XDP BNG / CGNAT · Subscriber-Abuse Containment
Residential-Proxy & "Passive-Income" Bandwidth-Rental Abuse

When a Subscriber Rents Out Their Line, Your Network Pays the Bill

"Passive income" and "crypto reward" apps quietly turn a customer's router into a commercial proxy gateway — third parties push traffic through your access network that you never see and can't control. BNGSOFT spots the abnormal outbound behaviour in the XDP data plane, contains the offending line, and isolates it to a penalty IP so your clean address pool keeps its reputation — no scrubber, no separate appliance.
One opted-in CPE, and suddenly everyone behind that CGNAT IP is solving captchas. The fix isn't a ToS clause — it's containment at the edge, per subscriber, at line rate.
“Such bot activity HURTs ISPs a lot: legal issues for the customer if bots are used for illegal activity … abuse reports … legitimate customers see constant captcha … IP address space loses value due to blocklist presence … overloads NAT/CGNAT deployments due to abnormal activity.— the exact pain this brief answers, straight from the operator community.
Detect
in XDP
abnormal outbound volume &
fan-out — per subscriber
Contain
quarantine
hold the offending line to
LIMITED, sticky & auditable
Isolate
reputation
move the abuser to a penalty
IP — clean pool stays clean
One box
no scrubber
runs on the BNG/CGNAT you
already have — line rate

What one "rented" line actually costs you

The app is marketed to the customer as harmless pocket change. On your side it is a residential proxy: an unknown third party sends scan, scrape, login-stuffing and abuse traffic out through your network, under a shared CGNAT public IP. A handful of these lines is enough to poison an IP the whole pool shares.

"Passive income" CPE runs proxy app = commercial gateway Unknown 3rd parties scans · scraping · stuffing rent the line Your CGNAT shared public IP pool ports / sessions exhausting abnormal flow churn overloaded by 1 abusive line abnormal outbound Blocklists / RBLs shared IP flagged abuse reports arrive reputation lost Innocent subscribers on the SAME shared IP constant captchas collateral damage
One rented line → abnormal outbound → CGNAT port/session overload → the shared public IP hits blocklists → every innocent subscriber behind that IP gets captchas and abuse fallout.
CGNAT OVERLOAD
Ports & sessions bleed.
  • A proxy line opens far more concurrent flows than a real user.
  • Port-block and session tables fill early — you scale CGNAT to serve abuse.
IP REPUTATION LOSS
Your prefixes get flagged.
  • Shared CGNAT IPs land on RBLs/blocklists.
  • Address space loses value; remediation is slow and manual.
INNOCENT-CUSTOMER PAIN
Everyone solves captchas.
  • Good subscribers on the same IP are punished by association.
  • "Why is your internet broken?" tickets & churn — for traffic that wasn't theirs.
The trap: the offender looks like a normal, paying, non-spoofing customer. Anti-spoof (BCP38) won't catch them — the source IP is legitimately theirs. What gives them away is behaviour: abnormal outbound volume and connection fan-out. That is exactly what BNGSOFT measures.

How BNGSOFT contains it — detect · quarantine · reputation-isolate

Every piece below already lives in the BNGSOFT XDP data plane on the BNG/CGNAT you run today. Each feature ships observe-first: it measures and shows you the blast radius before it ever acts, and the bngxdpctl enforce-readiness advisor tells you when it's safe to arm.

1
Detect
Per-subscriber outbound-abuse & scanner / fan-out detector over the always-on upload-protection counters — spots the proxy signature in XDP.
2
Contain
Auto-quarantine the flagged line to a LIMITED profile with a sticky hold — the abuse stops reaching upstream, operator-controlled and auditable.
3
Isolate
Reputation-aware CGNAT moves the abuser onto a penalty public IP and steers clean subscribers to clean IPs — the poison is quarantined off the shared pool.
4
Protect
Per-subscriber CGNAT health + caps stop one line exhausting ports/sessions; upload-protect & DDoS keep the box itself healthy.
Clean subscribers normal households Rented / proxy line abnormal outbound + fan-out BNGSOFT XDP data plane per-subscriber · line rate 1 · detect abnormal behaviour 2 · quarantine → LIMITED (sticky) 3 · isolate → penalty IP clean-IP steering for the rest Clean CGNAT pool good IPs · good reputation no captchas for real users Penalty public IP abuser isolated here blocklist damage contained
Same data plane, opposite outcome to the problem above: the rented line is detected, quarantined and steered onto a penalty IP — while clean subscribers keep the clean pool and its reputation.

