Cloudflare has added Programmable Flow Protection to Magic Transit, giving customers custom eBPF-based DDoS mitigation for UDP-based Layer 7 traffic.
The feature is powered by Flowtrackd, Cloudflare’s stateful mitigation platform. When a Magic Transit customer enables Programmable Flow Protection, they can write a small C program that implements their own packet‑validation rules. Cloudflare’s backend then validates, compiles, and deploys that program across its entire network as a user‑space eBPF program.
Once deployed, every incoming UDP packet matching the configured protocol is handed to the custom program. The program can inspect packet payloads, track connection state (yes, stateful UDP is possible), and decide in real time whether to allow or block the traffic. The system works with both asymmetric and symmetric network topologies, though Cloudflare notes that it currently inspects ingress traffic only – return path decisions are still handled by standard Magic Transit rules.
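To make the kind of packet-validation program described above concrete, here is an added example in plain C (not Cloudflare's code, and not its real program interface, which this page does not specify): it validates the header of a constructed, fictitious game protocol and keeps per-flow state so that replayed or far-out-of-window sequence numbers are dropped. The `verdict` and `flow_state` types, `inspect_udp` and `run_constructed_flow` are assumptions for illustration, and a real program would also have to respect the eBPF constraints covered in the documentation.

```c
#include <stdint.h>
#include <stddef.h>

/* Verdict for one UDP packet and per-flow state kept between packets of the
 * same flow (both hypothetical interfaces, not Cloudflare's actual API). */
enum verdict { VERDICT_DROP = 0, VERDICT_ALLOW = 1 };
struct flow_state { uint32_t last_seq; uint8_t seen; };

/* Constructed wire format of a fictitious game protocol: bytes 0-1 magic "GM",
 * byte 2 version (must be 1), byte 3 type (1 = position update with a 12-byte
 * body, 2 = keepalive with no body), bytes 4-7 big-endian sequence number. */
#define HDR_LEN 8
#define MAX_SEQ_JUMP 1024u   /* largest forward jump accepted between packets */
static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

enum verdict inspect_udp(const uint8_t *payload, size_t len, struct flow_state *st) {
    if (len < HDR_LEN || payload[0] != 'G' || payload[1] != 'M' || payload[2] != 1)
        return VERDICT_DROP;                       /* truncated or not our protocol */
    uint8_t type = payload[3];
    size_t body = len - HDR_LEN;
    if ((type == 1 && body != 12) || (type == 2 && body != 0) || (type != 1 && type != 2))
        return VERDICT_DROP;                       /* body length must match message type */
    uint32_t seq = rd32be(payload + 4);
    /* A replayed or far-out-of-order sequence number is typical of a flood built
     * from a captured packet; the first packet of a flow sets the baseline. */
    if (st->seen && (seq <= st->last_seq || seq - st->last_seq > MAX_SEQ_JUMP))
        return VERDICT_DROP;
    st->seen = 1;
    st->last_seq = seq;
    return VERDICT_ALLOW;
}

/* Feeds six constructed packets through one flow and returns how many pass (2). */
int run_constructed_flow(void) {
    struct flow_state st = {0, 0};
    uint8_t pos[20]   = {'G','M',1,1, 0,0,0,10};   /* seq 10, zeroed body: allowed */
    uint8_t keep[8]   = {'G','M',1,2, 0,0,0,11};   /* seq 11 keepalive: allowed */
    uint8_t replay[8] = {'G','M',1,2, 0,0,0,11};   /* seq 11 again: replay, dropped */
    uint8_t trunc[7]  = {'G','M',1,2, 0,0,0};      /* header too short: dropped */
    uint8_t magic[20] = {'X','X',1,1, 0,0,0,12};   /* wrong magic: dropped */
    uint8_t jump[8]   = {'G','M',1,2, 0,1,0,0};    /* seq 65536: jump too large, dropped */
    const uint8_t *pk[] = {pos, keep, replay, trunc, magic, jump};
    size_t ln[] = {sizeof pos, sizeof keep, sizeof replay, sizeof trunc, sizeof magic, sizeof jump};
    int allowed = 0;
    for (size_t i = 0; i < 6; i++) allowed += inspect_udp(pk[i], ln[i], &st) == VERDICT_ALLOW;
    return allowed;
}
```

In a deployment the flow state would be keyed by the packet's 5-tuple and expired on idle, which is what a stateful platform such as Flowtrackd provides and this stand-alone example leaves out.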
For a deeper technical dive, including API endpoints for uploading programs and managing configurations, check out the official documentation on Cloudflare’s developer portal. The docs walk through everything from writing your first C inspection routine to testing it in a non‑production environment.
Who needs this? Gaming, finance, VoIP, and streaming
Cloudflare explicitly calls out several industries where custom UDP protocols are common – and where DDoS attacks have become increasingly sophisticated.
- Gaming – Many online games use proprietary UDP‑based protocols for low‑latency position updates, matchmaking, or voice chat. Attackers often reverse‑engineer those protocols and launch “logic floods” that look like real player traffic.
- Financial services – High‑frequency trading and market data feeds frequently run over custom UDP to shave milliseconds off latency. A well‑crafted application flood can bypass simple packet‑per‑second limits.
- VoIP and telecom – SIP and RTP traffic over UDP is a perennial DDoS target. Custom inspection logic can validate call‑ID sequences, user agents, or transaction states before passing packets to internal PBX systems.
- Streaming workloads – Live video or audio streams using proprietary UDP transports (e.g., some WebRTC implementations or custom CDN edge protocols) benefit from protocol‑aware filtering.
For these use cases, Programmable Flow Protection acts as a last line of defence before traffic ever reaches the customer’s origin infrastructure.
Magic Transit’s evolving DDoS toolkit
Magic Transit is Cloudflare’s IP‑layer security and performance service for on‑premises, cloud‑hosted, or hybrid networks. It already includes powerful DDoS scrubbing, but until now customisation has been limited to TCP‑specific protections. The new UDP feature sits alongside Advanced TCP Protection (which handles SYN floods, ACK floods, and TCP state exhaustion) and Advanced DNS Protection (for authoritative and recursive DNS servers).
Crucially, Programmable Flow Protection is available as an add‑on for existing Magic Transit customers, regardless of whether they use Bring Your Own IP (BYOIP) or Cloudflare‑leased IP addresses. Configuration is handled entirely through Cloudflare’s API, with dedicated endpoints for:
- Uploading compiled or source‑level C programs
- Creating rules that map specific UDP ports or protocol identifiers to a program
- Listing active configurations
- Deleting or updating programs without taking down the whole mitigation
The API‑first approach suggests Cloudflare expects advanced users – likely larger engineering teams – to integrate custom DDoS logic directly into their infrastructure‑as‑code pipelines.
Closed beta, no GA date yet
At the time of writing, Programmable Flow Protection remains in closed beta. Cloudflare has not announced a general availability date, and the feature is not listed as part of standard Magic Transit SKUs. Interested customers are likely expected to contact their Cloudflare account team for access.
That said, the fact that Cloudflare has already published detailed developer documentation (including C code examples and eBPF constraints) indicates a full launch is probably a few months out – not years. For now, the beta is limited to Magic Transit customers who can demonstrate a genuine need for custom UDP inspection and are willing to test early‑stage software.
The bigger picture: programmable edge security
Cloudflare’s move mirrors a broader industry trend toward programmable network security. Instead of forcing every customer into a fixed set of DDoS rules, the company is opening up its edge to user‑supplied code. eBPF (extended Berkeley Packet Filter) has become the go‑to technology for safe, high‑performance kernel and user‑space packet processing – and Cloudflare has been a vocal advocate for eBPF in production.
What makes this announcement noteworthy is the stateful component. Most eBPF packet filters are stateless (each packet is examined in isolation). By building on Flowtrackd, Cloudflare allows custom UDP programs to maintain session state, track sequence numbers, or even implement challenge‑response mechanisms – all running at line rate across their global network.
For security teams tired of playing whack‑a‑mole with application‑layer UDP floods, that level of customisation could be a game changer. The only question now is how many Magic Transit customers will take Cloudflare up on the offer to write C code for their DDoS pipeline – and how many will wait for a more polished, UI‑driven version.
Source: Cloudflare official documentation and developer portal.
