Edge Security for SIP-enabled IoT Devices with P4

Abstract: 

The rapid increase in the number of Internet of Things (IoT) devices has raised concerns about their security, as they provide an ideal environment for botnets to thrive. For instance, the Mirai botnet infected nearly 65,000 devices within its first 20 hours. With the prevalence of Session Initiation Protocol (SIP) phones and devices on networks today, it is easy for attackers to target and recruit these IoT devices as bots. However, conventional network security measures are insufficient for preventing, detecting, and mitigating attacks on these widely distributed IoT devices. This article introduces microVNF, a Virtualized Network Function (VNF) that uses the programmable data plane of the edge switch to address these security concerns. Following the defense-in-depth principle and informed by the Mirai botnet incident, microVNF provides two-stage protection against SIP DDoS attacks: before and after infection. Before infection, it protects against SIP scanning, enumeration, and dictionary attacks; after infection, it blocks botnet registration attempts to the command-and-control (CNC) server. Furthermore, it detects and mitigates botnet SIP DDoS attacks. To validate the effectiveness of microVNF, six experiments were conducted using popular attack tools, which confirmed that it could perform deep-packet inspection of unencrypted SIP packets and detect deviations from a typical SIP state machine. The edge switch that hosts microVNF serves as the first line of defense, stopping malicious packets from propagating upstream to the core network, in addition to providing physical connectivity to the IoT devices. This approach can be adapted to other text-based, application-layer protocols such as HTTP and SMTP, and it leverages the inherent capabilities of programmable data planes without relying on external devices. Consequently, the microVNF approach is practical for securing edge-computing environments against application-layer attacks.

Authors:

Aldo Febro, Hannan Xiao, Joseph Spring, Bruce Christianson

Year: 

2021

Domain: 

Dimension: 

Region: 

Data Type: 

Keywords: