Cloudflare promises to tend not two, but 65,535 ports in a storm

But no Daily Stormer please

Cloudflare made its name proxying traffic for web servers, on network ports 80 (HTTP) and 443 (HTTPS), as a defense against denial of service attacks and their ilk.

On Thursday, the online security biz broadened its ambitions by extending its watch over the remaining possible TCP/IP network ports under IPv4.

Cloudflare introduced a service called Spectrum, saying its distributed denial of service protection, load balancing and content acceleration service now extends to 65,533 more ports.

Though the math adds up – 65,533 plus 2, for ports 80 and 443, equals 65,535, covering the full spectrum of ports from 1 to 2^16 − 1 – there's a bit of fudging here. Cloudflare previously proxied a handful of other ports beyond those used for websites, even if it only accommodated two for Cloudflare Apps.

But quibbling aside, the upshot is that all sorts of other TCP-based protocols can be shielded, shifted and sped up, at least for Cloudflare enterprise customers.

That means services running on other ports like email servers, SSH, IoT devices, and gaming servers – apart from those affiliated with neo-Nazi hate speech – can take cover behind a prophylactic proxy.

Gaming service Hypixel, the target of DDoS attacks from the Mirai botnet, has been among the organizations testing the service.

"Before Spectrum, we had to rely on unstable services and techniques that increased latency, worsening user's experience," Hypixel's CTO Bruce Blair said. "Now, we're able to be continually protected without added latency, which makes it the best option for any latency and uptime sensitive service such as online gaming."

Making the system work proved to be a minor technical feat. The BSD sockets API underpinning Cloudflare's edge Linux servers was not amenable to being configured to accept inbound connections on any port. The company's engineers could have used a bind system call on each of the 65535 server ports, but the technical consequences made that option unworkable.

Instead, the techs used Cloudflare's firewall to analyze IP packets and decide whether to keep them, in conjunction with the relatively obscure TPROXY iptables module to handle the socket dispatch for incoming packets.

"With its help we can perform things we thought impossible using the standard BSD sockets API, avoiding the need for any custom kernel patches," explained Cloudflare network engineer Marek Majkowski in a blog post. ®
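The TPROXY trick the article alludes to, as an added illustration that is not Cloudflare's code: one socket with the Linux IP_TRANSPARENT option, plus a mangle-table TPROXY rule and a policy-routing entry, receives TCP connections dialled to any port, and the accepted socket's local address still carries the port the client actually asked for. The listener port 15000, the fwmark and the routing-table number are assumed values; applying the rules needs Linux and CAP_NET_ADMIN.

```python
import socket
import subprocess

IP_TRANSPARENT = 19   # value from <linux/in.h>; not every Python build exports it
LISTEN_PORT = 15000   # assumed local port the TPROXY rule steers traffic to
FWMARK = "0x1"        # assumed packet mark used to select the local route
TABLE = "100"         # assumed routing table holding the catch-all local route


def tproxy_setup_commands(listen_port: int = LISTEN_PORT) -> list[list[str]]:
    """Commands that send every inbound TCP port to one local socket.

    TPROXY does not rewrite the packet: it marks it and pins it to the
    listening socket. The fwmark rule and the 'local 0.0.0.0/0' route on
    'lo' make the kernel deliver marked packets locally even though their
    destination IP is not configured on the host. A real deployment would
    first exempt its own management ports (e.g. SSH) from the rule.
    """
    return [
        ["ip", "rule", "add", "fwmark", FWMARK, "lookup", TABLE],
        ["ip", "route", "add", "local", "0.0.0.0/0", "dev", "lo", "table", TABLE],
        ["iptables", "-t", "mangle", "-A", "PREROUTING", "-p", "tcp",
         "--dport", "1:65535", "-j", "TPROXY",
         "--on-port", str(listen_port), "--tproxy-mark", f"{FWMARK}/{FWMARK}"],
    ]


def apply_tproxy_rules(listen_port: int = LISTEN_PORT) -> None:
    for cmd in tproxy_setup_commands(listen_port):
        subprocess.run(cmd, check=True)


def make_transparent_listener(listen_port: int = LISTEN_PORT) -> socket.socket:
    """One bind() instead of 65,535: IP_TRANSPARENT lets this socket accept
    connections whose destination address is not a local address."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)  # requires CAP_NET_ADMIN
    s.bind(("0.0.0.0", listen_port))
    s.listen(128)
    return s


def original_destination(conn: socket.socket) -> tuple[str, int]:
    """Under TPROXY the accepted socket's local address is what the client
    dialled, so the service can be dispatched on that port directly."""
    host, port = conn.getsockname()
    return host, port


def serve_forever(listen_port: int = LISTEN_PORT) -> None:
    with make_transparent_listener(listen_port) as srv:
        while True:
            conn, peer = srv.accept()
            with conn:
                dst_host, dst_port = original_destination(conn)
                print(f"{peer[0]}:{peer[1]} -> {dst_host}:{dst_port}")
```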
