Cloudflare Spectrum — TCP/UDP Protection for Non-HTTP Traffic
In this tutorial, you'll learn about Cloudflare Spectrum. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
Cloudflare Spectrum extends DDoS protection and traffic acceleration to any TCP or UDP application, not just HTTP services. This tutorial explains how Spectrum works, how to configure it for non-web protocols, and how it fits into your overall security architecture.
Why Spectrum Matters
HTTP traffic gets Cloudflare protection automatically, but many applications use custom TCP or UDP protocols. Gaming servers use UDP. Email relays use SMTP over TCP. SSH uses TCP on port 22. Without Spectrum, these services are exposed directly to the internet and vulnerable to layer 3 and layer 4 DDoS attacks.
Real-world use: DodaZIP's enterprise file transfer service uses Spectrum to proxy SFTP traffic on port 22. DDoS attacks that previously saturated the 1 Gbps origin link are now absorbed at Cloudflare's edge, and the service maintains availability during attacks exceeding 1 Tbps.
How Spectrum Works
```mermaid
flowchart LR
    C[Client] --> E1[Cloudflare Edge]
    E1 --> E2[Cloudflare Network]
    E2 --> O[Origin Server]
    subgraph SP[Spectrum Proxy]
        E1
        E2
    end
    C -.->|TCP/UDP| E1
    E2 -.->|TCP/UDP| O
    style C fill:#09c,color:#fff
    style O fill:#090,color:#fff
    style SP fill:#f90,color:#fff
```
Spectrum vs Proxy
The main difference between Cloudflare proxy (orange cloud) and Spectrum is the protocol support.
| Feature | Cloudflare Proxy (HTTP) | Spectrum (TCP/UDP) |
|---|---|---|
| Protocols | HTTP, HTTPS, WebSocket | Any TCP or UDP |
| Port support | Standard web ports | Any port |
| DDoS protection | Layer 7 | Layer 3-4 + optional L7 |
| Caching | Yes | No |
| WAF rules | Yes | No (L4 only) |
Configuring Spectrum
Spectrum requires an Enterprise plan. Configuration happens under the Spectrum tab in the dashboard or via API.
```bash
# Create a Spectrum application for SSH (TCP/22).
# Spectrum apps are managed per zone, so the path takes the zone ID.
curl -X POST "https://api.cloudflare.com/client/v4/zones/{zone_id}/spectrum/apps" \
  -H "Authorization: Bearer {api_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "protocol": "tcp/22",
    "dns": {
      "type": "CNAME",
      "name": "ssh.example.com"
    },
    "origin_direct": ["tcp://203.0.113.10:22"],
    "ip_firewall": true,
    "proxy_protocol": "off",
    "tls": "off",
    "traffic_type": "direct"
  }'
# Traffic flows: client -> Cloudflare edge -> 203.0.113.10:22

# Create a Spectrum application for a UDP gaming server
curl -X POST "https://api.cloudflare.com/client/v4/zones/{zone_id}/spectrum/apps" \
  -H "Authorization: Bearer {api_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "protocol": "udp/27015",
    "dns": {
      "type": "CNAME",
      "name": "game.example.com"
    },
    "origin_direct": ["udp://203.0.113.20:27015"],
    "ip_firewall": true,
    "traffic_type": "direct"
  }'
# UDP traffic is proxied through Cloudflare's edge network to 203.0.113.20:27015

# Verify Spectrum application status
curl -s "https://api.cloudflare.com/client/v4/zones/{zone_id}/spectrum/apps" \
  -H "Authorization: Bearer {api_token}" | jq '.result[].status'
# Returns "active" or "disabled" for each Spectrum app
```
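The following is an added example, not code from the original tutorial or from Cloudflare: a small Python check over app objects shaped like the payloads above, flagging the settings a defender would review before relying on Spectrum. The sample data is constructed, and the names `audit_app` and `audit` are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Constructed sample shaped like the "result" array of the list call;
# the second app is deliberately misconfigured.
SAMPLE_APPS = json.loads("""[
  {"protocol": "tcp/22",
   "dns": {"type": "CNAME", "name": "ssh.example.com"},
   "origin_direct": ["tcp://203.0.113.10:22"],
   "ip_firewall": true, "proxy_protocol": "off",
   "tls": "off", "traffic_type": "direct"},
  {"protocol": "udp/27015",
   "dns": {"type": "CNAME", "name": "game.example.com"},
   "origin_direct": ["tcp://203.0.113.20:27015"],
   "ip_firewall": false, "traffic_type": "direct"}
]""")


def audit_app(app):
    """Return (level, message) findings for one Spectrum app object."""
    findings = []
    transport = app.get("protocol", "").partition("/")[0]
    if transport not in ("tcp", "udp"):
        findings.append(("error", f"unexpected protocol {app.get('protocol')!r}"))
    for origin in app.get("origin_direct", []):
        url = urlsplit(origin)
        # Assumption: origin scheme matches the edge transport, as in the page's payloads.
        if url.scheme != transport or url.port is None:
            findings.append(("error", f"origin {origin} is not {transport}://host:port"))
    if app.get("ip_firewall") is not True:
        findings.append(("warn", "ip_firewall off: IP Access Rules do not apply to this app"))
    if app.get("proxy_protocol", "off") == "off":
        findings.append(("info", "proxy_protocol off: origin sees Cloudflare addresses, not client IPs"))
    return findings


def audit(apps):
    """Map each app's DNS name to its findings."""
    return {app["dns"]["name"]: audit_app(app) for app in apps}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_APPS).items():
        for level, message in findings:
            print(f"{level:5} {name}: {message}")
```

The `info` finding is not a fault for SSH: it is a reminder that origin-side logs and per-IP lockout tools will attribute every connection to Cloudflare unless a proxy protocol mode is enabled and the origin understands it.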
DDoS Protection for Non-HTTP Traffic
Spectrum provides layer 3 and layer 4 DDoS mitigation. Attack traffic is dropped at the edge before reaching your origin.
```text
# Enable IP Access Rules for Spectrum
# Navigate to Security > WAF > IP Access Rules
# Apply rules globally or per-Spectrum-app
# Rule example: block traffic from specific countries or ASNs

# Configure rate limiting for Spectrum connections
# Under Security > Rate Limiting, create a rule targeting
# spectrum traffic by destination port
# Example: Max 100 connections per IP per 10 seconds on port 22
```
Practice Questions
- What is the main difference between Cloudflare proxy and Spectrum?
- How does Spectrum protect non-HTTP services from DDoS attacks?
- What configuration changes are needed on the origin side when using Spectrum with TLS termination?
Summary
Cloudflare Spectrum protects any TCP or UDP application with edge-based DDoS mitigation and traffic acceleration. It extends Cloudflare's security capabilities beyond HTTP to protocols like SSH, RDP, gaming, and custom TCP/UDP services. Spectrum requires an Enterprise plan and is configured through the dashboard or API with a DNS record for the application and the origin server address that Cloudflare forwards traffic to.
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.