According to The Cloudflare Blog, Cloudflare has introduced Programmable Flow Protection for Magic Transit customers, a beta feature available to Magic Transit Enterprise customers at an additional cost. The system lets customers write their own eBPF programs to define what constitutes “good” and “bad” traffic for their protocol and deploy them across Cloudflare’s global network, enabling stateful, customised DDoS mitigation for proprietary UDP protocols.
Programs are executed in userspace after Cloudflare’s existing mitigations, using a set of helper functions to store per-client state, perform cryptographic checks, and emit challenges when needed. The article explains that UDP’s lack of handshake and state can hinder generic mitigations, so this approach allows customers to combine their protocol knowledge with Cloudflare’s network to drop or challenge suspicious traffic more precisely.
An example shows protecting a gaming server on UDP port 207 by validating a token carried in a proprietary header, with replay attacks countered through stateful tracking of what each client has already sent and challenges issued when a packet does not check out. The post notes the feature is still in active development and invites interested users to explore getting started and to join a Discord channel for discussion.