1Behavioural detection — catch the proxy, not just the spoofer Detect

BNGSOFT keeps always-on upload-protection counters per subscriber in the fast path. On top of them, an outbound-abuse detector and a scanner / botnet fan-out detector watch for the fingerprint of a rented line: sustained abnormal outbound volume, and a burst of connections fanning out to many destinations — the shape a residential proxy makes, not a household.

OUTBOUND-ABUSE DETECTOR
Volume that doesn't fit.
  • Per-subscriber, over the upload-protect layer — no DPI, no packet copies.
  • Flags lines suddenly generating attack- or proxy-volume traffic.
SCANNER / FAN-OUT DETECTOR
Many targets, fast.
  • Connection fan-out + SYN-rate thresholds catch scan & login-stuffing patterns.
  • Tunable fanout_min / syn_min / sustain window per operator.
Behaviour beats blocklists. You stop the abuse before it earns your IP a blocklist entry — instead of finding out weeks later from an abuse report.

2Quarantine & contain — stop it at the access edge Contain

Once a line is confirmed, BNGSOFT quarantines it: the session is held to a LIMITED profile with a sticky hold time, so the abusive traffic never reaches your upstream and never touches your peers. It runs observe-first (alerts only) until you choose to enforce, and every action is logged.

STICKY HOLD
Contained, not whack-a-mole.
  • Confirmed abuser held to LIMITED for a configurable window.
  • Survives reconnects — the CPE can't just bounce to escape.
OBSERVE → ENFORCE
No false-positive outage.
  • Alerts first; you promote to enforce when the signal is clean.
  • enforce-readiness shows would-act blast radius before you arm.
AUDITABLE
Answer the abuse desk.
  • Who, what, when — a record for every quarantine action.
  • Turn "why is our IP blocked?" into a closed ticket.

3Reputation isolation — protect the clean pool Isolate

This is the piece that saves your innocent customers. BNGSOFT scores the reputation of each CGNAT public IP and does clean-IP steering: good subscribers are kept on healthy IPs, while a confirmed abuser is isolated onto a dedicated penalty public IP. The blocklist hit lands on the penalty IP — not the address your paying customers share.

POOL-IP REPUTATION
Know which IP is dirty.
  • Per-IP reputation scoring across the CGNAT pool.
  • Observe-only by default — measure the reputation map first.
ABUSER → PENALTY IP
Quarantine the poison.
  • Confirmed abusers auto-isolate onto a penalty public IP, sticky.
  • Manual operator move / restore supported, with dry-run output.
CLEAN-IP STEERING
Good subs, good IPs.
  • Clean subscribers steered to clean IPs — captcha rate drops.
  • Your address space keeps its value.
Result: the captchas, the abuse reports and the blocklist damage follow the offender onto a penalty IP — the rest of the pool, and the customers on it, are protected.

4Keep the CGNAT itself healthy Protect

Because containment happens in the same XDP path as CGNAT, an abusive line can't drag the platform down while you deal with it. Per-subscriber CGNAT health and per-subscriber port/session caps mean one proxy line can't exhaust the port-block pool, and upload-protection + in-data-plane DDoS keep the BNG's control plane and every other customer isolated from the abuse.

