Introducing Programmable Flow Protection: custom DDoS mitigation logic for Magic Transit customers
Magic Transit customers can now program their own DDoS mitigation logic and deploy it across Cloudflare’s global network. This enables precise, stateful mitigation for custom and proprietary UDP protocols.

Cloudflare has announced the launch of Programmable Flow Protection, a new feature designed to give Magic Transit customers the ability to create their own custom DDoS mitigation logic and deploy it across the company's global network. The feature enables precise, stateful mitigation for custom and proprietary UDP protocols, addressing a long-standing challenge for Cloudflare's DDoS mitigation systems.
Programmable Flow Protection is currently in beta and available to all Magic Transit Enterprise customers for an additional cost. Customers interested in joining the beta can contact their account team or sign up on the designated page. The system is engineered to provide the highest possible level of customization and flexibility to mitigate DDoS attacks of any scale.
Cloudflare's existing DDoS mitigation systems have been designed to understand and protect popular, well-known protocols from DDoS attacks. For example, the Advanced TCP Protection system uses specific known characteristics of the TCP protocol to issue challenges and establish a client's legitimacy. Similarly, the Advanced DNS Protection builds a per-customer profile of DNS queries to mitigate DNS attacks. The generic DDoS mitigation platform also understands common patterns across a variety of other well-known protocols, including NTP, RDP, SIP, and many others.
However, custom or proprietary UDP protocols have always been a challenge for Cloudflare's DDoS mitigation systems, because those systems lack the protocol knowledge needed to make an informed decision about whether to pass or drop a given packet. Programmable Flow Protection addresses this gap by allowing customers to write their own eBPF program that defines what "good" and "bad" packets are and how to deal with them. Cloudflare then runs the program across its entire global network. The program can choose to either drop or challenge "bad" packets, preventing them from reaching the customer's origin.
UDP is a connectionless transport-layer protocol: unlike TCP, it has no handshake or stateful connections and does not promise that packets will be delivered in order. This makes UDP-based attacks particularly challenging to mitigate, as there is no established state or handshake to analyze. Programmable Flow Protection provides a solution to this problem by enabling customers to define their own rules for identifying and mitigating DDoS attacks on their custom UDP protocols.
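To make concrete the kind of decision such a program encodes, here is an added example that is not Cloudflare's code and does not use the Programmable Flow Protection API, which this page does not describe: the pass/drop classification for a constructed "GAME" UDP protocol, written as plain C over a raw IPv4/UDP packet so it runs stand-alone, with a small array standing in for a BPF map to show a stateful HELLO-before-DATA check. The port 27015, the magic, the message types and the packet builder are all assumptions made for the example.

```c
/* Illustrative classification logic of the kind a customer's eBPF program would
 * implement, written as plain C over a raw IPv4/UDP packet so it runs stand-alone;
 * in an XDP program the same checks return XDP_DROP / XDP_PASS from the hook.
 * The "GAME" wire format, its port and message types are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum verdict { VERDICT_DROP = 0, VERDICT_PASS = 1 };
enum { GAME_PORT = 27015, GAME_MAGIC = 0x47414D45, MSG_HELLO = 1, MSG_DATA = 2 };

static uint32_t hello_seen[256];   /* stand-in for a BPF hash map keyed by source IP */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Classify one IPv4 packet (Ethernet header already stripped). Every read is
 * bounds-checked against len first, as the eBPF verifier would demand. */
enum verdict classify(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return VERDICT_DROP;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 17) return VERDICT_DROP; /* UDP only */
    const uint8_t *udp = pkt + ihl;
    if (rd16(udp + 2) != GAME_PORT) return VERDICT_PASS;     /* not our protocol */
    size_t udp_len = rd16(udp + 4);
    if (udp_len < 8 + 7 || ihl + udp_len > len) return VERDICT_DROP; /* truncated */
    const uint8_t *pl = udp + 8;
    if (rd32(pl) != GAME_MAGIC) return VERDICT_DROP;         /* wrong magic */
    if (rd16(pl + 5) != udp_len - 8 - 7) return VERDICT_DROP; /* length field lies */
    uint32_t src = rd32(pkt + 12), slot = (src * 2654435761u) >> 24; /* toy hash */
    if (pl[4] == MSG_HELLO) { hello_seen[slot] = src; return VERDICT_PASS; }
    if (pl[4] == MSG_DATA) return hello_seen[slot] == src ? VERDICT_PASS : VERDICT_DROP;
    return VERDICT_DROP;                                     /* unknown message type */
}

/* Build a minimal IPv4/UDP GAME packet into buf (constructed test input). */
size_t build_game_packet(uint8_t *buf, uint32_t src, uint16_t dport, uint8_t type, uint16_t body_len) {
    size_t ulen = 8 + 7 + body_len, total = 20 + ulen;
    memset(buf, 0, total);
    buf[0] = 0x45; buf[9] = 17;
    for (int i = 0; i < 4; i++) buf[12 + i] = (uint8_t)(src >> (24 - 8 * i));
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    buf[24] = (uint8_t)(ulen >> 8);  buf[25] = (uint8_t)ulen;
    memcpy(buf + 28, "GAME", 4);
    buf[32] = type; buf[33] = (uint8_t)(body_len >> 8); buf[34] = (uint8_t)body_len;
    return total;
}
```

A real program would replace the toy array with a BPF map so state is shared per-flow, and would need an eviction policy, which this sketch omits.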
By introducing Programmable Flow Protection, Cloudflare is further enhancing its commitment to providing flexible and customizable DDoS mitigation solutions for its Magic Transit customers. This new feature allows businesses with unique UDP-based protocols to protect themselves against DDoS attacks more effectively, ensuring the resilience and continuity of their operations.