Cloudflare debuts C-based custom DDoS shields for Magic Transit

Cloudflare has introduced Programmable Flow Protection, a new closed beta feature for Magic Transit customers that is designed to mitigate DDoS attacks aimed at custom or standardized Layer 7 UDP-based protocols. Cloudflare says the feature is available as an add-on for Magic Transit deployments using either Bring Your Own IP or Cloudflare-leased IPs.
According to Cloudflare’s documentation, the feature is intended for environments that rely on specialized UDP traffic, including gaming, financial services, VoIP, telecom, and streaming workloads. Cloudflare positions it as part of its Advanced DDoS Protection systems for Magic Transit, alongside Advanced TCP Protection and Advanced DNS Protection.

Customers can upload custom packet logic in C

Cloudflare says Programmable Flow Protection allows customers to upload their own stateful packet-processing programs written in C. Those programs are then validated, compiled, and deployed across Cloudflare’s network as eBPF programs running in user space. The goal is to let operators inspect UDP application traffic with protocol-aware logic and decide whether packets should be allowed or blocked.
The company says the system is built on Flowtrackd, its stateful mitigation platform. It supports both asymmetric and symmetric topologies, but Cloudflare notes that the feature only inspects ingress traffic. Configuration is handled through Cloudflare’s API, which includes endpoints for uploading programs, creating rules, listing configurations, and deleting them.

Feature arrives as an add-on for Cloudflare’s network-layer DDoS platform

Magic Transit is Cloudflare’s network security and performance service for on-premises, cloud-hosted, and hybrid networks, offering DDoS protection and traffic handling at the IP layer. With Programmable Flow Protection, Cloudflare is extending that platform with a more customizable option for customers whose UDP-based services may not fit standard mitigation profiles.
Cloudflare’s DDoS documentation describes Programmable Flow Protection as a way to deploy custom eBPF packet logic across its network to inspect and mitigate attacks against UDP-based Layer 7 protocols. The company has not yet listed general availability, and its official docs still describe the feature as closed beta at the time of writing.




