Programmable Flow Protection: Custom DDoS Mitigation for Magic Transit Updated with Technical and Operational Details.
Cloudflare's new feature allows Magic Transit customers to implement custom DDoS mitigation logic, enhancing security and operational control.
Cloudflare launches Programmable Flow Protection, letting Magic Transit customers implement custom DDoS mitigation logic tailored to their specific protocol needs using eBPF, providing advanced and flexible protection within Cloudflare's network.
Introducing Programmable Flow Protection: Customizable DDoS Mitigation for Magic Transit
Cloudflare has introduced Programmable Flow Protection, a new feature for its Magic Transit service that lets customers create custom DDoS mitigation strategies tailored to their unique network traffic and protocol needs. Magic Transit protects infrastructure at the IP layer against volumetric DDoS attacks, but organizations often struggle when attacks target proprietary or uncommon UDP protocols where generic mitigation is not sufficient.
Using Programmable Flow Protection, customers can write eBPF (extended Berkeley Packet Filter) programs to define granular rules. These programs help distinguish legitimate packets from malicious ones within their specific UDP protocols. eBPF code supports stateful inspection and complex logic during packet processing, allowing filters that are more precise than traditional rate limiting or signature-based methods.
These eBPF programs are deployed at Cloudflare's edge servers worldwide, ensuring consistent enforcement close to the attack source. This design delivers high performance with very low latency impact. It combines customers' deep knowledge of their applications with Cloudflare's extensive network to defend against sophisticated, customized DDoS attacks.
- Enables custom DDoS mitigation logic via eBPF programs.
- Supports complex, stateful packet inspection for custom UDP protocols.
- Deploys mitigation logic globally across Cloudflare's edge network.
Tailoring Protection for Custom UDP Protocols and Complex Traffic
UDP-based protocols vary widely across industries, including real-time gaming, voice communication such as VoIP, financial transaction systems, and industrial control networks. These specialized protocols exhibit unique packet patterns that generic DDoS tools often mishandle, causing false positives or leaving attacks unmitigated.
Programmable Flow Protection lets customers write custom eBPF logic that recognizes legitimate traffic patterns and blocks attack traffic accurately. This tailored defense helps maintain uptime and quality of service where every packet matters and misclassification can be costly.
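The kind of protocol-aware check described above can be sketched in plain C. This is an added example, not Cloudflare's code or API: the 6-byte header layout, the HELLO/DATA message types, the `classify` function and the `known_src` table (a stand-in for an eBPF map) are all hypothetical, and the `data`/`data_end` pointer pair only mirrors the bounds-checking style eBPF programs use.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical 6-byte header of a constructed UDP game protocol:
 * magic(2, 0xC0DE) | version(1) | type(1) | payload_len(2, big-endian) */
enum verdict { DROP = 0, PASS = 1 };
enum msg_type { MSG_HELLO = 1, MSG_DATA = 2 };
#define HDR_LEN 6
#define MAX_PAYLOAD 512
#define TABLE_SIZE 1024

/* Stand-in for an eBPF hash map: source IPs that have sent a valid HELLO. */
static uint32_t known_src[TABLE_SIZE];

static uint32_t slot(uint32_t ip) { return (ip * 2654435761u) % TABLE_SIZE; }

/* Every read must be proven to lie before data_end, as in an eBPF program. */
enum verdict classify(uint32_t src_ip, const uint8_t *data, const uint8_t *data_end)
{
    if (src_ip == 0 || data + HDR_LEN > data_end)   /* truncated header */
        return DROP;
    if (data[0] != 0xC0 || data[1] != 0xDE)         /* wrong magic */
        return DROP;
    if (data[2] != 1)                               /* unsupported version */
        return DROP;

    /* The declared length must match the datagram exactly. */
    uint16_t plen = (uint16_t)((data[4] << 8) | data[5]);
    if (plen > MAX_PAYLOAD || (size_t)(data_end - data) != HDR_LEN + (size_t)plen)
        return DROP;

    switch (data[3]) {
    case MSG_HELLO:
        if (plen != 0)                              /* HELLO carries no payload */
            return DROP;
        known_src[slot(src_ip)] = src_ip;           /* remember this source */
        return PASS;
    case MSG_DATA:                                  /* stateful: DATA only after HELLO */
        return known_src[slot(src_ip)] == src_ip ? PASS : DROP;
    default:
        return DROP;                                /* unknown message type */
    }
}
```

Because UDP source addresses can be spoofed, a production filter would bind this state to a server-issued cookie carried in the packet rather than to the source address alone.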
Industries such as telecommunications, gaming, streaming, and finance benefit the most, because they can enforce mitigation rules that precisely match their traffic semantics. The feature also supports compliance and governance by giving customers control and visibility over the filtering logic applied to their data flows.
- Supports games, VoIP, financial services, and industrial control protocols.
- Addresses gaps in DDoS protection for custom UDP-based traffic.
- Allows customers to maintain operational control and visibility.
Operational Deployment and Beta Program Details
As of March 2026, Programmable Flow Protection is in beta and available to Magic Transit Enterprise customers. Enabling the feature generally involves an additional fee and collaboration with Cloudflare's security engineers. This partnership is important because writing and deploying eBPF programs safely requires expertise, given the complexity of custom packet filtering.
This feature complements Cloudflare’s existing Magic Transit defenses rather than replacing them. Customers therefore benefit from layered protection: broad volumetric DDoS mitigation combined with precise, protocol-aware filtering based on their custom logic.
Interested customers should contact their Cloudflare account managers or support teams. Cloudflare offers official documentation and best practice guides to help design and operate eBPF filters securely and efficiently. This careful rollout minimizes risks of unintended traffic disruption while maximizing mitigation effectiveness.
- Currently in beta; available to Magic Transit Enterprise customers for an additional cost.
- Requires collaboration with Cloudflare support for eBPF program creation and deployment.
- Integrates seamlessly with existing Magic Transit DDoS protections and network policies.
Sources
This article is based on verified public reporting and primary source material. The links below are the core references used for this writeup.
- Introducing Programmable Flow Protection: custom DDoS mitigation logic for Magic Transit customers from Cloudflare. Primary source from Cloudflare detailing the new Programmable Flow Protection feature and its capabilities for Magic Transit customers.