We’re proud to introduce Programmable Circulation Safety: a system designed to let Magic Transit clients implement their very own customized DDoS mitigation logic and deploy it throughout Cloudflare’s world community. This permits exact, stateful mitigation for customized and proprietary protocols constructed on UDP. It’s engineered to offer the very best potential stage of customization and suppleness to mitigate DDoS assaults of any scale.
Programmable Circulation Safety is presently in beta and obtainable to all Magic Transit Enterprise clients for an extra value.
Programmable Circulation Safety is customizable
Our present DDoS mitigation methods have been designed to know and shield common, well-known protocols from DDoS assaults. For instance, our Superior TCP Safety system makes use of particular recognized traits in regards to the TCP protocol to difficulty challenges and set up a shopper’s legitimacy. Equally, our Superior DNS Safety builds a per-customer profile of DNS queries to mitigate DNS assaults. Our generic DDoS mitigation platform additionally understands frequent patterns throughout a wide range of different well-known protocols, together with NTP, RDP, SIP, and lots of others.
Nonetheless, customized or proprietary UDP protocols have at all times been a problem for Cloudflare’s DDoS mitigation methods as a result of our methods should not have the related protocol information to make clever selections to move or drop visitors.
Programmable Circulation Safety addresses this hole. Now, clients can write their very own eBPF program that defines what “good” and “bad” packets are and learn how to cope with them. Cloudflare then runs this system throughout our complete world community. This system can select to both drop or problem “bad” packets, stopping them from reaching the client’s origin.
The issue of UDP-based assaults
UDP is a connectionless transport layer protocol. Not like TCP, UDP has no handshake or stateful connections. It doesn’t promise that packets will arrive so as or precisely as soon as. UDP as a substitute prioritizes pace and ease, and is due to this fact well-suited for on-line gaming, VoIP, video streaming, and another use case the place the appliance requires real-time communication between purchasers and servers.
Our DDoS mitigation methods have at all times been in a position to detect and mitigate assaults towards well-known protocols constructed on high of UDP. For instance, the usual DNS protocol is constructed on UDP, and every DNS packet has a widely known construction. If we see a DNS packet, we all know learn how to interpret it. That makes it simpler for us to detect and drop DNS-based assaults.
Sadly, if we don’t perceive the protocol inside a UDP packet’s payload, our DDoS mitigation methods have restricted choices obtainable at mitigation time. If an attacker sends a big flood of UDP visitors that doesn’t match any recognized patterns or protocols, Cloudflare can both completely block or apply a fee restrict to the vacation spot IP and port mixture. It is a crude “last line of defense” that’s solely meant to maintain the remainder of the client’s community on-line, and it may be painful in a pair methods.
First, a block or a generic fee restrict doesn’t distinguish good visitors from unhealthy, which suggests these mitigations will seemingly trigger respectable purchasers to expertise lag or connection loss — doing the attacker’s job for them! Second, a generic fee restrict might be too strict or too lax relying on the client. For instance, a buyer who expects to obtain 1Gbps of respectable visitors most likely wants extra aggressive fee limiting in comparison with a buyer who expects to obtain 25Gbps of respectable visitors.
An illustration of UDP packet contents. A person can outline a sound payload and reject visitors that doesn’t match the outlined sample.
The Programmable Circulation Safety platform was constructed to handle this downside by permitting our clients to dictate what “good” versus “bad” visitors really appears to be like like. A lot of our clients use customized or proprietary UDP protocols that we don’t perceive — and now we don’t need to.
How Programmable Circulation Safety works
In earlier weblog posts, we’ve described how “flowtrackd”, our stateful community layer DDoS mitigation system, protects Magic Transit customers from complicated TCP and DNS assaults. We’ve additionally described how we use Linux applied sciences like XDP and eBPF to effectively mitigate frequent sorts of massive scale DDoS assaults.
Programmable Circulation Safety combines these applied sciences in a novel approach. With Programmable Circulation Safety, a buyer can write their very own eBPF program that decides whether or not to move, drop, or problem particular person packets based mostly on arbitrary logic. A buyer can add this system to Cloudflare, and Cloudflare will execute it on each packet destined to their community. Packages are executed in userspace, not kernel house, which permits Cloudflare the pliability to help a wide range of clients and use instances on the platform with out compromising safety. Programmable Circulation Safety packages run in any case of Cloudflare’s present DDoS mitigations, so customers nonetheless profit from our normal safety protections.
There are numerous similarities between an XDP eBPF program loaded into the Linux kernel and an eBPF program operating on the Programmable Circulation Safety platform. Each sorts of packages are compiled all the way down to BPF bytecode. They’re each run via a “verifier” to make sure reminiscence security and confirm program termination. They’re additionally executed in a quick, light-weight VM to offer isolation and stability.
Nonetheless, eBPF packages loaded into the Linux kernel make use of many Linux-specific “helper functions” to combine with the community stack, keep state between program executions, and emit packets to community units. Programmable Circulation Safety presents the identical performance every time a buyer chooses, however with a unique API tailor-made particularly to implement DDoS mitigations. For instance, we’ve constructed helper features to retailer state about purchasers between program executions, carry out cryptographic validation, and emit problem packets to purchasers. With these helper features, a developer can use the facility of the Cloudflare platform to guard their very own community.
Combining buyer information with Cloudflare’s community
Let’s step via an instance as an example how a buyer’s protocol-specific information might be mixed with Cloudflare’s community to create highly effective mitigations.
