Intelligent DDoS · fan-out discrimination · eBPF/XDP line-rate · observe-before-enforce
Edge Security Brief · Intelligent DDoS Auto-Block

Your flood filter shouldn't block Netflix, WhatsApp, or an entire peer ISP

Volumetric DDoS protection that keys purely on per-source packet rate has a blind spot it can't see past: a legitimate high-volume source looks exactly like an attacker. One Cloudflare, AWS CloudFront, WhatsApp/Meta or Reliance Jio CGNAT egress IP serves thousands of your subscribers at once and clears any packets-per-second threshold instantly — so a naive filter auto-blocks it, and streaming, messaging and whole peer networks go dark for subscribers who were never under attack. BNGSOFT tells an attack from an aggregator — in the data path, at line rate.
Attack ≠ CDN
fan-out discrimination
block sources concentrated on few victims, never those serving many subscribers
Line rate
eBPF/XDP data path
one 32-bit bitmap + a popcount per source — no extra per-packet lookups
Observe first
see before you drop
log exactly what would be blocked, with rate + fan-out, before enforcing
Default-off
operator-controlled
tunable concentration ceiling; unsolicited-only gate; enable when ready
A DDoS is defined by concentration: many packets aimed at a few victims. A CDN is defined by fan-out: many packets spread across many subscribers. Measure that — not raw packet rate — and the false positives disappear.

The blind spot in per-source rate limiting

Ask the wrong question and you get the wrong answer. A per-source auto-block asks “is this source sending a lot of packets?” — counted per source, summed across every subscriber. On a real access network, the sources that send the most packets are almost never attackers:

Per-source rate limit — blind
CloudFront serves 4,000 subs Jio CGNAT IP 1000s of users Real attacker floods 1 victim pps > threshold? ALL BLOCKED CDN + CGNAT + attacker alike Collateral damage streaming stalls · WhatsApp media fails Cloudflare sites refuse · peer ISP dark — for subscribers never under attack

The source that sends the most packets is a CDN, not an attacker. Rate alone can't tell them apart.

BNGSOFT fan-out discrimination
CDN / CGNAT high rate sub······ sub······ many distinct subscribers sub······ PASS — fan-out Attacker high rate 1 victim BLOCK — concentrated Same packet rate. Opposite verdict.

Count distinct destinations, not raw packets. Aggregators fan out; attacks concentrate.

How it works — in the eBPF/XDP data path

The intelligence rides in the same in-kernel XDP program that already shapes and forwards every packet — no extra appliance, no traffic tromboning, no per-packet cost worth measuring.

1 · Per-source fan-out

For each source IP, a single 32-bucket bitmap records the distinct destination subscribers it touched this second (subscriber → hash → bit). Reset every second. One OR per packet.

2 · Concentration test

When a source crosses the rate threshold, a branchless pop-count reads the bitmap. Few distinct subscribers → concentrated → attack. Many → fan-out → CDN / CGNAT pool, left alone.

3 · Unsolicited gate

Before blocking, confirm the flow is unsolicited — no established conntrack/session the subscriber initiated. Legitimate downloads are always solicited; floods are not.

Three signals, one verdict. A source is auto-blocked only when it is high-rate AND concentrated on few victims AND unsolicited. A busy CDN fails the concentration test. A subscriber's own big download fails the unsolicited test. A real volumetric flood fails all three — and is dropped in-line, in kernel, at line rate.

Conntrack that matches the mode

QoS-only edge → Linux conntrack
  • On a pure QoS/BNG node the “did the subscriber ask for this?” check uses the kernel's own nf_conntrack state.
  • Looked up only at the rare moment a source would otherwise be blocked — never on the hot per-packet path.
Full CGNAT → our conntrack
  • On a CGNAT node the same question is answered by BNGSOFT's own in-XDP session table — a matched CGNAT session means the subscriber initiated the flow.
  • Reuses the session lookup the download path already did — zero added cost.

Observe before you enforce

No operator should turn on automatic dropping blind. Intelligent DDoS ships with an observe mode: the detector runs its full logic and logs precisely which sources it would block — with their packet rate and measured fan-out — while dropping nothing.

# observe mode: watch what would be blocked, drop nothing DDoS observe: would auto-block 203.0.113.45 (pps=88400 threshold=50000 fanout=2) [observe mode, NOT dropped] # fanout=2 distinct victims -> concentrated -> a real attack. Safe to enforce. # a CDN under the same rate never appears here -- it fans out to hundreds of subscribers

Confirm zero legitimate sources appear in the log, then flip to enforce. The concentration ceiling is a single tunable knob, so you can match it to the size of your subscriber base.

Proven, not just described. In a controlled test we pointed a concentrated ~30,000-packet-per-second flood at a subscriber: the engine detected it, auto-blocked the source, and dropped it in-kernel at line rate — while high-fan-out CDN sources under the same rate were left untouched. It runs in production today.

Rate-only vs. intelligent — at a glance

ScenarioPer-source rate limitBNGSOFT fan-out + unsolicited
CDN edge (CloudFront / Cloudflare) serving thousands of subsBlocked — high aggregate ppsPassed — high fan-out
Peer ISP / mobile CGNAT egress IPBlocked — thousands of users behind itPassed — high fan-out
Subscriber's own large download / speed testCan trip per-dst limitsPassed — solicited flow
Volumetric flood at one victim subscriberBlockedBlocked — concentrated + unsolicited
Where it runsExternal scrubber / separate box, or coarse in-lineIn-line, in-kernel eBPF/XDP, line rate
Rollout safetyEnforce-onlyObserve-before-enforce, tunable, default-off
“A source pushing 300,000 packets a second isn't an attacker if it's feeding ten thousand of your subscribers. It's a CDN. The only filter worth running is the one that knows the difference.”— BNGSOFT edge security
Where we stay honest. Fan-out discrimination targets the common, damaging failure mode — a concentrated volumetric flood — and deliberately does not auto-block sources that spread across many subscribers, so a carpet-bomb spread thinly across a whole subscriber base is handled by the separate per-destination limiter, not this gate. The concentration ceiling and the unsolicited gate are tunable per deployment; defaults are conservative and the whole feature is default-off until you enable it. Numbers and behaviour should be validated on your own topology and traffic mix.

Stop choosing between “protected” and “subscribers can reach the internet”

Volumetric DDoS auto-block belongs in the data path — but only if it can tell a flood from the CDNs and carrier networks your subscribers depend on. BNGSOFT measures concentration and intent, not just packet rate, so it drops the attack and leaves Netflix, WhatsApp, Cloudflare and your peers untouched.

eBPF/XDP line-rate · fan-out discrimination · unsolicited gate · observe-before-enforce · tunable · default-off

Intelligent DDoS auto-block is part of the BNGSOFT eBPF/XDP BNG/CGNAT data plane. Fan-out discrimination, the unsolicited (conntrack/session) gate, observe mode and the tunable concentration ceiling are operator-controlled and default-off; enabling them changes only which sources are eligible for automatic blocking. Source-IP examples are illustrative. Validate thresholds and behaviour against your own subscriber base and traffic profile. © BNGSOFT. · bngsoft.com