
How We Protect 10,000 Networks at Once: The ISP Architecture

Internet Service Providers and large data centers cannot rely on a single global security policy. CoreEdge provides true multi-tenant DDoS mitigation, applying thousands of independent, bespoke security postures simultaneously without performance degradation.

CoreTech Security Team

The Multi-Tenant Nightmare

Securing a single enterprise network is a complex architectural challenge. Securing an Internet Service Provider (ISP), a regional telecommunications carrier, or a hyperscale hosting provider is an entirely different problem. When you provide connectivity to thousands of distinct downstream clients — ranging from financial institutions requiring absolute connection reliability, to gaming servers requiring zero latency, to residential subnets — you cannot apply a single, unified DDoS mitigation policy.

A rate limit that protects a DNS server will instantly suffocate a video streaming platform. A TCP state timeout perfectly calibrated for a REST API will break long-lived IoT telemetry connections.

Historically, ISPs and large data centers have attempted to solve this by chaining multiple security appliances together, or by attempting to force complex policy routing across disparate scrubbing centers. The result is inevitably a management nightmare, skyrocketing latency, and an infrastructure that becomes fundamentally unmaintainable under the stress of a massive, multi-vector attack.

CoreEdge was built to rewrite the rules of multi-tenant mitigation natively within the kernel.

Radical Independence via Per-Prefix Policy

The architectural cornerstone of CoreEdge’s hyperscale deployment model is the concept of Per-Prefix Policy Enforcement. When CoreEdge processes an inbound packet, it does not consult a single, monolithic global firewall rulebase. Instead, it performs an extraordinary act of instantaneous routing intelligence.

Using an advanced Longest Prefix Match (LPM) architecture executed directly within the eBPF/XDP silicon layer, CoreEdge maps the destination IP address of every single packet to its specific tenant owner. It then loads the completely independent, bespoke security policy designed exclusively for that specific tenant.

This means that within a single CoreEdge node, 10,000 different downstream networks can operate under 10,000 completely different mitigation postures. A UDP flood targeting an IP address owned by a gaming client triggers the gaming client’s restrictive UDP allowlist. A millisecond later, an HTTP flood targeting the neighboring IP address owned by an e-commerce platform triggers that platform’s Layer 7 behavioral detection engine.

The policies do not overlap. The rate limits do not share buckets. The mitigation actions are entirely isolated. Every client receives the protection of a dedicated, custom-calibrated hardware appliance, delivered entirely through software.
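As an added illustration (this is not CoreEdge's code and not an eBPF program), the following userspace C model shows the two steps this section describes: a longest-prefix match from destination address to owning tenant, followed by enforcement against that tenant's own token bucket. In the kernel the prefix match would be a BPF_MAP_TYPE_LPM_TRIE lookup from XDP; here a small table with a linear longest-prefix scan stands in for it so the example runs anywhere. The tenant names, prefixes and per-second UDP budgets are constructed sample values.

```c
/* Added example: per-prefix tenant lookup with isolated per-tenant rate limits.
 * Not CoreEdge code; the table below stands in for an LPM map. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_TENANTS 8

/* One tenant's bespoke posture: a UDP packets-per-second budget and whether
 * UDP is on that tenant's allowlist at all. Values are constructed. */
struct policy {
    const char *name;
    uint32_t udp_pps_limit;   /* token-bucket capacity and refill rate per second */
    int      udp_allowed;
};

struct prefix_entry {
    uint32_t net;     /* network address, host byte order */
    uint8_t  plen;    /* prefix length */
    int      tenant;  /* index into tenants[] */
};

/* A token bucket private to one tenant; buckets are never shared. */
struct bucket {
    double   tokens;
    uint64_t last_ms;
};

static struct policy tenants[MAX_TENANTS] = {
    { "gaming-client",  2000,  1 },
    { "ecommerce-site", 500,   0 },   /* UDP not on this tenant's allowlist */
    { "dns-provider",   50000, 1 },
};

/* Constructed prefix table; more specific entries win, as in an LPM trie. */
static const struct prefix_entry table[] = {
    { 0x0A000000, 8,  2 },   /* 10.0.0.0/8   -> dns-provider */
    { 0x0A010000, 16, 0 },   /* 10.1.0.0/16  -> gaming-client */
    { 0x0A010500, 24, 1 },   /* 10.1.5.0/24  -> ecommerce-site (more specific) */
};

static struct bucket buckets[MAX_TENANTS];

static uint32_t mask(uint8_t plen) { return plen == 0 ? 0 : 0xFFFFFFFFu << (32 - plen); }

/* Longest-prefix match: returns the owning tenant index, or -1 if none. */
int lookup_tenant(uint32_t dst) {
    int best = -1, best_len = -1;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if ((dst & mask(table[i].plen)) == table[i].net && table[i].plen > best_len) {
            best = table[i].tenant;
            best_len = table[i].plen;
        }
    }
    return best;
}

enum verdict { DROP = 0, PASS = 1 };

/* Fill every tenant's bucket to its capacity (call before a run). */
void reset_buckets(void) {
    for (int i = 0; i < MAX_TENANTS; i++) {
        buckets[i].tokens = tenants[i].udp_pps_limit;
        buckets[i].last_ms = 0;
    }
}

/* Apply the owning tenant's UDP policy to one packet arriving at now_ms. */
enum verdict handle_udp(uint32_t dst, uint64_t now_ms) {
    int t = lookup_tenant(dst);
    if (t < 0) return DROP;                 /* no tenant owns it: fail closed */
    const struct policy *p = &tenants[t];
    if (!p->udp_allowed) return DROP;       /* allowlist decision precedes rate */
    struct bucket *b = &buckets[t];
    /* refill in proportion to elapsed time, capped at one second's budget */
    b->tokens += (now_ms - b->last_ms) * p->udp_pps_limit / 1000.0;
    if (b->tokens > p->udp_pps_limit) b->tokens = p->udp_pps_limit;
    b->last_ms = now_ms;
    if (b->tokens >= 1.0) { b->tokens -= 1.0; return PASS; }
    return DROP;
}

/* Send n UDP packets to dst at the same instant; returns how many pass. */
int flood(uint32_t dst, int n, uint64_t now_ms) {
    int passed = 0;
    for (int i = 0; i < n; i++) passed += (handle_udp(dst, now_ms) == PASS);
    return passed;
}

int main(void) {
    reset_buckets();
    printf("gaming flood: %d of 3000 passed\n", flood(0x0A010007, 3000, 0));
    printf("dns packet in same instant: %s\n", handle_udp(0x0A000001, 0) == PASS ? "pass" : "drop");
    printf("ecommerce UDP: %s\n", handle_udp(0x0A010509, 0) == PASS ? "pass" : "drop");
    return 0;
}
```

Flooding the gaming client's address exhausts only that tenant's bucket; a packet to the DNS provider's address in the same instant still passes, and the e-commerce tenant's UDP packet is dropped by its allowlist regardless of rate. An address owned by no tenant is dropped rather than falling through to a global default, which is the fail-closed choice to make at a multi-tenant edge. The linear scan is for readability; the kernel map walks a trie keyed by prefix.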

Zero Performance Penalty at Extreme Scale

In legacy software-defined networking, increasing the complexity and size of a rulebase directly degrades performance. Searching through 10,000 discrete client policies to find the correct rule for a specific packet traditionally requires looping through memory structures, consuming CPU cycles, and adding measurable latency to every connection.

CoreEdge fundamentally eliminates this algorithmic degradation.

Because our engineering team has mapped the LPM policy retrieval system directly into highly optimized eBPF map structures, the time required to retrieve a specific client’s policy from a database of 10,000 clients is identical to the time required to retrieve a policy from a database of one client.

The lookup operation is $O(1)$ — constant time. Whether the CoreEdge system is protecting a single corporate /24 subnet or a massive ISP routing table containing tens of thousands of complex /32 granular policies, the policy retrieval and enforcement occurs in the same sub-microsecond processing window.

There is no structural limit to the complexity of the tenant environment we can protect. As the downstream client base expands, the CoreEdge mitigation engine absorbs the new routing policies without surrendering a single packet of throughput capacity or adding a nanosecond of lookup delay.

Empowering the Downstream Client

Because CoreEdge’s tenant isolation is absolute at the architectural level, it enables a revolutionary operational model for hosting providers: True Self-Service Mitigation.

Through CoreTech’s comprehensive API, an ISP can grant their downstream enterprise clients direct control over their own specific slice of the CoreEdge mitigation posture. A client under attack can log into a portal, adjust their own specific TCP thresholds, block specific ASNs targeting their infrastructure, and implement emergency rate limits — and those changes are instantly compiled and injected into the CoreEdge eBPF maps, affecting only their IP space.

The upstream ISP maintains absolute global control and macro-level infrastructure protection, while the downstream client gains the agility and control of a dedicated inline appliance.
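The self-service model above preserves isolation only if the control plane scopes every update to the requesting tenant's own allocation before anything is written to the shared policy map. The following C functions, an added example that is not CoreTech's API, show that check: a tenant may install or change a policy entry only for a prefix that lies inside a prefix delegated to it, and the key must be canonical (no host bits set) so that it matches what an LPM lookup would later see. The delegations, tenant identifiers and return codes are constructed for the example.

```c
/* Added example: scoping a tenant's self-service policy update to the
 * prefixes delegated to that tenant. Not CoreTech code; delegations are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_ENTRIES 16

/* Which prefixes each tenant is allowed to manage (constructed). */
struct delegation { int tenant; uint32_t net; uint8_t plen; };
static const struct delegation delegations[] = {
    { 0, 0x0A010000, 16 },   /* tenant 0: 10.1.0.0/16 */
    { 1, 0x0A020500, 24 },   /* tenant 1: 10.2.5.0/24 */
};

/* Installed policy entries, standing in for the per-prefix policy map. */
struct entry { int tenant; uint32_t net; uint8_t plen; uint32_t udp_pps_limit; };
static struct entry installed[MAX_ENTRIES];
static int installed_count = 0;

static uint32_t mask(uint8_t plen) { return plen == 0 ? 0 : 0xFFFFFFFFu << (32 - plen); }

/* True if net/plen equals or is more specific than parent/parent_plen. */
static int prefix_within(uint32_t net, uint8_t plen, uint32_t parent, uint8_t parent_plen) {
    return plen >= parent_plen && (net & mask(parent_plen)) == parent;
}

/* Returns 1 if the tenant holds a delegation that covers net/plen. */
int tenant_owns(int tenant, uint32_t net, uint8_t plen) {
    for (size_t i = 0; i < sizeof delegations / sizeof delegations[0]; i++)
        if (delegations[i].tenant == tenant &&
            prefix_within(net, plen, delegations[i].net, delegations[i].plen))
            return 1;
    return 0;
}

/* Install or replace a tenant's UDP budget for one prefix.
 * Returns 0 on success, -1 for a malformed key (host bits set or plen > 32),
 * -2 when the prefix is outside the tenant's delegation, -3 when the table is full. */
int apply_tenant_update(int tenant, uint32_t net, uint8_t plen, uint32_t udp_pps_limit) {
    if (plen > 32 || (net & ~mask(plen)) != 0) return -1;   /* not a canonical LPM key */
    if (!tenant_owns(tenant, net, plen)) return -2;         /* would touch another slice */
    for (int i = 0; i < installed_count; i++) {
        if (installed[i].net == net && installed[i].plen == plen) {
            installed[i].udp_pps_limit = udp_pps_limit;     /* ownership already verified */
            return 0;
        }
    }
    if (installed_count == MAX_ENTRIES) return -3;
    installed[installed_count++] = (struct entry){ tenant, net, plen, udp_pps_limit };
    return 0;
}

int installed_entries(void) { return installed_count; }

int main(void) {
    printf("own /24:        %d\n", apply_tenant_update(0, 0x0A010700, 24, 1500));
    printf("neighbour /24:  %d\n", apply_tenant_update(0, 0x0A020500, 24, 1500));
    printf("covering /8:    %d\n", apply_tenant_update(0, 0x0A000000, 8, 1500));
    printf("host bits set:  %d\n", apply_tenant_update(0, 0x0A010705, 24, 1500));
    printf("entries: %d\n", installed_entries());
    return 0;
}
```

The ownership test rejects both a neighbour's prefix and a covering prefix broader than the tenant's delegation; the latter matters because in an LPM map a broader entry would silently govern every address not covered by something more specific. Rejecting non-canonical keys keeps the installed entry identical to what the data path will match against.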

In the modern threat landscape, attackers frequently utilize “carpet bombing” techniques — simultaneously attacking hundreds of randomized IPs across an ISP’s network to evade threshold detection. Against a unified, multi-tenant CoreEdge deployment, these attacks encounter not a confused global rate limit, but thousands of precision-calibrated individual shields, operating in perfect isolation, at the absolute speed of silicon.

Tags: CoreEdge Architecture ISP Multi-Tenant
