Subscribe to receive notifications of new posts:

Introducing Spectrum: Extending Cloudflare To 65,533 More Ports

2018-04-12

2 min read

Today we are introducing Spectrum, which brings Cloudflare’s security and acceleration to the whole spectrum of TCP ports and protocols for our Enterprise customers. It’s DDoS protection for any box, container or VM that connects to the internet; whether it runs email, file transfer or a custom protocol, it can now get the full benefits of Cloudflare. If you want to skip ahead and see it in action, you can scroll to the video demo at the bottom.

spectrum-attack

DDoS Protection

The core functionality of Spectrum is its ability to block large DDoS attacks. Spectrum benefits from Cloudflare’s existing DDoS mitigation (which this week blocked a 900 Gbps flood). Spectrum’s DDoS protection has already been battle tested. Just soon as we opened up Spectrum for beta, Spectrum received its first SYN flood.

One of Spectrum's earliest deployments was in front of Hypixel’s infrastructure. Hypixel runs the largest minecraft server, and because gamers can be - uh, passionate - they were one of the earliest targets of the terabit-per-second Mirai botnet. “Hypixel was one of the first subjects of the Mirai botnet DDoS attacks and frequently receives large attacks. Before Spectrum, we had to rely on unstable services and techniques that increased latency, worsening user's experience. Now, we're able to be continually protected without added latency, which makes it the best option for any latency and uptime sensitive service such as online gaming,” Bruce Blair, the CTO at Hypixel, told us.

Another early team we talked to about Spectrum was the security team at Montecito Bank & Trust. As a financial institution, they have a highly technical and active security team; they were also one of the first customers to use Cloudflare’s DNSSEC when it was brand new. Paul Abramson, Montecito Bank & Trust’s Director of Technology told us, “We were looking for a security solution to protect additional services like email and SSH so that if we are subject to attack, our operations can continue to run reliably and securely.”

TLS Support

Security and encryption go hand in hand. With Spectrum, you can terminate TLS at Cloudflare’s edge. The main benefit of TLS termination at the edge is that is speeds up performance (there’s less distance to travel for the three round trips of the TLS handshake).

We think the most interesting outcome is that just by adding support for TLS in the client, Cloudflare can now add encryption to legacy protocols and services that don’t traditionally support encrypted transit.

Firewall

Spectrum integrates with Cloudflare’s IP Firewall so that you can choose which connections should be forwarded to your servers and which should be blocked at Cloudflare’s edge.

This can be managed via API too, so you can write scripts that allow and deny access on the fly.

curl -X POST "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules" \
     -H "X-Auth-Email: [email protected]" \
     -H "X-Auth-Key: 0000000000000000000" \
     -H "Content-Type: application/json" \
     --data '{"mode":"block","configuration":{"target":"ip","value":"192.0.2.1"}}'

Demo

Many TCP load balancers and proxies can be cumbersome to set up, but Spectrum takes a few clicks. Tito Esterline on our team recorded a demo you can watch below. My suggestion is to play it with audio so you can hear the play by play.

Get In Touch

If you want to get started, get in touch with our team. Today Spectrum is available for applications on the Enterprise plan.

Why just Enterprise? While HTTP can use the Host header to identify services, TCP relies on each service having a unique IP address in order to identify it. Since IPv4 addresses are endangered, it’s quite expensive for us to delegate an IP per application and we needed to limit use. We’re actively thinking about ways to bring Spectrum to everyone. One idea is to offer IPv6-only Spectrum to non-Enterprise customers. Another idea is let anyone use Spectrum but pay for the IPv4 address. We’re not sure yet, but if you prefer one to the other, feel free to comment and let us know.

Oh and P.S. If you want to read about how Spectrum works, Marek wrote a great blog post about the Linux behavior that let us build it.

Cloudflare's connectivity cloud protects entire corporate networks, helps customers build Internet-scale applications efficiently, accelerates any website or Internet application, wards off DDoS attacks, keeps hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.
Product NewsSpectrumDDoSIoTSecurity

Follow on X

Dani Grant|@thedanigrant
Cloudflare|@cloudflare

Related posts

November 20, 2024 10:00 PM

Bigger and badder: how DDoS attack sizes have evolved over the last decade

If we plot the metrics associated with large DDoS attacks observed in the last 10 years, does it show a straight, steady increase in an exponential curve that keeps becoming steeper, or is it closer to a linear growth? Our analysis found the growth is not linear but rather is exponential, with the slope varying depending on the metric (rps, pps or bps). ...

November 06, 2024 8:00 AM

Exploring Internet traffic shifts and cyber attacks during the 2024 US election

Election Day 2024 in the US saw a surge in cyber activity. Cloudflare blocked several DDoS attacks on political and election sites, ensuring no impact. In this post, we analyze these attacks, as well Internet traffic increases across the US and other key trends....

October 24, 2024 1:00 PM

Durable Objects aren't just durable, they're fast: a 10x speedup for Cloudflare Queues

Learn how we built Cloudflare Queues using our own Developer Platform and how it evolved to a geographically-distributed, horizontally-scalable architecture built on Durable Objects. Our new architecture supports over 10x more throughput and over 3x lower latency compared to the previous version....