Cloudflare Spectrum | DDoS protection for TCP and UDP services
Open the power of Cloudflare to the entire Internet
If you run TCP or UDP services on your origin, not just web-servers, but also gaming services, remote server access (SSH), or email (SMTP), they are exposed through open ports.
This means malicious attackers can send volumetric DDoS traffic or attempt to snoop sensitive, unencrypted data.
With Spectrum, you can extend the power of Cloudflare's DDoS, TLS, and IP Firewall to not just your web servers, but also your other TCP and UDP-based services, keeping them online and secure.
Chief Technology Officer
Challenges Protecting TCP and UDP Traffic and Ports
Your origin infrastructure is exposed when delivering TCP/UDP services such as: custom gaming protocols, remote server access (SSH), secure file transfer services (SFTP), and email (SMTP).
Attackers can directly send volumetric DDoS traffic to those services, degrading performance. Attackers can also snoop unencrypted traffic on those ports to steal confidential data or credentials.
Cloudflare Spectrum
Spectrum extends the power of Cloudflare to protect not just your web traffic, but your other TCP/UDP ports and protocols from layer 3 and 4 DDoS. Further, by enabling TLS encryption for TCP services, Spectrum reduces the ability for attackers to snoop and steal sensitive data.
Bad IP addresses can be blocked through integration with Cloudflare’s IP Firewall. Now you can protect your origin and all TCP/UDP services you expose to the Internet.
DDoS Protection for TCP/UDP Services
When you run Internet-facing services, such as email, remote access to servers, custom gaming protocols, or secure file transfer, you've exposed your origin infrastructure to direct DDoS through those open ports.
Cloudflare’s Spectrum ensures all your TCP/UDP services are protected against Layer 3 and 4 DDoS attacks, remaining online and performant.
Secure TCP traffic with TLS
If your non-web TCP services include unencrypted sensitive information, your sensitive data is vulnerable to snooping.
Spectrum encrypts services running on TCP to prevent unencrypted data, such as user credentials, from falling into the wrong hands.
IP Address & Range Blocking
Spectrum integrates with Cloudflare’s IP Firewall, allowing you to block or challenge IP addresses or entire IP ranges from reaching your TCP/UDP services.
Easy Configuration in Dashboard or API
Spectrum gives control and flexibility with easy configuration on a per-application basis within the Cloudflare dashboard or API.
Configuration options for Spectrum include:
Domain or Subdomain
Edge Port
Origin IP / Port for Service
Edge Port Specification
TLS (Flexible/Off)
IP Firewall (I/O)
PROXY Protocol (I/O)
Director of Technology
Key Features
Proxy any TCP/UDP traffic through Cloudflare
Configurable on a per-application basis
Whitelist or blacklist IP addresses
Supports any proprietary TCP/UDP protocol
“Always On” Layer 3 and 4 DDoS Protection
Real-time application-specific analytics
Allow TLS passthrough traffic
Easy setup through dashboard UI or API
Load balance layer 4 traffic across multiple origins
Layer 4 health checks
Supports multiple ports on the same hostname or application
Cloudflare Enterprise users can enable Spectrum today
To start using Spectrum, you'll need to be subscribed to a Cloudflare Enterprise plan. By enabling Spectrum, you’ll receive encryption and unmetered mitigation of volumetric DDoS attacks for non-web TCP protocols and ports.
