Cloudflare's Programmable Flow Protection for Custom DDoS Mitigation

The Challenge of UDP DDoS Mitigation

Traditional DDoS mitigation systems excel at protecting well-known protocols like TCP and standard DNS, as they understand their structure and expected behavior. However, custom or proprietary UDP-based protocols, often used in online gaming, VoIP, and video streaming for their speed, pose a significant challenge. Without specific protocol knowledge, generic DDoS defenses are limited to crude measures like blanket blocking or rate limiting an IP/port, which can inadvertently drop legitimate traffic alongside malicious packets, effectively aiding the attacker.

Introducing Programmable Flow Protection

Cloudflare's Programmable Flow Protection (PFP) addresses this gap by empowering customers to define their own DDoS mitigation logic using eBPF programs. These programs are deployed across Cloudflare's global network, running in userspace (for security and flexibility) after standard DDoS mitigations. This allows customers to leverage their deep understanding of their application's protocol to differentiate between legitimate and malicious UDP traffic at the network edge.

Key Capabilities and Architectural Benefits

• Custom Packet Filtering: eBPF programs can inspect UDP packet payloads for application-specific patterns, like unique tokens in game headers, to decide whether to pass or drop traffic.
• Stateful Tracking: Unlike stateless firewalls, PFP programs can maintain state about client IPs across packet executions. This is crucial for detecting and mitigating advanced attacks like replay attacks.
• Custom Challenges: The platform provides helper functions to issue cryptographic challenges to suspicious clients. Legitimate clients (e.g., a gaming client) can solve these challenges, while automated attack scripts cannot, allowing PFP to block only malicious traffic.
• Global Network Scale: By integrating with Cloudflare's Magic Transit, these custom mitigations are deployed across a vast global network, providing massive capacity to absorb and filter attacks close to their source.

#include <linux/ip.h>
#include <linux/udp.h>
#include <arpa/inet.h>
#include "cf_ebpf_defs.h"
#include "cf_ebpf_helper.h"

uint64_t cf_ebpf_main(void *state) {
    // ... (simplified for illustration)
    uint8_t status;
    if (cf_ebpf_get_source_ip_status(&status) != 0) {
        return CF_EBPF_DROP;
    }
    switch (status) {
        case NONE: // Issue a custom challenge
            issue_challenge();
            cf_ebpf_set_source_ip_status(CHALLENGED);
            return CF_EBPF_DROP;
        case CHALLENGED: // Verify challenge response
            if (verify_challenge()) {
                cf_ebpf_set_source_ip_status(VERIFIED);
                return CF_EBPF_PASS;
            } else {
                cf_ebpf_set_source_ip_status(BLOCKED);
                return CF_EBPF_DROP;
            }
        case VERIFIED: return CF_EBPF_PASS;
        case BLOCKED: return CF_EBPF_DROP;
        default: return CF_EBPF_PASS;
    }
    return CF_EBPF_PASS;
}

This functionality represents a significant evolution in network security architecture, moving beyond static firewall rules to dynamic, programmable defense mechanisms that are highly adaptable to specific application requirements and evolving threat landscapes. It empowers organizations to build custom security logic directly into the network edge, combining granular control with the immense scale of a global CDN/security provider.