Tag: eBPF

  • Cloudflare Launches C-Based Custom DDoS Shields for Magic Transit

    Key Takeaways

    1. Programmable Flow Protection is a new closed-beta feature for Magic Transit customers that mitigates DDoS attacks against UDP-based Layer 7 protocols, both standard and custom.
    2. Customers upload custom packet-processing programs written in C, which Cloudflare compiles to eBPF for protocol-aware inspection and filtering of UDP traffic.
    3. The feature is aimed at environments with specialized UDP traffic, such as gaming, financial services, VoIP, and streaming workloads.
    4. Configuration is managed through Cloudflare's API; the underlying engine supports various network topologies but inspects ingress traffic only.
    5. It extends Cloudflare's DDoS protection with customizable, protocol-specific mitigation alongside the existing Advanced TCP and DNS Protections.

    Cloudflare Launches Programmable Flow Protection in Beta

    Cloudflare has rolled out Programmable Flow Protection as a closed beta for Magic Transit customers. The feature targets sophisticated DDoS attacks on custom and standard UDP-based Layer 7 protocols. It is offered as a Magic Transit add-on for customers who bring their own IP addresses as well as those who use Cloudflare-leased IPs.

    Designed For Specialized Traffic and Critical Workloads

    As Cloudflare describes it, the feature is built for environments that carry unusual UDP traffic: gaming, financial services, VoIP, telecom, and streaming. It sits alongside Magic Transit's existing DDoS protection suite, which already includes Advanced TCP Protection and Advanced DNS Protection, and is meant to give operators of demanding UDP workloads finer control over what reaches their origin.

    Customizable Packet Inspection

    The central capability of Programmable Flow Protection is that customers upload their own packet-processing programs written in C. Cloudflare validates and compiles each program and distributes it across its network, where it runs as an eBPF program in user space rather than as a kernel hook. The operator's protocol-specific logic then examines each UDP datagram and decides in real time whether it is passed or dropped, which is what lets a mitigation distinguish a well-formed request for a custom protocol from a flood of junk aimed at the same port.
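    The following is an added example, not Cloudflare's code or SDK, of the kind of protocol-aware UDP filter such a program would express in C. The entry-point name and signature (filter_udp), the verdict values, the service port 27015 and the "GAME" wire format are assumptions made for illustration; the page does not describe Cloudflare's actual program ABI. The test datagrams are constructed inline, and the filter is written the way an eBPF target generally requires: every read is bounds-checked, there are no loops and no heap allocation.

```c
/* Added example, not Cloudflare's code or SDK. ASSUMPTIONS: the entry point
 * filter_udp(pkt, len), the verdict values, GAME_PORT and the "GAME" message
 * format are invented for illustration; the real program ABI is not on the page.
 * Written eBPF-friendly: bounds-checked reads, no loops, no heap allocation. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { VERDICT_DROP = 0, VERDICT_PASS = 1 };

#define IPV4_MIN_HDR 20
#define UDP_HDR      8
#define GAME_PORT    27015        /* assumed service port */
#define GAME_MAGIC   0x47414d45u  /* "GAME", assumed */
#define GAME_HDR     8            /* magic(4) version(1) type(1) payload_len(2) */
#define GAME_MAX_HANDSHAKE 64     /* type 0x01: small, fixed-size handshake */
#define GAME_MAX_UPDATE    512    /* type 0x02: state update */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Verdict for one ingress IPv4/UDP datagram; pkt points at the IP header.
 * Datagrams for other ports are passed untouched (other rules handle them);
 * datagrams to GAME_PORT must be well-formed "GAME" messages or they are dropped. */
int filter_udp(const uint8_t *pkt, size_t len)
{
    if (len < IPV4_MIN_HDR || (pkt[0] >> 4) != 4) return VERDICT_DROP;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < IPV4_MIN_HDR || len < ihl + UDP_HDR) return VERDICT_DROP;
    if (pkt[9] != 17) return VERDICT_PASS;                   /* not UDP: not ours */
    const uint8_t *udp = pkt + ihl;
    if (rd16(udp + 2) != GAME_PORT) return VERDICT_PASS;     /* another service */
    /* The assumed protocol never fragments, so a fragment (MF flag or a non-zero
     * offset) aimed at the game port cannot be inspected and is dropped. */
    if ((rd16(pkt + 6) & 0x3fff) != 0) return VERDICT_DROP;
    size_t udp_len = rd16(udp + 4);
    if (udp_len < UDP_HDR + GAME_HDR || udp_len > len - ihl) return VERDICT_DROP;
    const uint8_t *msg = udp + UDP_HDR;
    size_t payload = udp_len - UDP_HDR - GAME_HDR;
    if (rd32(msg) != GAME_MAGIC || msg[4] != 1) return VERDICT_DROP;
    if (rd16(msg + 6) != payload) return VERDICT_DROP;       /* declared length must match */
    switch (msg[5]) {
    case 0x01: return payload <= GAME_MAX_HANDSHAKE ? VERDICT_PASS : VERDICT_DROP;
    case 0x02: return payload <= GAME_MAX_UPDATE    ? VERDICT_PASS : VERDICT_DROP;
    default:   return VERDICT_DROP;                          /* unknown message type */
    }
}

/* Constructed test datagram: IPv4/UDP carrying one "GAME" message, no checksums
 * (the filter never reads them). Returns the total length, or 0 if it does not
 * fit. The separate declared_len lets a caller forge a length mismatch. */
size_t build_game_packet(uint8_t *buf, size_t cap, uint16_t dport, uint32_t magic,
                         uint8_t version, uint8_t type, uint16_t declared_len,
                         size_t actual_payload_len)
{
    size_t udp_len = UDP_HDR + GAME_HDR + actual_payload_len;
    size_t total = IPV4_MIN_HDR + udp_len;
    if (total > cap || udp_len > 0xffff) return 0;
    memset(buf, 0, total);
    buf[0] = 0x45; buf[8] = 64; buf[9] = 17;                 /* IPv4, IHL 5, TTL, UDP */
    wr16(buf + 2, (uint16_t)total);
    uint8_t *udp = buf + IPV4_MIN_HDR;
    wr16(udp, 40000); wr16(udp + 2, dport); wr16(udp + 4, (uint16_t)udp_len);
    uint8_t *msg = udp + UDP_HDR;
    wr32(msg, magic); msg[4] = version; msg[5] = type; wr16(msg + 6, declared_len);
    memset(msg + GAME_HDR, 0xAB, actual_payload_len);        /* filler payload */
    return total;
}

/* Build one packet and return the filter's verdict. A non-zero truncate_to hands
 * the filter fewer bytes than were built, modelling a datagram cut short. */
int run_case(uint16_t dport, uint32_t magic, uint8_t version, uint8_t type,
             uint16_t declared_len, size_t actual_payload_len, size_t truncate_to)
{
    uint8_t buf[1500];
    size_t n = build_game_packet(buf, sizeof buf, dport, magic, version, type,
                                 declared_len, actual_payload_len);
    if (n == 0) return VERDICT_DROP;
    if (truncate_to && truncate_to < n) n = truncate_to;
    return filter_udp(buf, n);
}

int main(void)
{
    printf("valid handshake  -> %d\n", run_case(GAME_PORT, GAME_MAGIC, 1, 0x01, 16, 16, 0));
    printf("bad magic        -> %d\n", run_case(GAME_PORT, 0x41424344u, 1, 0x01, 16, 16, 0));
    printf("length mismatch  -> %d\n", run_case(GAME_PORT, GAME_MAGIC, 1, 0x02, 10, 300, 0));
    printf("oversize hs      -> %d\n", run_case(GAME_PORT, GAME_MAGIC, 1, 0x01, 65, 65, 0));
    printf("truncated        -> %d\n", run_case(GAME_PORT, GAME_MAGIC, 1, 0x02, 200, 200, 100));
    printf("other port       -> %d\n", run_case(53, 0, 0, 0, 0, 0, 0));
    return 0;
}
```

    The design point is that the filter keys on what a legitimate client of the protocol cannot avoid sending (magic, version, a self-consistent length, a type with a known size bound) rather than on rate or source, which is exactly the kind of decision a generic L3/L4 mitigation cannot make. Because only ingress is inspected, the program sees one direction and must make its decision from the datagram alone.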

    Foundation and API Management

    The feature is built on Cloudflare's Flowtrackd, a stateful mitigation engine that supports various network topologies. One caveat: it inspects ingress traffic only, so a program sees packets arriving from the Internet toward the protected prefix and never the return path, and any state it keeps has to be derived from that one direction. Customers configure the feature through Cloudflare's API, which exposes endpoints to upload programs, create rules, list configurations and delete them, so mitigation can be tailored to a specific network's needs.

    Extending Cloudflare’s Security Platform

    Magic Transit is Cloudflare's service for securing and accelerating networks, whether on-premises, cloud-based or hybrid. Programmable Flow Protection broadens it by allowing customer-specific UDP inspection and attack mitigation, which matters most for services whose traffic does not fit generic mitigation rules.

    Ongoing Development and Availability

    According to Cloudflare's DDoS documentation, Programmable Flow Protection lets customers deploy custom eBPF packet logic to inspect and defend against attacks on UDP Layer 7 protocols. The feature is currently in closed beta, and general availability has not been announced, so for now it is an advanced option available to selected customers.