Cloudflare has launched Programmable Flow Protection in beta for Magic Transit Enterprise customers, allowing them to write custom eBPF programs that define DDoS mitigation logic for proprietary or custom UDP protocols. Previously, Cloudflare's DDoS systems could only protect well-known protocols; unknown UDP traffic could only be rate-limited or blocked entirely, harming legitimate users. With this feature, customers upload eBPF programs that run across Cloudflare's global network to inspect, pass, drop, or challenge individual packets based on application-specific logic. The platform supports stateful flow tracking and cryptographic challenges, enabling defenses against replay attacks. Code examples demonstrate filtering by application header values and statefully managing client verification states.

10m read time. From blog.cloudflare.com
Table of contents
Programmable Flow Protection is customizable
The problem of UDP-based attacks
How Programmable Flow Protection works
Combining customer knowledge with Cloudflare’s network
Going beyond firewalls: stateful tracking and challenges
Get started today