Say a buyer hosts a web-based gaming server on UDP port 207. The sport engine makes use of a proprietary software header that’s particular to the sport. Cloudflare has no information of the construction or contents of the appliance header. The client will get hit by DDoS assaults that overwhelm the sport server and gamers report lag in gameplay. The assault visitors comes from extremely randomized supply IPs and ports, and the payload information seems to be random as nicely.
To mitigate the assault, the client can use their information of the appliance header and deploy a Programmable Circulation Safety program to verify a packet’s validity. On this instance, the appliance header comprises a token that’s distinctive to the gaming protocol. The client can due to this fact write a program to extract the final byte of the token. This system passes all packets with the right worth current and drops all different visitors:
#embrace
#embrace
#embrace
#embrace "cf_ebpf_defs.h"
#embrace "cf_ebpf_helper.h"
// Customized software header
struct apphdr {
uint8_t model;
uint16_t size; // Size of the variable-length token
uint8_t token[0]; // Variable-length token
} __attribute__((packed));
uint64_t
cf_ebpf_main(void *state)
{
struct cf_ebpf_generic_ctx *ctx = state;
struct cf_ebpf_parsed_headers headers;
struct cf_ebpf_packet_data *p;
// Parse the packet headers with offered helper operate
if (parse_packet_data(ctx, &p, &headers) != 0) {
return CF_EBPF_DROP;
}
// Drop packets not destined to port 207
struct udphdr *udp_hdr = (struct udphdr *)headers.udp;
if (ntohs(udp_hdr->dest) != 207) {
return CF_EBPF_DROP;
}
// Get software header from UDP payload
struct apphdr *app = (struct apphdr *)(udp_hdr + 1);
if ((uint8_t *)(app + 1) > headers.data_end) {
return CF_EBPF_DROP;
}
// Carry out reminiscence checks to fulfill the verifier
// and entry the token safely
if ((uint8_t *)(app->token + token_len) > headers.data_end) {
return CF_EBPF_DROP;
}
// Test the final byte of the token towards anticipated worth
uint8_t *last_byte = app->token + token_len - 1;
if (*last_byte != 0xCF) {
return CF_EBPF_DROP;
}
return CF_EBPF_PASS;
} An eBPF program to filter packets in accordance with a worth within the software header.
This program leverages application-specific info to create a extra focused mitigation than Cloudflare is able to crafting by itself. Prospects can now mix their proprietary information with the capability of Cloudflare’s world community to soak up and mitigate large assaults higher than ever earlier than.
Going past firewalls: stateful monitoring and challenges
Many sample checks, just like the one carried out within the instance above, might be achieved with conventional firewalls. Nonetheless, packages present helpful primitives that aren’t obtainable in firewalls, together with variables, conditional execution, loops, and process calls. However what actually units Programmable Circulation Safety other than different options is its skill to statefully monitor flows and problem purchasers to show they’re actual. A typical sort of assault that showcases these skills is a replay assault.
In a replay assault, an attacker repeatedly sends packets that had been legitimate at some level, and due to this fact conform to anticipated patterns of the visitors, however are now not legitimate within the software’s present context. For instance, the attacker may file a few of their legitimate gameplay visitors and use a script to duplicate and transmit the identical visitors at a really excessive fee.
With Programmable Circulation Safety, a person can deploy a program that challenges suspicious purchasers and drops scripted visitors. We will prolong our unique instance as follows:
#embrace
#embrace
#embrace
#embrace "cf_ebpf_defs.h"
#embrace "cf_ebpf_helper.h"
uint64_t
cf_ebpf_main(void *state)
{
// ...
// Get the standing of this supply IP (statefully tracked)
uint8_t standing;
if (cf_ebpf_get_source_ip_status(&standing) != 0) {
return CF_EBPF_DROP;
}
change (standing) {
case NONE:
// Subject a customized problem to this supply IP
issue_challenge();
cf_ebpf_set_source_ip_status(CHALLENGED);
return CF_EBPF_DROP;
case CHALLENGED:
// Test if this packet passes the problem
// with customized logic
if (verify_challenge()) {
cf_ebpf_set_source_ip_status(VERIFIED);
return CF_EBPF_PASS;
} else {
cf_ebpf_set_source_ip_status(BLOCKED);
return CF_EBPF_DROP;
}
case VERIFIED:
// This supply IP has handed the problem
return CF_EBPF_PASS;
case BLOCKED:
// This supply IP has been blocked
return CF_EBPF_DROP;
default:
return CF_EBPF_PASS;
}
return CF_EBPF_PASS;
}
An eBPF program to problem UDP connections and statefully handle connections. This instance has been simplified for illustration functions.
This system statefully tracks the supply IP addresses it has seen and emits a packet with a cryptographic problem again to unknown purchasers. A respectable shopper operating a sound gaming shopper is ready to appropriately resolve the problem and reply with proof, however the attacker’s script isn’t. Site visitors from the attacker is marked as “blocked” and subsequent packets are dropped.
With these new skills, clients can statefully monitor flows and ensure solely actual, verified purchasers can ship visitors to their origin servers. Though now we have targeted the instance on gaming, the potential use instances for this expertise prolong to any UDP-based protocol.
We’re excited to supply the Programmable Circulation Safety function to Magic Transit Enterprise clients. Discuss to your account supervisor to be taught extra about how one can allow Programmable Circulation Safety to assist maintain your infrastructure protected.
We’re nonetheless in energetic improvement of the platform, and we’re excited to see what our customers construct subsequent. In case you are not but a Cloudflare buyer, tell us should you’d like to guard your community with Cloudflare. Be part of our Programmable Circulation Safety Discord channel to speak with us about this function.
