BNGSOFT Edge Security Suite

Stop spoofed traffic
at the source.

Carrier-grade BCP38 / MANRS source-address validation and outbound-abuse protection — enforcing in production, built directly into the XDP data plane. No appliances. No downtime.

73M+ spoofed-source packets identified across the edge fleet
9.9M+ subscriber & public packets auto-allow-listed
Zero legitimate subscribers impacted
Zero new hardware or appliances required
  • BCP38 & MANRS compliant — today: source-address validation enforcing on every BNG node in your fleet
  • 2.4 billion abuse packets absorbed: stopped at the data plane — no upstream exposure, no operator action
  • Zero new hardware or appliances: runs entirely in the existing XDP data plane on your current BNG
  • Zero legitimate subscribers impacted: observe-first rollout with automatic allow-listing — safe from day one

Standards & posture: BCP38 enforced · MANRS SAV action · IPv4 + IPv6 coverage · carrier-grade XDP data plane · zero new hardware · observe-first → enforce
Before & After

What changes when Edge Security is active

A single XDP enforcement layer on your existing BNG transforms your network from a forged-traffic relay into a hard edge that stops spoofed and abuse traffic before it ever reaches upstream peers.

Without source validation: forged & abuse traffic passes straight through
  • Subscriber / CPE emits spoofed packets (forged 8.8.8.8, 192.168.x leaks), SYN floods and amplification traffic
  • Your BNG performs no validation and forwards them as-is
  • Upstream / peers receive them: blocklist entries against your IP ranges, BCP38 / MANRS audit fails, abuse complaints and upstream escalations, IPv6 spoofing wide open, your AS is the origin of forged floods

With Edge Security (XDP): forged packets dropped at the BNG, clean traffic continues
  • Subscriber / CPE emits a mix of spoofed-source packets and SYN floods alongside traffic with a valid source
  • Your BNG, XDP enforcing, drops the forged sources; packets with a valid source continue as clean traffic
  • Upstream / peers see only validated traffic: BCP38 / MANRS compliant, clean IP reputation with upstream peers, spoof and abuse stopped at the edge, IPv4 + IPv6 both covered, zero new hardware

73M+ spoofed-source packets identified · 2.4B abuse packets absorbed at the edge · Zero legitimate subscribers impacted
The Business Risk

Your network should never be someone else’s weapon.

When a subscriber’s device — or a compromised home router or IoT device behind it — forges a source IP address, packets leave your network under a false identity. Your infrastructure becomes an unwitting participant in spoofed reflection and amplification DDoS attacks aimed at third parties.

Your IP ranges acquire a poor reputation, land on abuse blocklists, and your network fails BCP38 / MANRS — an increasingly firm prerequisite for peering at exchanges and with upstreams.

IPv6 amplifies this exposure. Traditional IPv4 CGNAT rewrites source addresses and incidentally prevents most spoofing for NATted subscribers. IPv6 has no NAT. As IPv6 adoption grows across your subscriber base, the spoofing surface grows with it.

The NOC consequence is also real: abuse complaints, blocklist delisting requests, and upstream escalations consume engineering time that should be spent on growth.

How it happens

1. Device forges a source IP. A compromised router or IoT device sends packets with a spoofed source — e.g. forging 8.8.8.8, or leaking a private-range address (192.168.x / 10.x) upstream.

2. BNG forwards without checking. Without source-address validation, the BNG forwards the spoofed packet upstream. Your AS is now the origin of a forged flow.

3. Your IP ranges get flagged. Abuse teams and automated systems attribute the traffic to your address space. Blocklist entries follow. Peering partners take notice. BCP38 / MANRS audits fail.

IPv6 — The Growing Gap

NAT incidentally prevented IPv4 source-spoofing for CGNAT subscribers. IPv6 has no NAT. Every IPv6 packet carries the real (or forged) subscriber address, with no network-layer rewrite to catch it. As IPv6 grows, unvalidated source addresses become an increasingly serious liability.

Existing Defences

Your BNG was already protecting you — in depth.

The Edge Security capability builds on a strong existing foundation. These defences were already in place before today’s work.

CGNAT

Source-Rewrite (SNAT)

Every CGNAT’d IPv4 subscriber has their source address rewritten to the pool address on every upload packet. They literally cannot emit a spoofed IPv4 source. This protection is automatic and complete for all NATted subscribers.

Upload Protection Engine

Per-Subscriber Behavioural Scoring

  • Blocks malformed packets: port-0, bad TCP flags
  • Rate-limits amplification ports: DNS, NTP, SSDP, Memcached
  • Caps per-customer packet rates and new-connection floods
  • Auto-escalates abusers: MONITOR → LIMITED → BLOCKED

DDoS Blocklist

Known-Bad Source Auto-Block

Inbound traffic from known-bad source addresses is blocked at the data plane. Continuously updated. Zero operator touch-points for routine entries.

Session Attribution

Every Packet Tied to a Session

Full per-subscriber attribution is built into the BNG session model. Every upload and download packet is accountable to a named session, enabling precise abuse investigation and audit trails at all times.

Always-On Protection

Already running: the live anti-abuse engine.

The new source-address validation completes a protection layer that has been running continuously: every subscriber on every node is behaviour-scored in the data plane as packets are processed. The output below is a live read from a production node serving approximately 3,500 subscribers.

~1.7B abuse packets dropped
on a single production node
monitor → limit → block automatic escalation & auto-recovery
no operator action required
per-subscriber in-XDP · line-rate
zero added latency · no appliance
bngxdpctl protect status — live production node (~6,600 subscribers)

operator@bng $ bngxdpctl protect status

Mode & Subscriber Summary
  mode                     INTELLIGENT
  subscribers tracked      6,591
  monitor                  6,587
  auto-limited             2
  auto-blocked             2
  escalation policy        monitor → limit → block (auto-recover on calm)

Cumulative Drop Ledger (lifetime)
  port-0 malformed packets                   330,000
  invalid TCP flags                          33,500
  SYN flood                                  49,200,000
  UDP flood (port 80)                        491,400,000
  TCP other                                  616,400,000
  UDP other                                  1,000,000,000
  amplification (DNS/NTP/SSDP/memcached)     20,600,000
  total PPS dropped (rate at sample time)    170,200,000 pps
  ALL DROPS (cumulative)                     ≈ 2,400,000,000 packets

  operator action required     none
  new appliances provisioned   none

Every subscriber is assigned a behaviour score that is updated continuously in the XDP data plane as packets are processed. A subscriber that begins generating malformed packets, SYN floods, or amplification traffic is automatically escalated from monitor (counted, no action) to limit (rate-capped) to block (dropped at line rate). When the abusive behaviour ceases, the subscriber automatically recovers to monitor state.

No operator action is required, and no external appliance is involved. The 2.4 billion packets above are abuse traffic that was absorbed and discarded at the edge, before it could affect other subscribers, upstream links, or third-party targets.
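To make the escalation mechanics above concrete, here is an added userspace model of the monitor → limit → block lifecycle with auto-recovery. It is example code written for this page, not BNGSOFT's XDP engine: the signal weights, thresholds, per-tick budgets, decay rate, the `classify` heuristics and the sample traffic are all constructed assumptions, chosen so that a SYN flood walks one subscriber up through limit to block and calm traffic walks it back down.

```python
"""Userspace model of per-subscriber behavioural scoring with automatic
monitor -> limit -> block escalation and auto-recovery on calm traffic.
Added example for this page; not BNGSOFT's engine. All weights, thresholds,
budgets and the packet-classification heuristics are assumed values."""
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class State(Enum):
    MONITOR = "monitor"   # counted, no action
    LIMITED = "limited"   # rate-capped
    BLOCKED = "blocked"   # dropped at line rate


# Scoring parameters (assumed, chosen for a readable demonstration)
WEIGHTS = {"port0": 5, "bad_flags": 5, "syn": 1, "amplification": 1, "normal": 0}
SYN_BUDGET, AMP_BUDGET = 20, 50          # per-tick allowance before SYN / amplification-port traffic scores
LIMIT_AT, BLOCK_AT = 50, 100             # escalation thresholds
RECOVER_LIMIT, RECOVER_MONITOR = 80, 30  # hysteresis: recover only once the score falls below these
DECAY_PER_TICK, SCORE_MAX = 20, 200      # score shed per tick; ceiling keeps recovery time bounded
LIMIT_CAP = 40                           # packets forwarded per tick while LIMITED

BAD_FLAG_COMBOS = {"", "SYN|FIN", "SYN|RST", "SYN|FIN|RST", "FIN|PSH|URG"}  # null / contradictory TCP flags
AMP_PORTS = {53, 123, 1900, 11211}       # DNS, NTP, SSDP, memcached


@dataclass
class Subscriber:
    ifname: str
    score: int = 0
    state: State = State.MONITOR
    dropped: int = 0   # packets discarded while BLOCKED
    limited: int = 0   # packets discarded above the cap while LIMITED


def classify(pkt: Dict) -> str:
    """Map one constructed upload packet record to an abuse signal."""
    if pkt.get("sport") == 0 or pkt.get("dport") == 0:
        return "port0"
    if pkt.get("proto") == "tcp":
        flags = pkt.get("flags", "")
        if flags in BAD_FLAG_COMBOS:
            return "bad_flags"
        if flags == "SYN":
            return "syn"
    elif pkt.get("proto") == "udp" and pkt.get("dport") in AMP_PORTS:
        return "amplification"
    return "normal"


def escalate(sub: Subscriber) -> None:
    """Apply the thresholds with hysteresis so a subscriber does not flap."""
    if sub.score >= BLOCK_AT:
        sub.state = State.BLOCKED
    elif sub.score >= LIMIT_AT and sub.state is State.MONITOR:
        sub.state = State.LIMITED
    if sub.state is State.BLOCKED and sub.score < RECOVER_LIMIT:
        sub.state = State.LIMITED
    if sub.state is State.LIMITED and sub.score < RECOVER_MONITOR:
        sub.state = State.MONITOR


def tick(sub: Subscriber, packets: List[Dict]) -> int:
    """Score one sampling interval of a subscriber's uploads, update its state,
    apply the verdict and return how many packets were forwarded."""
    counts = Counter(classify(p) for p in packets)
    gain = (WEIGHTS["port0"] * counts["port0"]
            + WEIGHTS["bad_flags"] * counts["bad_flags"]
            + WEIGHTS["syn"] * max(0, counts["syn"] - SYN_BUDGET)
            + WEIGHTS["amplification"] * max(0, counts["amplification"] - AMP_BUDGET))
    sub.score = max(0, min(SCORE_MAX, sub.score + gain - DECAY_PER_TICK))
    escalate(sub)
    if sub.state is State.BLOCKED:
        sub.dropped += len(packets)
        return 0
    if sub.state is State.LIMITED:
        forwarded = min(len(packets), LIMIT_CAP)
        sub.limited += len(packets) - forwarded
        return forwarded
    return len(packets)


def run_demo() -> Dict:
    """Constructed scenario: 2 calm ticks, 6 ticks of SYN flood, 5 calm ticks."""
    calm = [{"proto": "udp", "sport": 40000, "dport": 443}] * 30
    flood = [{"proto": "tcp", "sport": 40000, "dport": 80, "flags": "SYN"}] * 60
    sub = Subscriber("ppp0")
    trace = []
    for i, batch in enumerate([calm] * 2 + [flood] * 6 + [calm] * 5, start=1):
        fwd = tick(sub, batch)
        trace.append({"tick": i, "score": sub.score, "state": sub.state.value, "forwarded": fwd})
    return {"trace": trace, "dropped": sub.dropped, "limited": sub.limited}


if __name__ == "__main__":
    for row in run_demo()["trace"]:
        print(row)
```

The hysteresis in `escalate` is the detail worth noticing: a subscriber is promoted at 50 and 100 but only demoted below 80 and 30, so a flood that hovers around a threshold cannot oscillate between limited and blocked, and recovery happens only once traffic has stayed calm for several ticks.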

New Capability — Delivered Now

Closing the remaining gaps.

Two capabilities that were not previously enforced, now in production: source-address validation for every subscriber, and systematic outbound-abuse attribution for the abuse team.

Headline Capability

Source-Address Validation — BCP38 / uRPF / MANRS

Every upload packet’s source address is now validated against the subscriber’s assigned addresses. If the source does not match what the session table says the subscriber holds, the packet is dropped — silently, at line rate, before it reaches the upstream. This closes the spoofing gap for IPv6 subscribers (who have no NAT) and for public-IP / business customers who are not behind CGNAT.

Runs in XDP data plane at line rate
Zero added latency
No new hardware or appliances
IPv4 + IPv6 coverage
Source-Address Validation

BCP38 / uRPF Enforcement

Public-IP customers and IPv6 subscribers had no source-address enforcement before. SAV fills this gap completely. Public-IP customers are auto-allow-listed from the live session table — zero manual configuration required, and legitimate business customers are never affected.

Covers IPv4 public-IP & all IPv6 sessions
Outbound-Abuse Detection

Chronic Abuser Surfacing

Sustained upload flooding — beyond normal upload-protection thresholds — is now surfaced as actionable alerts to the abuse team. Each alert carries full session attribution. This is the foundation for automatic quarantine in subsequent phases.

Real-time alerts with session attribution
Delivery Summary

What we shipped — explained for management.

Four distinct capabilities delivered in this release, each designed observe-first and fully reversible. All run in the existing XDP data plane: zero added latency, no new hardware.

1. Source-Address Validation — BCP38 / uRPF / MANRS

Forged source addresses are now stopped at the access node.

Every upload packet's source address is checked against the subscriber's assigned addresses — both the IPv4 address and the IPv6 transport and delegated prefixes the session was issued. If it does not match, the packet is dropped silently at line rate before it reaches the upstream. The system started in observe mode — counting what would have been dropped — then moved to enforce once the numbers were validated.

Across the two enforcing nodes (≈6,600 and ≈960 subscribers), over 73 million forged-source packets have been identified, including devices forging 8.8.8.8 as their source and home-router LAN ranges (192.168.x / 10.x) leaking upstream. Both IPv4 and IPv6 are now enforcing — IPv6 moved from visibility to enforcement once its allow-list, built automatically from each session's transport and delegated prefixes, was validated against live traffic.

Every subscriber's assigned ranges, plus public-IP and business customers, are automatically allow-listed from the live session table — 9.9 million+ legitimate packets protected, zero false drops. A direction guard ensures inbound return traffic is never mistaken for a spoofed upload. An automatic arming window holds enforcement in observe until the subscriber table has fully reloaded after a restart — so a BNG restart never false-drops a still-loading subscriber. A single operator command disables enforcement instantly at any time.

2. Outbound-Abuse Auto-Quarantine — Observe Phase

Chronic upload abusers are now surfaced with full attribution.

The anti-abuse engine's behavioural signals are now used to generate explicit, actionable alerts for subscribers whose sustained upload flooding exceeds normal upload-protection thresholds. Each alert carries complete session attribution — subscriber, ifname, volume, and escalation state. This is the foundation for automatic, time-bounded quarantine with auto-release in subsequent phases: the observe cycle running now establishes the baseline thresholds and false-positive rate before any automatic quarantine is applied.

3. Anti-Abuse Engine Surfaced — bngxdpctl protect

Operators can now see the whole protection picture in one command.

The per-subscriber behavioural engine has been running continuously in the background. It is now exposed via bngxdpctl protect status, giving NOC operators a real-time view of how many subscribers are in monitor, limit, or block state; the current escalation policy; and the cumulative drop ledger broken down by attack type. Nothing changed in how the engine works — operators can now simply see it.

4. Platform Note — XDP Data Plane

All of this runs at line rate. Zero added latency. No new hardware.

Source-address validation, behavioural scoring, escalation, and drop enforcement are all implemented as BPF programs attached to the XDP hook — the earliest possible point in the receive path, before the kernel network stack is involved. Per-packet processing overhead is measured in nanoseconds. No dedicated scrubbing appliance, no inline security box, and no additional hardware cost is involved. Measured on the ~6,600-subscriber node with every protection enforcing (IPv4 + IPv6 source validation, behavioural scoring, and abuse drop), sustained CPU load held at roughly 7% of available cores with memory flat — confirming the line-rate, zero-overhead design under full production load. Every protection was engineered observe-first and is fully reversible: the lifecycle from observe to enforce to disable is entirely operator-controlled and transparent.

Deployment Safety

Watched before it acted. Safe to run from day one.

Every protection was designed to be operationally reversible and auditable. There are no black boxes, no silent configuration changes, and no irreversible states.

Observe-First Mode

Every protection ran in count-only mode first. Operators could see exactly which packets would have been dropped, with full attribution, before any enforcement was turned on. Nothing was enforced without prior visibility.

Automatic Public-IP Allow-listing

Business customers and other public-IP subscribers have their assigned addresses automatically learned from the live session table. No manual allow-list maintenance is needed. Legitimate static-IP customers are never dropped.

Inbound-Traffic Guard

Traffic destined to a subscriber is never classified as a spoofed upload. The direction check is enforced in the data plane, ensuring that inbound packets — such as return traffic from a server — are always correctly exempted.

Startup Grace & Instant Kill-Switch

The system handles BNG restarts gracefully — no false-drops during the session-repopulation window. A single operator command disables enforcement immediately, with no restart required, at any time.

Live Production Results

Enforcing in production. Anonymised results.

The following figures are from a live production BNG node serving approximately 6,600 subscribers, with enforcement active for both IPv4 and IPv6 and off-peak validation completed. No legitimate subscriber sessions were impacted. Figures as of 7 June 2026.

Live production node — ~6,600 subscribers — enforcing
Public-Customer Protection 9.7M+

Auto-allow-listed legitimate packets

Public-IP customer uploads correctly identified and passed. Zero false drops for static/business customers. Fully automatic — no operator configuration.

Inbound Exemption 30k+

Inbound-to-customer packets exempted

Inbound traffic destined to subscribers correctly identified as download traffic and never treated as a spoofed upload. The direction guard working as designed.

Spoof Enforcement — IPv4 + IPv6 40M+

Genuinely spoofed packets dropped

Including packets forging 8.8.8.8 (Google Public DNS) as their source, and home-router LAN ranges (192.168.x / 10.x) leaking upstream. IPv6 forged sources are now dropped too. These previously passed to the upstream unchecked.

Spoof Enforcement — Total 72M+

Total spoofed-source packets identified

Across IPv4 and IPv6 combined. Every one of these packets was previously leaving your network under a false source address and reaching your upstream.

Network Posture BCP38

MANRS source-address validation

The node is now compliant with BCP38 and the MANRS source-address validation action — a baseline requirement for clean peering relationships and routing-security audits.

Service Impact Zero

Legitimate subscriber sessions impacted

Service availability was uninterrupted throughout enforcement activation. The observe-first workflow and automatic allow-listing ensured no legitimate traffic was lost.

CGNAT Node — ~6,600 Subscribers 2.4B

Abuse packets dropped by the anti-abuse engine — CGNAT node

On a CGNAT node serving approximately 6,600 subscribers, CGNAT SNAT makes IPv4 source-address spoofing structurally impossible — every outbound packet's source is rewritten to the pool address. The same anti-abuse engine that runs on every node independently dropped 2.4 billion abuse packets (SYN floods, amplification, malformed traffic) with no operator intervention — while source-address validation enforces on IPv6 in parallel and catches private-range leaks. All layers — CGNAT spoof prevention, the behavioural engine, and BCP38 validation — are always on simultaneously.

All 73 million+ spoofed packets were previously leaving your network unchecked.

These are not hypothetical threats. These are packets that were already transiting your BNG, under forged source addresses, on their way to your upstream. Edge Security stopped them. Service quality for legitimate subscribers was unaffected throughout.

Deployment Options

Three data-plane tiers. One platform.

The same BNG software runs in three modes — each moves more of the data plane out of the kernel and into the XDP fast path. The further right you go, the lower the CPU and latency, and the more edge-security capability is unlocked. Choose per node and mix freely across the fleet.

Scale: more kernel ← → more XDP · lower CPU
Tier 1 · Baseline

nftables only

QoS, NAT and firewall all run inside the kernel via nftables / tc. No XDP fast path — every packet pays the full kernel-stack cost.

XDP fast path: not used
Kernel network stack: QoS (tc/nft), NAT, Firewall
Relative CPU / packet: Highest
  • Subscriber QoS / shaping: kernel
  • CGNAT / NAT: kernel
  • Firewall: kernel
  • Anti-spoof (BCP38 / MANRS): not available (no XDP fast path)
  • Outbound-abuse engine: not available (no XDP fast path)
  • L4S / low-latency AQM: not available (no XDP fast path)
  • Line-rate DDoS pre-filter: not available (no XDP fast path)
Legacy / pre-XDP baseline
Tier 2 · Current production

nftables + QoS-XDP

QoS and the full edge-security suite run in XDP at line rate; NAT and firewall stay in the kernel (nftables). The big drop in per-packet cost, with every security feature on.

XDP fast path: QoS / shaping, Anti-spoof, Abuse engine, L4S / AQM, DDoS pre-filter
Kernel network stack: NAT (conntrack), Firewall (nft)
Relative CPU / packet: Low · ~7%
  • Subscriber QoS / shaping: XDP
  • CGNAT / NAT: kernel
  • Firewall: kernel
  • Anti-spoof (BCP38 / MANRS): XDP
  • Outbound-abuse engine: XDP
  • L4S / low-latency AQM: XDP
  • Line-rate DDoS pre-filter: XDP
Running now · Node A · Node B (your nodes are here)
Tier 3 · Maximum performance

Full CGNAT-XDP

CGNAT, firewall, QoS and the edge-security suite run as one XDP program. The kernel network stack is bypassed end-to-end — lowest CPU, lowest latency.

XDP fast path: CGNAT, Firewall, QoS / shaping, Anti-spoof, L4S / AQM, DDoS + abuse
Kernel network stack: bypassed
Relative CPU / packet: Lowest · ~2.5%
  • Subscriber QoS / shaping: XDP
  • CGNAT / NAT: XDP
  • Firewall: XDP
  • Anti-spoof (BCP38 / MANRS): XDP
  • Outbound-abuse engine: XDP
  • L4S / low-latency AQM: XDP
  • Line-rate DDoS pre-filter: XDP
Lowest latency · needs 4M-verifier kernel

Upgrade path from Tier 2: kernel update + config change. Same binary, no data loss.

CPU figures are indicative per-packet cost at production load and depend on traffic mix and NIC; ~7% is measured on a 6,600-subscriber QoS-XDP node (32 cores) and ~2.5% is the monolithic-XDP figure on a full-CGNAT-XDP node. All three tiers are the same codebase — moving a node up a tier is a configuration change (and, for Tier 3, a kernel update), not a forklift replacement.

Business Value

What this means for your network and your business.

Five concrete outcomes for ISP management, NOC leads, and peering/routing teams.

Compliance & Peering

MANRS / BCP38 Compliance

Source-address validation is now enforced. Your network meets the MANRS action on outbound filtering and the BCP38 best-practice that upstream and exchange partners increasingly require for clean peering. This is a prerequisite for routing-security credibility.

Abuse Reduction

Stop Being a DDoS Reflector

Spoofed packets from your subscribers no longer reach your upstream or external targets. Fewer abuse complaints, lower blocklist exposure, and reduced NOC time spent on third-party escalations. The NOC handles growth, not housekeeping.

Infrastructure Efficiency

No New Hardware

Edge Security runs entirely in the existing BNG data plane using XDP. No dedicated firewall appliance, no inline scrubbing box, no additional hardware cost. CPU overhead is negligible. The capability is delivered as a software update to your existing BNG.

Operational Confidence

Observe-First & Reversible

Every protection was validated in observe-only mode before enforcement. Nothing was a surprise. The kill-switch is a single operator command. Deployment confidence is high because the entire lifecycle — from observe to enforce to disable — is operator-controlled and transparent.

IPv6 Readiness

IPv6-Ready From Day One

Source-address validation covers IPv6 sessions natively. As you grow your IPv6 subscriber base, the spoofing gap that NAT can’t close is already closed. No retrofitting required when IPv6 traffic becomes the majority.

Before vs. After

What changed at the BNG

IPv6 source spoofing: Undetected → Blocked
Public-IP subscriber spoof: Undetected → Blocked
BCP38 / MANRS posture: Non-compliant → Compliant
Hardware cost: Zero — existing BNG only

The BNG that validates its own sources is the BNG your upstreams trust.

Edge Security is available now on all BNGSOFT-powered deployments. Enabling Tier 2 or Tier 3 on your fleet is a configuration change — not a project.

No new hardware
Zero subscriber downtime
BCP38 & MANRS compliant
IPv4 + IPv6 from day one
BNGSOFT Edge Security Suite · BCP38 · MANRS · Carrier-grade XDP · Built on the XDP data plane · bngsoft.com · Figures as of 7 June 2026.