Is it all just marketing? What is CloudFlare REALLY capable of?

Hey,

assuming I used Cloudflare Spectrum or Magic Transit to protect my UDP application/game server, assuming the attacker sent spoofed high-bandwidth UDP packets (false source IP) from multiple locations, HOW IN THE WORLD could Cloudflare mitigate that?? UDP is stateless/connectionless, it wouldn’t be able to block off the attack without blocking all traffic from all or new users who are legitimately communicating with the server, some of which perhaps do so for the first time.

Can somebody explain if Cloudflare’s UDP protection is all but just marketing, or actually effective against the type of attacks that contain:

  • Near perfect heuristics
  • Perfect payload and size as legitimate users
  • Spoofed IPs targeting UDP server

How possibly could Cloudflare mitigate this? Does it have some hyper-advanced out-of-the-world technology to see whether an IP is spoofed?! I believe it would let all traffic pass and just not be effective at all, unless somebody convinces me that they truly have the capability to mitigate such attack scenarios.

Thanks.

DNS is a UDP application and gets attacked all the time, but gets protected so it’s obviously possible.

We use Spectrum for our custom UDP applications. While you are right that if exact packets are crafted that match the application it is harder to mitigate, there’s a few features that would help.

When you allocate a Spectrum application, all 65535 ports are open at the Cloudflare edge on the application IP address. We see attack traffic across ports and protocols in the logs. That’s where almost all the ■■■■ appears. People just throw stuff at it. We rarely see anything actually pick out the ports we use. The stateless nature of UDP helps here: since a connection isn’t acknowledged and terminated by the proxy as it would be for a TCP application, nothing happens and packets are dropped silently.

Obviously only the packets on the ports you choose are forwarded to your origin. This helps because even if a port isn’t open on your firewall, a flood of junk UDP traffic could still fill your server’s pipe and deny service, so by keeping the IP hidden (fully firewalled apart from Cloudflare and our break-glass IP, so it doesn’t show on port scans) only required traffic reaches our ISP and server. That again is more common than targeting an application directly.

Spoofed IPs I would assume are dealt with by the number of Cloudflare’s data centres and the peering. A spoofed IP address that should be from a network in the US shouldn’t first arrive at a Cloudflare data centre in Europe. Those can be dropped.

That leaves UDP packets that look like the application from the correct network. In our case the application is custom, so we drop out-of-spec packets silently at our origin. When hidden among the 65535 open ports, this doesn’t give anything away about what’s there. There’s probably some rate change and other detection algorithms to help as well, but no idea what those may be.

Firewalling on Spectrum uses the WAF IP rules so you can filter by IP - but that also affects the regular HTTP proxying if on the same zone. A staffer hinted to me a better firewall is on the to-do list.

Spectrum is an enterprise feature since you need a dedicated IPv4 address for each application. You can delete the application and recreate it with another IPv4 address at any time to dodge a targeted attack (although obviously they could follow the DNS, but there’s ways round that).

Since Spectrum is enterprise only, if an attack does happen that doesn’t mitigate well enough, 24/7 emergency support is just a phone call away.

It is an expensive feature for us, but we wouldn’t want to be without it now.


Hi, please send this inquiry to [email protected]
We will take a look and provide detailed info.

Thanks!


Is it possible to implement an acknowledgment system for reliable UDP protocols such as ENet and RakNet on Cloudflare’s Edge? So that the first connection request + udp application layer handshake is done on Cloudflare’s Edge before re-routing traffic to the origin servers?

Is the Cloudflare Team able to implement something like this on the Edge? Or even better, are customers able to define such a handshake themselves via e.g. a panel that allows for wireshark-like expressions or perhaps different logical expressions?

Essentially I am just wondering if Cloudflare Spectrum for UDP has a deeper understanding of these reliable wrappers of the UDP protocol, namely ENet and RakNet…

No it doesn’t. It just forwards packets (with the option to add a header to pass the real client IP and port information).

The ability to build Workers to handle incoming UDP connections is supposedly coming (and would be game changing for our product as we scale, so I remind my CSM from time-to-time that I’d be happy to alpha test it!) so then you could build anything you want on the edge…
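As an added illustration of the two ideas raised above (dropping out-of-spec packets silently at the origin, and an application-layer handshake that spoofed sources cannot complete), here is a stateless cookie handshake of the kind DTLS and QUIC use. This is example code written for this thread, not Cloudflare's, ENet's or RakNet's; the wire format is a constructed toy protocol, and in a real deployment behind Spectrum the client address would be taken from the optional proxy header mentioned in the reply rather than from the socket.

```python
import hashlib
import hmac
import os

# Constructed toy wire format (not ENet/RakNet): 2-byte magic, 1-byte type, body.
MAGIC = b"GM"
T_HELLO, T_COOKIE, T_JOIN, T_OK = 1, 2, 3, 4
HELLO_PAD = 32    # HELLO must carry padding so the reply is never larger than the request
COOKIE_LEN = 16

def make_cookie(secret, client):
    """Stateless cookie bound to the (address, port) the datagram claims to come from."""
    ip, port = client
    return hmac.new(secret, f"{ip}:{port}".encode(), hashlib.sha256).digest()[:COOKIE_LEN]

class Origin:
    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)
        self.sessions = set()   # state exists only for clients that echoed a valid cookie
        self.dropped = 0

    def handle(self, client, datagram):
        """Return the reply datagram, or None to drop silently (never an error reply)."""
        if len(datagram) < 3 or datagram[:2] != MAGIC:
            self.dropped += 1
            return None
        kind, body = datagram[2], datagram[3:]
        if kind == T_HELLO and len(body) >= HELLO_PAD:
            # No state is allocated here; a spoofed source never receives this cookie.
            return MAGIC + bytes([T_COOKIE]) + make_cookie(self.secret, client)
        if kind == T_JOIN and len(body) == COOKIE_LEN \
                and hmac.compare_digest(body, make_cookie(self.secret, client)):
            self.sessions.add(client)
            return MAGIC + bytes([T_OK])
        self.dropped += 1
        return None

def simulate():
    """Constructed traffic: one real client plus a spoofed flood; returns counters."""
    origin = Origin()
    real = ("198.51.100.7", 40000)
    reply = origin.handle(real, MAGIC + bytes([T_HELLO]) + b"\x00" * HELLO_PAD)
    cookie = reply[3:]                      # only the true holder of that address sees it
    origin.handle(real, MAGIC + bytes([T_JOIN]) + cookie)
    for i in range(1000):                   # spoofed sources never receive their cookies
        spoofed = (f"203.0.113.{i % 254 + 1}", 1024 + i)
        origin.handle(spoofed, MAGIC + bytes([T_HELLO]) + b"\x00" * HELLO_PAD)
        origin.handle(spoofed, MAGIC + bytes([T_JOIN]) + os.urandom(COOKIE_LEN))  # guess
    origin.handle(real, b"junk-out-of-spec")
    return {"sessions": len(origin.sessions), "dropped": origin.dropped}
```

The padding requirement matters: a HELLO (35 bytes) is larger than the cookie reply (19 bytes), so the server cannot be turned into an amplifier against the spoofed address.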

Hi there,
I really like the idea and want to check if we can build it for you.
Can you please email [email protected] - I’ll add my engineers so we can check what we need to build it.

Many thanks,
Botir from Cloudflare Gaming

