Programmable Flow Protection for Magic Transit Customers
Programmable Flow Protection is a customizable DDoS mitigation system developed for Magic Transit customers. This solution offers advanced stateful mitigation for custom and proprietary UDP protocols, running across Cloudflare's global network. Currently in beta, it is available to Magic Transit Enterprise users at an additional cost. Customers can contact their account team to participate in the beta program.
Customizable DDoS Mitigation Logic
Traditional DDoS mitigation systems are optimized for popular protocols like TCP and DNS. These systems use predefined characteristics to identify and mitigate attacks effectively. For example, Advanced TCP Protection analyzes known traits of TCP traffic, while Advanced DNS Protection evaluates customer-specific DNS query patterns. These solutions have proven effective for well-documented protocols but face challenges with custom or less common traffic patterns.
Programmable Flow Protection fills this gap by allowing users to define their own mitigation logic. This approach grants customers the ability to address unique threats targeting their proprietary protocols. By leveraging eBPF programs, users can customize how traffic is evaluated and filtered across Cloudflare's infrastructure, ensuring greater control over network security.
Addressing Challenges with UDP-Based Attacks
UDP, as a connectionless transport layer protocol, poses unique challenges for DDoS mitigation. Unlike TCP, UDP establishes no connection, so there is no handshake that validates a sender before data flows, and it guarantees neither delivery nor ordering. This design prioritizes speed and low latency, making it ideal for applications like online gaming and video streaming. However, the same characteristics make UDP more susceptible to abuse in DDoS attacks, because spoofed or unsolicited datagrams reach the application with nothing to distinguish them from legitimate ones.
Programmable Flow Protection enables customers to mitigate UDP-based threats by defining what constitutes legitimate traffic. The system allows for granular control, helping to prevent malicious packets from overwhelming application servers while ensuring uninterrupted service for legitimate users.
The Role of eBPF in Programmable Flow Protection
At the core of Programmable Flow Protection is the use of eBPF (extended Berkeley Packet Filter), a powerful technology for processing network traffic. Customers can write eBPF programs to define rules for identifying and handling different types of packets. These programs are then deployed across Cloudflare's global network, ensuring consistent protection at scale.
eBPF allows for real-time decision-making by running the filtering logic in the kernel's packet path, where each packet can be inspected and dropped or passed before it consumes any application resources. This capability is particularly advantageous for mitigating complex or large-scale attacks, as it enables highly specific, stateful filtering without introducing significant latency.
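To make the idea concrete, here is an added illustration that is not Cloudflare's code and not the Programmable Flow Protection API: a stateful allow rule for a constructed custom UDP protocol, written as plain portable C so it runs anywhere. In a real eBPF/XDP program the same logic would read the datagram from the kernel's packet buffer and keep the per-source table in a BPF map; the protocol layout, service port and time-to-live values are all assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Verdicts, mirroring the pass/drop decision an eBPF filter returns. */
enum verdict { VERDICT_DROP = 0, VERDICT_PASS = 1 };

/* Constructed custom UDP protocol (an assumption for this example):
 * byte 0 = message type, byte 1 = protocol version, bytes 2.. = body. */
#define MSG_HELLO     0x01
#define MSG_DATA      0x02
#define PROTO_VERSION 0x03
#define SERVICE_PORT  27015   /* hypothetical port of the protected service */
#define HELLO_TTL     30      /* seconds a HELLO keeps a source "known" */

/* Per-source state; in eBPF this would be a BPF hash or LRU map keyed by source IP. */
struct flow { uint32_t src_ip; uint64_t last_hello; };
#define FLOW_SLOTS 1024
static struct flow flows[FLOW_SLOTS];

static size_t slot_for(uint32_t src_ip) { return (src_ip * 2654435761u) % FLOW_SLOTS; }

static int recently_greeted(const struct flow *f, uint32_t src_ip, uint64_t now)
{
    return f->src_ip == src_ip && now - f->last_hello < HELLO_TTL;
}

/* Decide whether one UDP datagram is legitimate. Traffic to other ports is
 * left to other rules; on the service port, malformed packets are dropped and
 * DATA is accepted only from a source that sent a HELLO within HELLO_TTL, so a
 * flood of spoofed DATA packets never reaches the origin. */
enum verdict filter_udp(uint32_t src_ip, uint16_t dst_port,
                        const uint8_t *payload, size_t len, uint64_t now)
{
    if (dst_port != SERVICE_PORT) return VERDICT_PASS;
    if (len < 2 || payload[1] != PROTO_VERSION) return VERDICT_DROP;
    struct flow *f = &flows[slot_for(src_ip)];
    switch (payload[0]) {
    case MSG_HELLO:             /* record (or refresh) the source as known */
        f->src_ip = src_ip; f->last_hello = now;
        return VERDICT_PASS;
    case MSG_DATA:              /* stateful check: HELLO must have come first */
        return recently_greeted(f, src_ip, now) ? VERDICT_PASS : VERDICT_DROP;
    default:
        return VERDICT_DROP;    /* unknown message type */
    }
}
```

The table is a fixed-size array indexed by a hash of the source address, which is the same shape as a BPF map; a production filter would also have to decide how colliding or expired entries are evicted.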
Enhanced Security for Custom Protocols
Many organizations rely on proprietary or custom protocols that are not natively understood by conventional DDoS protection systems. Programmable Flow Protection offers a solution by empowering users to define mitigation logic tailored to their specific protocols. This ensures that even niche or bespoke applications receive robust protection against evolving threats.
By providing the tools to create custom filters, Cloudflare helps organizations address security challenges unique to their environments. This flexibility is critical for businesses that operate in specialized industries or deploy non-standard communication protocols.
Global Deployment and Scalability
The global reach of Cloudflare's network ensures that Programmable Flow Protection can mitigate DDoS attacks at any scale. The ability to execute custom mitigation logic across multiple data centers provides a distributed and highly effective defense against even the most sophisticated attack vectors.
By deploying custom eBPF programs globally, customers benefit from a unified approach to traffic management. This eliminates the need for localized hardware solutions and ensures that protections are consistent regardless of geographic location. The result is a scalable, efficient, and highly reliable mitigation strategy.
Availability and Participation
Programmable Flow Protection is currently in a beta phase and is available exclusively to Magic Transit Enterprise customers. This offering comes at an additional cost, reflecting the advanced capabilities and customizability it provides. Customers interested in participating in the beta can reach out to their Cloudflare account teams for more information.
This initiative highlights Cloudflare's commitment to addressing the evolving security needs of its customers. By empowering users to take control of their DDoS mitigation strategies, Programmable Flow Protection sets a new standard for customizable network security solutions.