, rack, optics, sparing and ops — and one less latency hop. The protections ride the existing XDP data plane.
No scrubber to license, no hairpin, no QoE appliance. Protection is a software feature of the BNG, not a second hardware tier — so it adds ~$0 per subscriber in hardware and removes the latency and ops of a separate security/QoE path. ▸ Full economics: the Hardware Sizing & TCO brief (~$0.30 / subscriber on commodity x86).
What your subscribers feel
Protection only pays off if customers notice — and here, they notice by not noticing problems. Each capability maps to a concrete subscriber experience, which is what shows up in satisfaction, support load and churn.
STAYS ONLINE
No collateral outage.
When the network is targeted by an attack, the subscriber's service keeps working.
Inbound attack patterns and upload floods are absorbed at the edge, not felt at home.
SMOOTH WHEN BUSY
Calls & games stay fast.
Video-calls, gaming and streaming stay responsive even during a big download on the same line.
A hijacked CPE down the street can't spoof your address or get the shared prefix blocklisted.
Abuse is contained at its source, not paid for by everyone.
The business effect of a better experience: fewer "it's slow / it's down / why am I blocked" tickets, higher satisfaction and NPS, and lower churn — plus your prefixes stay off blocklists (BCP38-aligned), keeping peers and upstreams happy. Protection the subscriber experiences as reliability.
What it means for the operator
Edge Protection · operator value
🛡 Never a DDoS source: per-subscriber source validation drops spoofed traffic at the edge — your prefixes stay off blocklists and out of reflection attacks.
⊘ No scrubber, no extra box: DDoS filtering and abuse containment are inline in XDP — lower latency and one less appliance to license and run.
◷ Low latency that you can prove: L4S/AQM + Interactive Flow Protection keep real users fast under load, with per-subscriber QoE telemetry for the SLA.
$ Fewer abuse tickets: catch compromised CPEs at the access edge — turn "why is our IP blocked / my game lags" into a non-event.
⚙ Safe to roll out: every enforcement is observe-first and arms on subscriber-load stability — measure the impact before you turn it on.
⊞ All on the BNG you already run: five protections in one XDP data plane on commodity x86 — no security tier, no QoE box, no forklift.
The bottom line
BNGSOFT protects in both directions from one place: it keeps the network from being a source of spoofing, DDoS and abuse, and it keeps every subscriber's experience fast under load — all per-subscriber, at line rate, in the XDP data plane. No scrubber, no QoE appliance, no second hardware tier — ~$0 extra per subscriber in hardware, and the subscriber feels it as reliability: online during attacks, smooth when busy, never wrongly blocked.
Keep the bad traffic out. Keep the good traffic fast. One box — lower cost, happier subscribers.
Scope & honest framing: This brief summarises the BNGSOFT edge-protection feature set; each capability has a dedicated detail brief (Edge Security, Interactive Flow Protection, L4S Low-Latency, Subscriber Experience Management). All protection logic runs in the BNGSOFT XDP/eBPF data plane on commodity x86. Anti-spoof is per-subscriber source validation (BCP38/uRPF) for IPv4 and IPv6, matching each session against the address(es) assigned to it and dropping spoofed sources at ingress; it is deployed observe-then-enforce and arms on subscriber-load stability. DDoS protection comprises always-on BNG upload self-protection plus inbound malformed/known-attack packet-pattern drop in the data plane (no external scrubber). Anti-abuse is a per-subscriber outbound-abuse detector over the upload-protection layer that flags and can contain (quarantine) compromised CPEs; it is operator-controlled and deployed observe-first. AQM/L4S is per-subscriber Active Queue Management with L4S dual-queue ECN CE-marking and a classic-drop fallback, adaptive to load, with per-subscriber queuing-latency / QoE telemetry. Interactive Flow Protection prioritises small, latency-sensitive flows (e.g. ACK/SYN/DNS, sparse real-time traffic) so they stay responsive during bulk transfers; it is deployed observe-first and load-verified. Exact behaviour, defaults and availability depend on deployment mode (full-monolithic vs QoS-only), configuration and software version, and should be validated per deployment. The busy-hour latency chart is illustrative: a conceptual representation of AQM/IFP behaviour, not a measured benchmark. Prepared as a management and operations overview for broadband operators; product and feature names are property of BNGSOFT.