Your flood filter shouldn't block Netflix, WhatsApp, or an entire peer ISP
Volumetric DDoS protection that keys purely on per-source packet rate has a blind spot it can't see past: a legitimate high-volume source looks exactly like an attacker. One Cloudflare, AWS CloudFront, WhatsApp/Meta or Reliance Jio CGNAT egress IP serves thousands of your subscribers at once and clears any packets-per-second threshold instantly — so a naive filter auto-blocks it, and streaming, messaging and whole peer networks go dark for subscribers who were never under attack. BNGSOFT tells an attack from an aggregator — in the data path, at line rate.
Attack ≠ CDN
fan-out discrimination
block sources concentrated on few victims, never those serving many subscribers
Line rate
eBPF/XDP data path
one 32-bit bitmap + a popcount per source — no extra per-packet lookups
Observe first
see before you drop
log exactly what would be blocked, with rate + fan-out, before enforcing
Default-off
operator-controlled
tunable concentration ceiling; unsolicited-only gate; enable when ready
A DDoS is defined by concentration: many packets aimed at a few victims. A CDN is defined by fan-out: many packets spread across many subscribers. Measure that — not raw packet rate — and the false positives disappear.
The blind spot in per-source rate limiting
Ask the wrong question and you get the wrong answer. A per-source auto-block asks “is this source sending a lot of packets?” — counted per source, summed across every subscriber. On a real access network, the sources that send the most packets are almost never attackers:
Per-source rate limit — blind
The source that sends the most packets is a CDN, not an attacker. Rate alone can't tell them apart.
BNGSOFT fan-out discrimination
Count distinct destinations, not raw packets. Aggregators fan out; attacks concentrate.
How it works — in the eBPF/XDP data path
The intelligence rides in the same in-kernel XDP program that already shapes and forwards every packet — no extra appliance, no traffic tromboning, no per-packet cost worth measuring.
1 · Per-source fan-out
For each source IP, a single 32-bucket bitmap records the distinct destination subscribers it touched this second (subscriber → hash → bit). Reset every second. One OR per packet.
2 · Concentration test
When a source crosses the rate threshold, a branchless pop-count reads the bitmap. Few distinct subscribers → concentrated → attack. Many → fan-out → CDN / CGNAT pool, left alone.
3 · Unsolicited gate
Before blocking, confirm the flow is unsolicited — no established conntrack/session the subscriber initiated. Legitimate downloads are always solicited; floods are not.
Three signals, one verdict. A source is auto-blocked only when it is high-rate AND concentrated on few victims AND unsolicited. A busy CDN fails the concentration test. A subscriber's own big download fails the unsolicited test. A real volumetric flood fails all three — and is dropped in-line, in kernel, at line rate.
Conntrack that matches the mode
QoS-only edge → Linux conntrack
On a pure QoS/BNG node the “did the subscriber ask for this?” check uses the kernel's own nf_conntrack state.
Looked up only at the rare moment a source would otherwise be blocked — never on the hot per-packet path.
Full CGNAT → our conntrack
On a CGNAT node the same question is answered by BNGSOFT's own in-XDP session table — a matched CGNAT session means the subscriber initiated the flow.
Reuses the session lookup the download path already did — zero added cost.
Observe before you enforce
No operator should turn on automatic dropping blind. Intelligent DDoS ships with an observe mode: the detector runs its full logic and logs precisely which sources it would block — with their packet rate and measured fan-out — while dropping nothing.
# observe mode: watch what would be blocked, drop nothing
DDoS observe: would auto-block 203.0.113.45 (pps=88400 threshold=50000 fanout=2) [observe mode, NOT dropped]# fanout=2 distinct victims -> concentrated -> a real attack. Safe to enforce.# a CDN under the same rate never appears here -- it fans out to hundreds of subscribers
Confirm zero legitimate sources appear in the log, then flip to enforce. The concentration ceiling is a single tunable knob, so you can match it to the size of your subscriber base.
Proven, not just described. In a controlled test we pointed a concentrated ~30,000-packet-per-second flood at a subscriber: the engine detected it, auto-blocked the source, and dropped it in-kernel at line rate — while high-fan-out CDN sources under the same rate were left untouched. It runs in production today.
Rate-only vs. intelligent — at a glance
Scenario
Per-source rate limit
BNGSOFT fan-out + unsolicited
CDN edge (CloudFront / Cloudflare) serving thousands of subs
Blocked — high aggregate pps
Passed — high fan-out
Peer ISP / mobile CGNAT egress IP
Blocked — thousands of users behind it
Passed — high fan-out
Subscriber's own large download / speed test
Can trip per-dst limits
Passed — solicited flow
Volumetric flood at one victim subscriber
Blocked
Blocked — concentrated + unsolicited
Where it runs
External scrubber / separate box, or coarse in-line
In-line, in-kernel eBPF/XDP, line rate
Rollout safety
Enforce-only
Observe-before-enforce, tunable, default-off
“A source pushing 300,000 packets a second isn't an attacker if it's feeding ten thousand of your subscribers. It's a CDN. The only filter worth running is the one that knows the difference.”— BNGSOFT edge security
Where we stay honest. Fan-out discrimination targets the common, damaging failure mode — a concentrated volumetric flood — and deliberately does not auto-block sources that spread across many subscribers, so a carpet-bomb spread thinly across a whole subscriber base is handled by the separate per-destination limiter, not this gate. The concentration ceiling and the unsolicited gate are tunable per deployment; defaults are conservative and the whole feature is default-off until you enable it. Numbers and behaviour should be validated on your own topology and traffic mix.
Stop choosing between “protected” and “subscribers can reach the internet”
Volumetric DDoS auto-block belongs in the data path — but only if it can tell a flood from the CDNs and carrier networks your subscribers depend on. BNGSOFT measures concentration and intent, not just packet rate, so it drops the attack and leaves Netflix, WhatsApp, Cloudflare and your peers untouched.