Carrier-grade BCP38 / MANRS source-address validation and outbound-abuse protection — enforcing in production, built directly into the XDP data plane. No appliances. No downtime.
A single XDP enforcement layer on your existing BNG transforms your network from a forged-traffic relay into a hard edge that stops spoofed and abuse traffic before it ever reaches upstream peers.
When a subscriber’s device — or a compromised home router or IoT device behind it — forges a source IP address, packets leave your network under a false identity. Your infrastructure becomes an unwitting participant in spoofed reflection and amplification DDoS attacks aimed at third parties.
Your IP ranges acquire a poor reputation, land on abuse blocklists, and your network falls short of BCP38 / the MANRS anti-spoofing action — an increasingly firm prerequisite for peering at exchanges and with upstreams.
IPv6 amplifies this exposure. Traditional IPv4 CGNAT rewrites source addresses and incidentally prevents most spoofing for NATted subscribers. IPv6 has no NAT. As IPv6 adoption grows across your subscriber base, the spoofing surface grows with it.
The NOC consequence is also real: abuse complaints, blocklist delisting requests, and upstream escalations consume engineering time that should be spent on growth.
A compromised router or IoT device sends packets with a spoofed source — e.g. forging 8.8.8.8, or leaking a private-range address (192.168.x / 10.x) upstream.
Without source-address validation, the BNG forwards the spoofed packet upstream. Your AS is now the origin of a forged flow.
Abuse teams and automated systems attribute the traffic to your address space. Blocklist entries follow. Peering partners take notice. BCP38 / MANRS audits fail.
NAT incidentally prevented IPv4 source-spoofing for CGNAT subscribers. IPv6 has no NAT. Every IPv6 packet carries the real (or forged) subscriber address, with no network-layer rewrite to catch it. As IPv6 grows, unvalidated source addresses become an increasingly serious liability.
The Edge Security capability builds on a strong existing foundation. These defences were already in place before today’s work.
Every CGNAT’d IPv4 subscriber has their source address rewritten to the pool address on every upload packet, so a forged IPv4 source never leaves the BNG. This protection is automatic and complete for all NATted subscribers.
Inbound traffic from known-bad source addresses is blocked at the data plane. Continuously updated. Zero operator touch-points for routine entries.
Full per-subscriber attribution is built into the BNG session model. Every upload and download packet is accountable to a named session, enabling precise abuse investigation and audit trails at all times.
The new source-address validation sits alongside a protection layer that has been running continuously: every subscriber on every node is behaviour-scored in the data plane as packets are processed. The figures quoted here are a live read from a production node serving approximately 3,500 subscribers.
Every subscriber is assigned a behaviour score that is updated continuously in the XDP data plane as packets are processed. A subscriber that begins generating malformed packets, SYN floods, or amplification traffic is automatically escalated from monitor (counted, no action) to limit (rate-capped) to block (dropped at line rate). When the abusive behaviour ceases, the subscriber automatically recovers to monitor state.
No operator action is required, and no external appliance is involved. The 2.4 billion packets in that read are abuse traffic that was absorbed and discarded at the edge, before it could affect other subscribers, upstream links, or third-party targets.
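As an added illustration of the escalation described above (this is not BNGSOFT's BPF code): a user-space C model of a per-subscriber score that escalates monitor → limit → block as abusive packets are counted, and recovers automatically as the score decays once the abuse stops. The thresholds, per-kind weights, one-second tick, the `limit`/`block` rate semantics and the constructed SYN-flood traffic are all assumptions; the production engine does the same bookkeeping in BPF maps at XDP rather than in a struct.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not BNGSOFT code. Thresholds and names are assumed. */

enum abuse_state { ST_MONITOR = 0, ST_LIMIT = 1, ST_BLOCK = 2 };
enum pkt_kind { PK_OTHER = 0, PK_SYN_FLOOD, PK_AMPLIFICATION, PK_MALFORMED, PK_KINDS };

struct policy {
    uint32_t weight[PK_KINDS]; /* score added per packet of each classified kind */
    uint32_t limit_at;         /* score at which the subscriber is rate-capped */
    uint32_t block_at;         /* score at which all of its uploads are dropped */
    uint32_t score_cap;        /* bounds how long recovery can take */
    uint32_t decay;            /* score removed at the end of every tick */
    uint32_t limit_rate;       /* packets passed per tick while in LIMIT */
};

struct subscriber {
    uint32_t score;
    enum abuse_state state;
    uint32_t passed_this_tick;
};

/* Cumulative drop ledger, broken down by attack type. */
struct ledger { uint64_t drops[PK_KINDS]; };

static const struct policy default_policy = {
    .weight = { 0, 1, 1, 1 }, .limit_at = 100, .block_at = 500,
    .score_cap = 1000, .decay = 300, .limit_rate = 200,
};

static enum abuse_state state_for(const struct policy *p, uint32_t score) {
    if (score >= p->block_at) return ST_BLOCK;
    if (score >= p->limit_at) return ST_LIMIT;
    return ST_MONITOR;
}

/* Called per upload packet. Returns 1 if the packet is passed, 0 if dropped. */
static int handle_packet(struct subscriber *s, const struct policy *p,
                         struct ledger *l, enum pkt_kind kind) {
    s->score += p->weight[kind];
    if (s->score > p->score_cap) s->score = p->score_cap;
    /* Escalate immediately; de-escalation only happens in end_tick(). */
    enum abuse_state want = state_for(p, s->score);
    if (want > s->state) s->state = want;

    switch (s->state) {
    case ST_MONITOR:                      /* counted, no action */
        return 1;
    case ST_LIMIT:                        /* rate-capped */
        if (s->passed_this_tick < p->limit_rate) { s->passed_this_tick++; return 1; }
        l->drops[kind]++;
        return 0;
    case ST_BLOCK:                        /* dropped at line rate */
    default:
        l->drops[kind]++;
        return 0;
    }
}

/* Called once per tick (assumed: one second): decay the score and recover. */
static void end_tick(struct subscriber *s, const struct policy *p) {
    s->score = s->score > p->decay ? s->score - p->decay : 0;
    s->state = state_for(p, s->score);
    s->passed_this_tick = 0;
}

struct demo_result { enum abuse_state state; uint32_t score; uint64_t dropped; };

/* Constructed traffic: flood_ticks ticks of pkts_per_tick SYN-flood packets,
 * then quiet_ticks ticks with no packets at all (abuse has ceased). */
static struct demo_result demo_flood(int flood_ticks, int pkts_per_tick, int quiet_ticks) {
    struct subscriber s = {0};
    struct ledger l = {0};
    for (int t = 0; t < flood_ticks; t++) {
        for (int i = 0; i < pkts_per_tick; i++)
            handle_packet(&s, &default_policy, &l, PK_SYN_FLOOD);
        end_tick(&s, &default_policy);
    }
    for (int t = 0; t < quiet_ticks; t++) end_tick(&s, &default_policy);
    uint64_t dropped = 0;
    for (int k = 0; k < PK_KINDS; k++) dropped += l.drops[k];
    return (struct demo_result){ s.state, s.score, dropped };
}

int main(void) {
    for (int quiet = 0; quiet <= 3; quiet++) {
        struct demo_result r = demo_flood(3, 1000, quiet);
        printf("3 ticks x 1000 SYN, %d quiet ticks: state=%d score=%u dropped=%llu\n",
               quiet, r.state, r.score, (unsigned long long)r.dropped);
    }
    return 0;
}
```

With these assumed thresholds a 1,000-packet-per-tick SYN flood passes its first 99 packets in monitor, 200 more under the limit cap, and is blocked from packet 500 onwards; three quiet ticks later the score has decayed back below the limit threshold and the subscriber is in monitor again with no operator involvement.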
Two capabilities that were not previously enforced, now in production: source-address validation for every subscriber, and systematic outbound-abuse attribution for the abuse team.
Every upload packet’s source address is now validated against the subscriber’s assigned addresses. If the source does not match what the session table says the subscriber holds, the packet is dropped — silently, at line rate, before it reaches the upstream. This closes the spoofing gap for IPv6 subscribers (who have no NAT) and for public-IP / business customers who are not behind CGNAT.
Public-IP customers and IPv6 subscribers had no source-address enforcement before. SAV fills this gap completely. Public-IP customers are auto-allow-listed from the live session table — zero manual configuration required, and legitimate business customers are never affected.
Sustained upload flooding — beyond normal upload-protection thresholds — is now surfaced as actionable alerts to the abuse team. Each alert carries full session attribution. This is the foundation for automatic quarantine in subsequent phases.
Four distinct capabilities delivered in this release, each designed observe-first and fully reversible. All run in the existing XDP data plane: negligible added latency, no new hardware.
Every upload packet's source address is checked against the subscriber's assigned addresses — both the IPv4 address and the IPv6 transport and delegated prefixes the session was issued. If it does not match, the packet is dropped silently at line rate before it reaches the upstream.

The system started in observe mode — counting what would have been dropped — then moved to enforce once the numbers were validated. Across the two enforcing nodes (≈6,600 and ≈960 subscribers), over 73 million forged-source packets have been identified, including devices forging 8.8.8.8 as their source and home-router LAN ranges (192.168.x / 10.x) leaking upstream. Both IPv4 and IPv6 are now enforcing — IPv6 moved from visibility to enforcement once its allow-list, built automatically from each session's transport and delegated prefixes, was validated against live traffic.

Every subscriber's assigned ranges, plus public-IP and business customers, are automatically allow-listed from the live session table — 9.9 million+ legitimate packets protected, zero false drops. A direction guard ensures inbound return traffic is never mistaken for a spoofed upload. An automatic arming window holds enforcement in observe until the subscriber table has fully reloaded after a restart, so a BNG restart never false-drops a still-loading subscriber. A single operator command disables enforcement instantly at any time.
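As an added illustration of the validation path described here and in the feature summary above (this is not BNGSOFT's data-plane code): a user-space C model of the per-packet decision, including the direction guard, the observe/enforce/disable lifecycle and the post-restart arming window. The session-table row, the 100.64.1.10 address, the 2001:db8:: prefixes and every function name are constructed assumptions; the XDP program performs the same lookups against BPF maps keyed by the subscriber session rather than against a struct.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not BNGSOFT code: a user-space model of the per-packet
 * source-address validation (SAV) decision. All names are assumed. */

#define MAX_V6_PREFIXES 4

enum sav_mode { SAV_DISABLED, SAV_OBSERVE, SAV_ENFORCE }; /* observe -> enforce -> disable */
enum sav_dir { SAV_UPLOAD, SAV_DOWNLOAD };
enum sav_verdict { SAV_PASS, SAV_WOULD_DROP, SAV_DROP };

struct v6_prefix { struct in6_addr addr; int len; };

/* One row of the (assumed) live session table: what this subscriber was issued. */
struct session {
    struct in_addr v4;                    /* assigned IPv4; all-zero if none */
    struct v6_prefix v6[MAX_V6_PREFIXES]; /* IPv6 transport + delegated prefixes */
    int n_v6;
};

struct sav_state {
    enum sav_mode mode;
    uint64_t armed_at;                /* enforcement allowed from this time (arming window) */
    uint64_t pass, would_drop, drop;  /* counters an operator reads in observe mode */
};

static int session_add_v6(struct session *s, const char *prefix, int len) {
    if (s->n_v6 >= MAX_V6_PREFIXES || len < 0 || len > 128) return -1;
    if (inet_pton(AF_INET6, prefix, &s->v6[s->n_v6].addr) != 1) return -1;
    s->v6[s->n_v6].len = len;
    s->n_v6++;
    return 0;
}

/* Prefix containment: does address a fall inside prefix/len? */
static bool v6_in_prefix(const struct in6_addr *a, const struct v6_prefix *p) {
    int full = p->len / 8, rem = p->len % 8;
    if (memcmp(a->s6_addr, p->addr.s6_addr, (size_t)full) != 0) return false;
    if (rem == 0) return true;
    uint8_t mask = (uint8_t)(0xffu << (8 - rem));
    return (a->s6_addr[full] & mask) == (p->addr.s6_addr[full] & mask);
}

/* Is the packet's source one of the subscriber's assigned addresses/prefixes? */
static bool source_is_assigned(const struct session *s, int af, const void *src) {
    if (af == AF_INET) {
        const struct in_addr *a = src;
        return s->v4.s_addr != 0 && a->s_addr == s->v4.s_addr;
    }
    for (int i = 0; i < s->n_v6; i++)
        if (v6_in_prefix(src, &s->v6[i])) return true;
    return false;
}

/* Per-packet decision. The direction guard runs first: only uploads are validated,
 * so return traffic addressed to the subscriber can never be treated as spoofed. */
static enum sav_verdict sav_check(struct sav_state *st, const struct session *s,
                                  enum sav_dir dir, int af, const void *src, uint64_t now) {
    if (dir == SAV_DOWNLOAD || st->mode == SAV_DISABLED || source_is_assigned(s, af, src)) {
        st->pass++;
        return SAV_PASS;
    }
    /* Forged source. Drop only when enforcing AND the arming window has elapsed;
     * otherwise count what would have been dropped and let it through. */
    if (st->mode == SAV_ENFORCE && now >= st->armed_at) {
        st->drop++;
        return SAV_DROP;
    }
    st->would_drop++;
    return SAV_WOULD_DROP;
}

/* Constructed session (not real customer data): 100.64.1.10 plus
 * 2001:db8:1::/64 (transport) and 2001:db8:f000:ab00::/60 (delegated). */
static void example_session(struct session *s) {
    memset(s, 0, sizeof *s);
    inet_pton(AF_INET, "100.64.1.10", &s->v4);
    session_add_v6(s, "2001:db8:1::", 64);
    session_add_v6(s, "2001:db8:f000:ab00::", 60);
}

/* One packet against a fresh example session and SAV state; src is a text literal.
 * Returns the sav_verdict, or -1 if src is not an address literal. */
static int demo_verdict(enum sav_mode mode, uint64_t armed_at, enum sav_dir dir,
                        const char *src, uint64_t now) {
    struct session s;
    struct sav_state st = { .mode = mode, .armed_at = armed_at };
    struct in_addr a4; struct in6_addr a6;
    example_session(&s);
    if (inet_pton(AF_INET, src, &a4) == 1) return sav_check(&st, &s, dir, AF_INET, &a4, now);
    if (inet_pton(AF_INET6, src, &a6) == 1) return sav_check(&st, &s, dir, AF_INET6, &a6, now);
    return -1;
}

int main(void) {
    const char *srcs[] = { "100.64.1.10", "8.8.8.8", "192.168.1.5",
                           "2001:db8:f000:ab0f::1", "2001:db8:f000:ab10::1" };
    for (size_t i = 0; i < sizeof srcs / sizeof *srcs; i++)
        printf("%-24s observe=%d enforce=%d\n", srcs[i],
               demo_verdict(SAV_OBSERVE, 0, SAV_UPLOAD, srcs[i], 1),
               demo_verdict(SAV_ENFORCE, 0, SAV_UPLOAD, srcs[i], 1));
    return 0;
}
```

The two counters that matter operationally are `would_drop` in observe mode (what enforcement would have dropped, which is what gets validated before switching to enforce) and `pass` for the allow-listed public-IP and delegated-prefix sources, which must never move under enforcement. Note that the arming check uses the same code path as observe mode, so a BNG that has just restarted counts rather than drops until `armed_at` has passed.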
The anti-abuse engine's behavioural signals are now used to generate explicit, actionable alerts for subscribers whose sustained upload flooding exceeds normal upload-protection thresholds. Each alert carries complete session attribution — subscriber, ifname, volume, and escalation state. This is the foundation for automatic, time-bounded quarantine with auto-release in subsequent phases: the observe cycle running now establishes the baseline thresholds and false-positive rate before any automatic quarantine is applied.
bngxdpctl protect
The per-subscriber behavioural engine has been running continuously in the background. It is now exposed via bngxdpctl protect status, giving NOC operators a real-time view of how many subscribers are in monitor, limit, or block state; the current escalation policy; and the cumulative drop ledger broken down by attack type. Nothing changed in how the engine works — operators can now simply see it.
Source-address validation, behavioural scoring, escalation, and drop enforcement are all implemented as BPF programs attached to the XDP hook — the earliest possible point in the receive path, before the kernel network stack is involved. Per-packet processing overhead is measured in nanoseconds. No dedicated scrubbing appliance, no inline security box, and no additional hardware cost is involved. Measured on the ~6,600-subscriber node with every protection enforcing (IPv4 + IPv6 source validation, behavioural scoring, and abuse drop), sustained CPU load held at roughly 7% of available cores with memory flat — confirming the line-rate, low-overhead design under full production load. Every protection was engineered observe-first and is fully reversible: the lifecycle from observe to enforce to disable is entirely operator-controlled and transparent.
Every protection was designed to be operationally reversible and auditable. There are no black boxes, no silent configuration changes, and no irreversible states.
Every protection ran in count-only mode first. Operators could see exactly which packets would have been dropped, with full attribution, before any enforcement was turned on. Nothing was enforced without prior visibility.
Business customers and other public-IP subscribers have their assigned addresses automatically learned from the live session table. No manual allow-list maintenance is needed. Legitimate static-IP customers are never dropped.
Traffic destined to a subscriber is never classified as a spoofed upload. The direction check is enforced in the data plane, ensuring that inbound packets — such as return traffic from a server — are always correctly exempted.
The system handles BNG restarts gracefully — no false-drops during the session-repopulation window. A single operator command disables enforcement immediately, with no restart required, at any time.
The following figures are from a live production BNG node serving approximately 6,600 subscribers, with enforcement active for both IPv4 and IPv6 and off-peak validation completed. No legitimate subscriber sessions were impacted. Figures as of 7 June 2026.
Public-IP customer uploads correctly identified and passed. Zero false drops for static/business customers. Fully automatic — no operator configuration.
Inbound traffic destined to subscribers correctly identified as download traffic and never treated as a spoofed upload. The direction guard working as designed.
Including packets forging 8.8.8.8 (Google Public DNS) as their source, and home-router LAN ranges (192.168.x / 10.x) leaking upstream. IPv6 forged sources are now dropped too. These previously passed to the upstream unchecked.
Forged-source packet drops, IPv4 and IPv6 combined. Every one of these packets was previously leaving your network under a false source address and reaching your upstream.
The node is now compliant with BCP38 and the MANRS source-address validation action — a baseline requirement for clean peering relationships and routing-security audits.
Service availability was uninterrupted throughout enforcement activation. The observe-first workflow and automatic allow-listing ensured no legitimate traffic was lost.
On a CGNAT node serving approximately 6,600 subscribers, CGNAT SNAT makes IPv4 source-address spoofing structurally impossible for NATted subscribers — every outbound packet's source is rewritten to the pool address. The same anti-abuse engine that runs on every node independently dropped 2.4 billion abuse packets (SYN floods, amplification, malformed traffic) with no operator intervention — while source-address validation enforces in parallel on IPv6 and on the non-NATted IPv4 traffic, catching private-range leaks (192.168.x / 10.x) before they reach the upstream. All layers — CGNAT spoof prevention, the behavioural engine, and BCP38 validation — are always on simultaneously.
Five concrete outcomes for ISP management, NOC leads, and peering/routing teams.
Source-address validation is now enforced. Your network meets the MANRS action on outbound filtering and the BCP38 best-practice that upstream and exchange partners increasingly require for clean peering. This is a prerequisite for routing-security credibility.
Spoofed packets from your subscribers no longer reach your upstream or external targets. Fewer abuse complaints, lower blocklist exposure, and reduced NOC time spent on third-party escalations. The NOC handles growth, not housekeeping.
Edge Security runs entirely in the existing BNG data plane using XDP. No dedicated firewall appliance, no inline scrubbing box, no additional hardware cost. CPU overhead is negligible. The capability is delivered as a software update to your existing BNG.
Every protection was validated in observe-only mode before enforcement. Nothing was a surprise. The kill-switch is a single operator command. Deployment confidence is high because the entire lifecycle — from observe to enforce to disable — is operator-controlled and transparent.
Source-address validation covers IPv6 sessions natively. As you grow your IPv6 subscriber base, the spoofing gap that NAT can’t close is already closed. No retrofitting required when IPv6 traffic becomes the majority.
Edge Security is available now on all BNGSOFT-powered deployments. Enabling Tier 2 or Tier 3 on your fleet is a configuration change — not a project.