Performance & Reliability
CDN DNS Argo Smart Routing Load Balancing Web Optimizations China Network
Video Streaming & Delivery
Cloudflare Stream Stream Delivery
Advanced Security
DDoS Protection WAF Rate Limiting SSL / TLS DNSSEC Cloudflare Access Cloudflare Spectrum Argo Tunnel
Insights
Analytics Cloudflare Logs
Cloudflare for Developers
Cloudflare Workers Cloudflare Workers KV BETA Mobile SDK
Domain Registration
Cloudflare Registrar
Cloudflare Marketplace
Cloudflare Apps
Cloudflare for Everyone
1.1.1.1
Performance
Accelerate Internet Applications Accelerate Mobile Experiences Ensure Application Availability
Security
Mitigate DDoS Attacks Prevent Customer Data Breaches Stop Malicious Bot Abuse
Industries
SaaS eCommerce Publishers Public Sector
Partnerships
Partner Program Hosting Provider Referral Reseller / MSP OEM / Technology Workers Partner Program Peering Portal Bandwidth Alliance
Integrations
IBM Cloud WordPress Google Cloud Magento Acquia Rackspace Microsoft Azure Kubernetes WP Engine
Develop
API Guide Developer Hub Developer Fund Documentation
Explore
Case Studies Cloudflare in China Network Map Webinars Product Updates White Papers GDPR
Learn
DDoS Learning Center CDN Learning Center DNS Learning Center Security Learning Center Performance Learning Center Serverless Learning Center SSL Learning Center
Connect
Blog Contact Sales Community Support
Contact

Cloudflare Spectrum | TCP Security

Open the power of Cloudflare to the entire Internet

If you run TCP services on your origin, not just web-servers, but also gaming services, remote server access (SSH), or email (SMTP), they are exposed through open ports.

This means malicious attackers can send volumetric DDoS traffic or attempt to snoop sensitive, unencrypted data.

With Spectrum, you can extend the power of Cloudflare's DDoS, TLS, and IP Firewall to not just your web servers, but also your other TCP-based services, keeping them online and secure.

Contact Sales
"Before Spectrum, we had to rely on unstable services & techniques that increased latency, worsening user's experience. Now, we're able to be continually protected without added latency, which makes it the best option for any latency & uptime sensitive service such as online gaming."
Bruce Blair
Chief Technology Officer

Challenges Protecting TCP Traffic and Ports

Your origin infrastructure is exposed when delivering TCP services such as: custom gaming protocols, remote server access (SSH), secure file transfer services (SFTP), and email (SMTP).

Attackers can directly send volumetric DDoS traffic to those services, degrading web performance or bringing them down entirely. Attackers can also snoop unencrypted traffic on those ports to steal confidential data or credentials.

Cloudflare Spectrum

Spectrum extends the power of Cloudflare to protect not just your web traffic, but your other TCP ports and protocols from layer 3 and 4 DDoS. By enabling TLS encryption, Spectrum reduces the ability for attackers to snoop and steal sensitive data.

Bad IP addresses can be blocked through integration with Cloudflare’s IP Firewall. Now you can protect your origin and all TCP services you expose to the Internet.

DDoS Protection for TCP Services

When you run Internet-facing services, such as email, remote access to servers, gaming networks, or secure file transfer, you've exposed your origin infrastructure to direct DDoS through those open ports.

Cloudflare’s Spectrum ensures all your TCP services are protected against Layer 3 and 4 DDoS attacks, remaining online and performant.

Secure TCP traffic with TLS

If your non-web TCP services include unencrypted sensitive information, your sensitive data is vulnerable to snooping.

Spectrum encrypts services running on TCP to prevent unencrypted data, such as user credentials, from falling into the wrong hands.

IP Address & Range Blocking

Spectrum integrates with Cloudflare’s IP Firewall, allowing you to block or challenge IP addresses or entire IP ranges from reaching your TCP services.

Easy Configuration in Dashboard or API

Spectrum gives control and flexibility with easy configuration on a per-application basis within the Cloudflare dashboard or API.

Configuration options for Spectrum include:

  • Domain or Subdomain

  • Edge Port

  • Origin IP / Port for Service

  • Edge Port Specification

  • TLS (Flexible/Off)

  • IP Firewall (I/O)

  • PROXY Protocol (I/O)

"We were looking for a security solution to protect additional services like email and ssh so that if we are subject to attack, our operations can continue to run reliably and securely. We are happy to see Cloudflare launch Spectrum."
Paul Abramson
Director of Technology

Key Features

Proxy non-HTTP/S TCP traffic through Cloudflare

Configurable on a per-application basis

Whitelist or blacklist IP addresses

Supports any proprietary TCP protocol

Flexible and Full TLS

“Always On” Layer 3 and 4 DDoS Protection

Real-time application-specific analytics

Allow TLS passthrough traffic

Easy setup through dashboard UI or API

Supports multiple ports for an application's hostname

Load balance layer 4 traffic across multiple origins

Layer 4 health checks

Supports multiple ports on the same hostname or application

Cloudflare Enterprise users can enable Spectrum today

To start using Spectrum, you'll need to be subscribed to a Cloudflare Enterprise plan. By enabling Spectrum, you’ll receive encryption and unmetered mitigation of volumetric DDoS attacks for non-web TCP protocols and ports.

Contact Sales

To provide you with the best possible experience on our website, we may use cookies, as described here.
By clicking accept, closing this banner, or continuing to browse our websites, you consent to the use of such cookies.