Introducing Programmable Flow Protection: custom DDoS mitigation logic for Magic Transit customers
Magic Transit customers can now program their own DDoS mitigation logic and deploy it across Cloudflare’s global network. This enables precise, stateful mitigation for custom and proprietary UDP protocols.

Cloudflare has announced the launch of Programmable Flow Protection, a new feature designed to empower Magic Transit customers with the ability to create their own custom DDoS mitigation logic. This innovative system allows users to deploy their own protocol-specific rules across Cloudflare's global network, providing precise, stateful mitigation for custom and proprietary UDP-based protocols.
Programmable Flow Protection is a response to the long-standing challenge of protecting custom or proprietary UDP protocols, which have traditionally been difficult for Cloudflare's DDoS mitigation systems to handle effectively. Unlike TCP, UDP has no handshake and no stateful connections, which makes it hard for existing systems to identify and mitigate attacks.
Cloudflare's existing DDoS mitigation solutions, such as Advanced TCP Protection and Advanced DNS Protection, are built on an understanding of specific protocol characteristics. For instance, Advanced TCP Protection uses known characteristics of the TCP protocol to challenge and verify the legitimacy of incoming traffic. Similarly, Advanced DNS Protection builds a per-customer profile of DNS queries to identify and mitigate DNS attacks. However, these systems struggle with custom or proprietary UDP protocols because they lack the relevant protocol knowledge.
Programmable Flow Protection addresses this gap by allowing customers to write their own eBPF programs that define what constitutes "good" and "bad" packets and how to handle them. These programs are then executed across Cloudflare's entire global network, enabling the system to drop or challenge "bad" packets before they reach the customer's origin. This level of customization and flexibility ensures that DDoS attacks of any scale can be effectively mitigated.
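The kind of per-packet decision described above, as an added example that is not Cloudflare's code and does not use its program interface (which this page does not show). It is plain user-space C for a hypothetical UDP protocol "XGP"; the header layout, the cookie function and all names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical "XGP" header: magic 0x58 0x47, 1-byte type, 1-byte body length. */
enum verdict { V_PASS, V_DROP, V_CHALLENGE };
enum { T_HELLO = 1, T_HELLO_ACK = 2, T_DATA = 3 };

#define SLOTS 256
static uint32_t verified[SLOTS]; /* source IPs that answered a challenge; 0 = empty */

/* Constructed keyed mix standing in for a real MAC with a rotating secret. */
static uint32_t cookie(uint32_t src_ip) {
    uint32_t h = src_ip ^ 0x9e3779b9u; /* constructed secret */
    h ^= h >> 16;
    h *= 0x85ebca6bu;
    h ^= h >> 13;
    return h;
}

/* Decide what to do with one UDP payload from src_ip. */
enum verdict classify(uint32_t src_ip, const uint8_t *p, size_t len) {
    if (src_ip == 0) return V_DROP;                    /* 0 marks an empty slot */
    if (len < 4 || p[0] != 0x58 || p[1] != 0x47) return V_DROP;
    if ((size_t)p[3] != len - 4) return V_DROP;        /* declared length must match */
    uint32_t *slot = &verified[src_ip % SLOTS];
    switch (p[2]) {
    case T_HELLO:
        /* Unverified source: answer with cookie(src_ip), forward nothing. */
        return V_CHALLENGE;
    case T_HELLO_ACK: {
        if (p[3] != 4) return V_DROP;
        uint32_t tok = (uint32_t)p[4] << 24 | (uint32_t)p[5] << 16 |
                       (uint32_t)p[6] << 8 | (uint32_t)p[7];
        if (tok != cookie(src_ip)) return V_DROP;      /* spoofed or guessed token */
        *slot = src_ip;                                /* state: source proved return path */
        return V_PASS;
    }
    case T_DATA:
        /* Data is only accepted from sources that completed the challenge. */
        return *slot == src_ip ? V_PASS : V_DROP;
    default:
        return V_DROP;                                 /* unknown message type */
    }
}
```

The table is what makes the check stateful: a spoofed source never sees the cookie sent to the real address, so its data packets are dropped without reaching the origin.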
The feature is currently in beta and available to all Magic Transit Enterprise customers for an additional cost. Customers interested in joining the beta can contact their account team or sign up on the designated page.
The introduction of Programmable Flow Protection underscores Cloudflare's commitment to providing tailored solutions for its customers' unique needs. By empowering users with the ability to create custom DDoS mitigation logic, Cloudflare is further solidifying its position as a leader in cybersecurity and network protection.
In the ever-evolving landscape of cyber threats, the ability to adapt and respond to new challenges is crucial. With Programmable Flow Protection, Magic Transit customers can now take control of their DDoS mitigation strategies, ensuring that their custom and proprietary UDP protocols are protected against sophisticated attacks. This innovative feature not only enhances security but also fosters a more resilient and adaptable ecosystem for businesses and organizations reliant on custom network protocols.