PER-SUB PORT CAPS
One line, one budget.
  • Port-block caps stop a single proxy line hoarding the pool.
  • CGNAT scales for real users, not for abuse churn.
PER-SUB HEALTH
See the sick line.
  • bngxdpctl check sub surfaces the misbehaving subscriber.
  • Diagnose in seconds instead of guessing.
SELF-PROTECTION
The box stays up.
  • Always-on upload-protect + line-rate DDoS defence.
  • Abuse can't starve the control plane or neighbours.

The post's pain list → the BNGSOFT answer

What "rented" lines do to the ISPBNGSOFT feature that answers itOutcome
Legal exposure — customer's line used for illegal activityOutbound-abuse + scanner detection → quarantineAbuse contained at the edge, logged & auditable — you can act and prove it
Abuse reports pile upBehavioural detection stops it before it leavesFewer reports; the ones you get have an answer attached
Legitimate customers see constant captchaReputation isolation + clean-IP steeringGood subscribers stay on clean IPs — captcha rate collapses
IP address space loses value (blocklists)Pool-IP reputation + abuser → penalty IPBlocklist damage lands on a penalty IP, not your clean pool
Overloads NAT/CGNAT (abnormal activity)Per-sub port caps + per-sub CGNAT healthOne line can't exhaust the pool; CGNAT scales for real demand

What it costs — and what it saves

There is no new appliance to buy and no scrubber to hairpin through. Containment runs inside the XDP BNG/CGNAT data plane you already operate, per subscriber, at line rate — so the marginal compute cost is effectively zero. The economics are about the costs you remove.

Where a rented-line problem burns money today illustrative

Representative operator costs the containment suite is designed to reduce — your numbers depend on scale, region and abuse rate. Not a quote.
CGNAT capacity bought to absorb abuse churn
over-provisioned ports / sessions
high
Abuse-desk & blocklist remediation labour
manual, recurring
recurring
Support tickets + churn from captcha'd customers
reputation-driven
high
IP address-space value lost to blocklists
asset depreciation
ongoing
BNGSOFT containment (runs on existing data plane)
≈ no new hardware
included
The ROI in one line
Stop scaling CGNAT for abusePort caps + isolation mean you buy CGNAT capacity for real subscribers, not for proxy churn.
Protect the IP assetKeep clean prefixes off blocklists — your address space holds its value and its deliverability.
Cut tickets & churnInnocent customers stop getting captcha'd — the single biggest hidden cost of shared-IP abuse.
Zero new boxesNo scrubber, no DPI appliance, no hairpin — it's a capability of the BNG/CGNAT you already run.
How pricing works: BNGSOFT is licensed with the XDP BNG/CGNAT platform, sized to your subscriber count — the abuse-containment features (upload-protect, outbound-abuse & scanner detection, quarantine, CGNAT reputation & isolation, per-sub health, DDoS) are part of the platform, not a separate SKU to hairpin. [ contact sales for a subscriber-count quote and a proof-of-value on your own traffic ]

Turn "should ISPs ban this?" into "we already contain it."

A terms-of-service clause doesn't stop a rented line — it just gives you someone to blame after the blocklist hit. Containment at the edge stops the damage before it reaches your CGNAT, your IP reputation, and your innocent customers.

BNGSOFT does it in the data plane you already run: detect the behaviour, quarantine the line, isolate the reputation — per subscriber, at line rate, observe-first.

Ask us for a proof-of-value: run the detectors in observe mode on your own traffic and see how many rented lines are already hiding behind your CGNAT.

Figures and cost bars in this brief are illustrative — they describe the classes of cost the containment suite is designed to reduce, not a quotation or a guaranteed result; actual impact depends on subscriber count, region, IP-pool structure and abuse rate. Feature behaviour (observe-first, quarantine to LIMITED, CGNAT reputation scoring & penalty-IP isolation, per-subscriber port caps & health, upload-protection and in-data-plane DDoS) reflects the BNGSOFT XDP BNG/CGNAT platform; specific thresholds and modes are operator-configurable. Anti-spoof (BCP38) validates the source address but does not, by design, catch a non-spoofing rented line — behavioural detection is what covers that gap. Contact BNGSOFT for current capabilities and a scoped evaluation on your network.