Introduction
Custom Layer 4 rules are available to all customers with eligible services. These can be created from the Filtering page at the service level.
What are Layer 4 Rules?
Layer 4 rules operate at the transport layer of network traffic (TCP/UDP), allowing you to filter packets based on IP addresses, port numbers, packet characteristics, and connection properties. Unlike Layer 7 rules which inspect HTTP/HTTPS content, Layer 4 rules work with raw network packets and can be applied to any protocol.
Layer 4 rules are processed before traffic reaches your backend servers, providing efficient protection against attacks and unwanted traffic. These rules are ideal for:
- Blocking specific IP addresses or ranges
- Filtering traffic based on packet patterns using BPF expressions
- Rate limiting connections from specific sources
- Protecting against SYN floods and other network-layer attacks
- Whitelisting trusted networks
For simpler IP-based blocking and allowing, consider using ACL Rules which provide a straightforward whitelist/blacklist mechanism without the advanced matching options of Layer 4 rules.
How Rules Work
Rules are evaluated in the order they appear in your rule list. Each rule consists of:
- Match Conditions - Criteria that identify which packets the rule applies to
- Target Action - What to do with matching packets (e.g. DROP or TCP VERIFY)
- Hook - When to evaluate the rule (New Connection or All Traffic)
When a packet matches all conditions in a rule, the target action is applied. If a packet doesn't match, evaluation continues to the next rule.
Match Options
Match options define the criteria for selecting which packets your rule applies to. You can combine multiple match options in a single rule - all enabled conditions must match for the rule to trigger.
BPF Match Expression
Berkeley Packet Filter (BPF) expressions provide a powerful way to match specific packet characteristics. BPF is the same syntax used by tools like tcpdump on Linux/Unix systems.
How it works: BPF expressions are evaluated first, before other match conditions. They allow you to filter based on:
- Protocol type (TCP, UDP, ICMP)
- Port numbers (source or destination)
- Packet flags (SYN, ACK, etc.)
- Packet size
- Header fields and values
Best Practices:
- Keep expressions as specific as possible for better performance
- Test expressions using tcpdump on your local machine first
- Avoid overly complex expressions that could impact performance
- Poorly designed rules consuming excessive resources may be removed by support staff
Example: tcp dst port 80 matches all TCP packets destined for port 80 (HTTP traffic).
See the BPF Cheatsheet section at the bottom for more examples.
IP List
IP lists allow you to match packets from specific source IP addresses or ranges.
Preset Lists:
- Tor Exit Nodes - Automatically maintained list of known Tor network exit points
- VPN & Server Networks - Common VPN providers and datacenter IP ranges
Custom Lists: You can provide your own list of IP addresses or CIDR ranges (one per line). For example:
1.2.3.4
10.0.0.0/24
192.168.1.0/24
Use IPv4 addresses only.
TCP
TCP-specific matching options allow you to filter based on TCP connection characteristics.
TCP MSS (Maximum Segment Size): Match TCP connections based on their Maximum Segment Size value. MSS is the largest amount of data the sender of a SYN is willing to receive in a single TCP segment; it is carried as a TCP option in the SYN, so it is known at connection setup.
Specify a range (minimum and maximum) to match:
- Lower bound - Minimum MSS value (e.g., 1400)
- Upper bound - Maximum MSS value (e.g., 1460)
Use cases:
- Detecting certain types of connections or clients
- Identifying tunneled or encapsulated traffic
- Filtering based on connection characteristics
Example: MSS between 1400-1460 would match most clients on standard Ethernet (1460 is the usual IPv4 value). Clients behind PPPoE links or tunnels commonly advertise lower values (such as 1452), so a tight range will also catch some legitimate clients; widen the range or test before dropping.
Rate Limit
Rate limiting matches traffic that exceeds (or falls under) a specified rate threshold. This is useful for identifying abnormal traffic patterns or limiting resource consumption.
How it works: You define a maximum rate and burst size. The rule matches when traffic:
- Exceeds the specified rate (useful for detecting floods)
- Is under the specified rate (useful for whitelisting normal traffic)
Rate Units:
- packet/s - Packets per second
- bytes/s - Bytes per second
- kb/s - Kilobytes per second
- mb/s - Megabytes per second
Rate Calculation: Choose what to include in the rate calculation:
- Source IP - Track rate per unique source IP address
- Source Port - Track rate per source port
- Destination Port - Track rate per destination port
Multiple options can be combined. For example, selecting "Source IP" and "Destination Port" tracks the rate of packets from each IP to each destination port separately. Selecting all three options (Source IP + Source Port + Destination Port) is equivalent to tracking per connection.
Burst: The burst value allows temporary spikes above the rate limit. For example, with a rate of 10 packet/s and burst of 20, up to 20 packets can arrive at once, but the sustained rate must stay at or below 10/s.
Example: Rate > 100 packet/s from Source IP would match sources sending more than 100 packets per second.
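The rate, burst and key-field semantics described above behave like a token bucket per key. The following is an added example, not the filtering service's own code: it models those semantics so you can predict which packets a given Rate Limit rule would match. The packets, timestamps and addresses are constructed for illustration; the exact refill arithmetic of the real service is an assumption.

```python
"""Token-bucket model of the Rate Limit match option.

Added example, not the filtering service's code: it models the semantics the
section above describes (a sustained rate plus a burst allowance, tracked per
the selected key fields) so you can predict which packets a rule would match.
All timestamps and packets below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    ts: float          # arrival time in seconds
    src_ip: str
    src_port: int
    dst_port: int
    length: int = 64   # bytes; only used when unit is "bytes/s"


@dataclass
class RateLimitMatch:
    rate: float                   # sustained limit, in packets or bytes per second
    burst: float                  # bucket capacity: the largest spike accepted at once
    key_fields: tuple             # any subset of ("src_ip", "src_port", "dst_port")
    unit: str = "packet/s"        # or "bytes/s"
    exceed: bool = True           # True: match traffic over the rate; False: under it
    _buckets: dict = field(default_factory=dict, init=False, repr=False)

    def _key(self, p):
        # Only the selected fields form the key, so ("src_ip",) pools every
        # port from one address into a single bucket.
        return tuple(getattr(p, f) for f in self.key_fields)

    def matches(self, p):
        key = self._key(p)
        tokens, last = self._buckets.get(key, (self.burst, p.ts))
        # Refill at `rate` tokens/s since the previous packet, capped at `burst`
        # (assumed model of the service's rate/burst accounting).
        tokens = min(self.burst, tokens + (p.ts - last) * self.rate)
        cost = p.length if self.unit == "bytes/s" else 1
        over = tokens < cost
        if not over:
            tokens -= cost
        self._buckets[key] = (tokens, p.ts)
        return over if self.exceed else not over


def simulate(rule, packets):
    """Indexes of the packets the rule matches (with Target: DROP, the ones dropped)."""
    return [i for i, p in enumerate(packets) if rule.matches(p)]


def burst_example():
    # Rate 10 packet/s, burst 20, per Source IP: 25 packets arrive in the same
    # instant. The first 20 fit the burst; packets 21-25 match.
    rule = RateLimitMatch(rate=10, burst=20, key_fields=("src_ip",))
    pkts = [Packet(0.0, "203.0.113.5", 40000 + i, 53) for i in range(25)]
    return simulate(rule, pkts)                       # [20, 21, 22, 23, 24]


def sustained_example():
    # 8 packet/s against a 4 packet/s limit with burst 8. Once the bucket drains
    # (after packet 14), only every other packet finds a token: the sustained
    # rate is held to 4/s and the excess matches.
    rule = RateLimitMatch(rate=4, burst=8, key_fields=("src_ip",))
    pkts = [Packet(i * 0.125, "198.51.100.9", 50000, 53) for i in range(20)]
    return simulate(rule, pkts)                       # [15, 17, 19]


def key_fields_example():
    # One address sends 15 packets to port 53 and 15 to port 80 at once.
    # Keyed on Source IP alone they share one bucket of 20; keyed on
    # Source IP + Destination Port each port gets its own bucket and nothing matches.
    pkts = [Packet(0.0, "203.0.113.5", 40000 + i, 53) for i in range(15)]
    pkts += [Packet(0.0, "203.0.113.5", 41000 + i, 80) for i in range(15)]
    per_ip = simulate(RateLimitMatch(10, 20, ("src_ip",)), pkts)
    per_ip_and_port = simulate(RateLimitMatch(10, 20, ("src_ip", "dst_port")), pkts)
    return per_ip, per_ip_and_port                    # ([20, ..., 29], [])


if __name__ == "__main__":
    print(burst_example(), sustained_example(), key_fields_example())
```

The third scenario is the practical point of the key-field choice: the coarser the key, the more easily unrelated flows from one address add up to a match, which is what you want against a flood from one source and what you do not want behind a shared NAT address.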
Region
Restrict the rule to only be evaluated in a specific geographic region. This is useful if you have services deployed in multiple regions and want different filtering rules in each location.
If enabled, select the region where this rule should apply. The rule will only be active on servers in that region.
Match On (Evaluation Hook)
The "Match On" setting determines when your rule is evaluated in the packet processing pipeline. This impacts both performance and what types of traffic can be filtered.
New Connection (Recommended)
The rule is evaluated only when a new connection is established. This is the most efficient option as it processes fewer packets.
When to use:
- Most filtering scenarios
- Blocking IP addresses or ranges
- Rate limiting new connections
- General DDoS protection
Limitations:
- Only sees the initial connection packet(s)
- Cannot match on specific packet types within an established connection
All Traffic
The rule is evaluated on every packet, including those in established connections.
When to use:
- Filtering specific packet types (non-SYN TCP packets)
- Complex BPF expressions that need to inspect individual packets
- Matching on packet characteristics beyond connection establishment
Important Notes:
- Available on Anycast services (not available on Budget services)
- More resource-intensive than "New Connection"
- Use only when "New Connection" is insufficient for your needs
Best Practice: Start with "New Connection" unless you have a specific need to inspect all packets.
Target Options
The target option determines what action is taken when a packet matches your rule's conditions.
DROP
Action: Immediately drop the matching packet without forwarding it to your backend server.
How it works:
- Packet is silently discarded
- No response is sent to the sender
- Connection is prevented from being established
- No further processing occurs for the dropped packet
When to use:
- Blocking malicious traffic
- Dropping packets from specific IP addresses
- Preventing connections that match attack patterns
- Filtering unwanted protocols or ports
Example: A rule matching BPF expression udp port 19 with target DROP would silently discard all UDP packets on port 19.
TCP VERIFY (TCP SYN Proxy)
Action: Verify that the TCP connection is legitimate by validating the TCP handshake before forwarding to your backend.
How it works:
- Intercepts the initial TCP SYN packet
- Completes the TCP handshake on behalf of your backend
- Only forwards legitimate, validated connections to your server
- Automatically filters spoofed IP addresses and SYN floods, since a spoofed source never receives the SYN-ACK and so cannot complete the handshake
Requirements:
- Must be applied as an "All Traffic" rule (Match On: All Traffic)
- Only works with TCP traffic
- Available on Anycast services
When to use:
- Protecting against SYN flood attacks
- Filtering spoofed source IP addresses
- Verifying TCP connections before they reach your backend
- Adding an extra layer of protection for critical services
Important: TCP VERIFY does not increase latency. It may, however, reduce client compatibility, particularly with legacy or minimal TCP stacks, and may lower the maximum throughput of a TCP stream because the advertised window is reduced.
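To make the handshake exchange concrete, here is an added illustration of the generic stateless SYN-proxy (SYN cookie) technique that TCP VERIFY is described as using. It is not the filtering service's implementation: the cookie construction, the secret, the slot length and all addresses and ports are assumptions made for the example. Both sides of the exchange are modelled, so you can see why a spoofed source is never forwarded and why the proxy holds no per-SYN state during a flood.

```python
"""Stateless SYN-proxy (SYN cookie) exchange, modelling the TCP VERIFY target.

Added illustration, not the filtering service's implementation. It shows the
generic SYN-cookie technique: every SYN gets a SYN-ACK whose sequence number is
a keyed hash of the 4-tuple and a time slot, the proxy stores nothing, and a
connection is forwarded only when the client's ACK proves it received that
SYN-ACK. Addresses, ports, the secret and the slot length are constructed.
"""
import hashlib
import hmac

SERVER = "192.0.2.10"            # constructed address of the protected backend
SECRET = b"per-node-secret"      # assumption: rotated by the proxy operator
SLOT_SECONDS = 60                # assumption: how long a cookie stays valid


def syn_cookie(src, sport, dst, dport, slot):
    """32-bit SYN-ACK sequence number derived from the 4-tuple and time slot.
    It can be recomputed from the client's ACK, so no per-SYN state is kept."""
    msg = f"{src}:{sport}>{dst}:{dport}@{slot}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class SynProxy:
    def __init__(self, clock):
        self.clock = clock          # returns seconds; injected so tests can move time
        self.forwarded = []         # handshakes completed and handed to the backend
        # Note what is absent: no table of half-open connections. A SYN flood
        # therefore cannot exhaust memory here the way it would on the backend.

    def slot(self):
        return self.clock() // SLOT_SECONDS

    def on_syn(self, src, sport, dst, dport, client_seq):
        """Answer the SYN on the backend's behalf. Returns the SYN-ACK to send."""
        seq = syn_cookie(src, sport, dst, dport, self.slot())
        return {"type": "SYN-ACK", "seq": seq, "ack": (client_seq + 1) & 0xFFFFFFFF}

    def on_ack(self, src, sport, dst, dport, ack):
        """Forward only if ack-1 is the cookie for the current or previous slot."""
        for s in (self.slot(), self.slot() - 1):
            if (ack - 1) & 0xFFFFFFFF == syn_cookie(src, sport, dst, dport, s):
                self.forwarded.append((src, sport, dst, dport))
                return True
        return False


def handshake(proxy, network, claimed_src, real_src, sport):
    """One connection attempt over a toy network (address -> inbox of replies).
    The SYN carries `claimed_src`; the SYN-ACK is delivered to whoever owns that
    address, so a spoofing sender (`real_src` != `claimed_src`) never sees it."""
    synack = proxy.on_syn(claimed_src, sport, SERVER, 443, client_seq=1000)
    network.setdefault(claimed_src, []).append(synack)
    inbox = network.setdefault(real_src, [])
    if not inbox:
        return False                # nothing to answer with
    reply = inbox.pop()
    return proxy.on_ack(claimed_src, sport, SERVER, 443, reply["seq"] + 1)


def legitimate_client():
    proxy = SynProxy(lambda: 0)
    return handshake(proxy, {}, "198.51.100.7", "198.51.100.7", 50000)   # True


def spoofed_flood():
    """10,000 SYNs with forged sources: none verified, nothing forwarded."""
    proxy = SynProxy(lambda: 0)
    network = {}
    verified = [handshake(proxy, network, f"203.0.113.{i % 254 + 1}", "attacker", 1024 + i)
                for i in range(10_000)]
    return any(verified), len(proxy.forwarded)                          # (False, 0)


def guessed_ack():
    """An attacker who never saw the SYN-ACK has to guess 32 bits."""
    proxy = SynProxy(lambda: 0)
    return proxy.on_ack("203.0.113.9", 4444, SERVER, 443, ack=0x12345678)  # False


def stale_ack():
    """A correct cookie presented three slots later is no longer accepted."""
    clock = [0]
    proxy = SynProxy(lambda: clock[0])
    synack = proxy.on_syn("198.51.100.7", 50000, SERVER, 443, client_seq=1000)
    clock[0] = 3 * SLOT_SECONDS
    return proxy.on_ack("198.51.100.7", 50000, SERVER, 443, synack["seq"] + 1)  # False
```

The compatibility and throughput caveats above follow from the same design: because the proxy keeps nothing between the SYN and the ACK, options from the original SYN (window scale, SACK, the full MSS) are lost unless they are squeezed into the cookie bits, which is why classic SYN cookies constrain the window and can confuse minimal TCP stacks. Whether the service's TCP VERIFY uses exactly this construction is not stated on this page.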
Common Use Cases
Below are examples demonstrating how to use Layer 4 rules to solve common filtering needs.
Example 1: Block a Preset Network List (Tor Exit Nodes)
Goal: Drop all traffic from Tor exit nodes
Configuration:
- IP List: Enable, select "Preset: Tor Exit Nodes"
- Target: DROP
- Match On: New Connection
Result: All connection attempts from Tor network exit points are blocked.
Example 2: Block a Specific IP Range
Goal: Prevent connections from a specific subnet that's sending malicious traffic
Configuration:
- IP List: Enable, select "Custom Set", enter:
192.0.2.0/24
- Target: DROP
- Match On: New Connection
Result: All new connection attempts from IPs in the 192.0.2.0/24 range are dropped.
Example 3: Rate Limit DNS Queries
Goal: Limit DNS query rate to prevent DNS amplification attacks
Configuration:
- BPF Match: udp port 53
- Rate Limit: Enable
- Criteria: > 100 packet/s + 200 burst
- Include: Source IP
- Target: DROP
- Match On: New Connection
Result: Sources sending more than 100 DNS packets per second (with a burst allowance of 200) are blocked. Note that udp port 53 matches a packet whose source or destination port is 53; if you only want to count queries arriving at your server, use udp dst port 53 instead.
Example 4: Filter Small UDP Packets
Goal: Drop UDP packets of 100 bytes or smaller (common in certain attacks)
Configuration:
- BPF Match: udp and less 100
- Target: DROP
- Match On: All Traffic
Result: UDP packets of 100 bytes or smaller are dropped. In tcpdump syntax less N means a length less than or equal to N; use udp and len < 100 if you need a strict limit.
Example 5: Protect Against SYN Floods
Goal: Verify all TCP connections to prevent SYN flood attacks
Configuration:
- BPF Match: tcp
- Target: TCP VERIFY
- Match On: All Traffic
Result: All TCP connections are verified using SYN proxy, blocking spoofed sources and SYN floods.
Example 6: Block Non-Standard MSS
Goal: Drop connections with suspicious TCP MSS values (possible indication of certain attack tools)
Configuration:
- TCP: Enable
- MSS: 1 - 500 (unusually small MSS)
- Target: DROP
- Match On: New Connection
Result: TCP connections with MSS between 1-500 are dropped.
Example 7: Allow Only Specific Ports
Goal: Drop all traffic except TCP ports 80 (HTTP) and 443 (HTTPS)
Layer 4 rules have DROP and TCP VERIFY targets but no explicit allow target, so express the allow-list as a negated BPF match and drop everything that does not match it:
- BPF Match: not (tcp dst port 80 or tcp dst port 443)
- Target: DROP
- Match On: New Connection
Result: New connections to TCP ports 80 and 443 pass through; everything else, UDP included, is dropped. If the service needs further ports or protocols, add them inside the negated expression rather than as separate rules.
Note: For HTTP/HTTPS traffic, Layer 7 rules on port 80/443 provide more sophisticated filtering options, and plain IP-based allow/deny lists are simpler to manage as ACL Rules.
Network Filtering Terminology
Understanding these terms will help you create effective filtering rules:
Layer 4 - The transport layer of the OSI network model, dealing with TCP and UDP protocols. Layer 4 operates on ports, connections, and packet headers (not content).
Layer 7 - The application layer, dealing with HTTP/HTTPS content, headers, and request details. See Layer 7 Rules for HTTP/HTTPS filtering.
TCP (Transmission Control Protocol) - A connection-oriented protocol that ensures reliable delivery of data. Used by HTTP, HTTPS, SSH, and many other services.
UDP (User Datagram Protocol) - A connectionless protocol that sends packets without guaranteed delivery. Used by DNS, gaming, VoIP, and streaming.
Source IP - The IP address of the computer sending the packet.
Destination Port - The port number the packet is being sent to on your server (e.g., 80 for HTTP, 443 for HTTPS).
Source Port - The port number on the sender's computer. Usually randomly assigned for outgoing connections.
CIDR Notation - A way to specify IP address ranges. For example, 192.168.1.0/24 represents all IPs from 192.168.1.0 to 192.168.1.255.
MSS (Maximum Segment Size) - The largest amount of data that can be sent in a single TCP segment. Typically 1460 bytes for standard Ethernet.
SYN Flood - A type of DDoS attack that exploits the TCP handshake process by sending many SYN packets without completing the connection.
Spoofed IP - A packet with a fake source IP address, often used in DDoS attacks to hide the attacker's identity.
BPF (Berkeley Packet Filter) - A technology for filtering network packets based on their characteristics. BPF expressions use a simple language to match packets.
Rate Limiting - Restricting the number of packets or bytes processed within a time period. Helps prevent abuse and resource exhaustion.
Burst - A temporary spike in traffic allowed above the sustained rate limit.
BPF Cheatsheet
| Expression | Match |
|---|---|
| tcp or udp | TCP or UDP |
| tcp dst port 80 | TCP port 80 (HTTP) |
| udp port 53 | UDP with either src or dst port being 53 (DNS) |
| tcp[tcpflags]==(tcp-syn) | TCP SYN with no other flag set (== compares the whole flags byte) |
| tcp[tcpflags]==(tcp-syn\|tcp-ack) | TCP SYN-ACK with no other flag set |
| src host 1.1.1.1 | incoming packet from 1.1.1.1 |
| src net 1.1.1.0/24 | incoming packet from 1.1.1.0/24 |
| tcp src portrange 0-1023 | TCP privileged source ports (0-1023) |
| udp[8:4]==0x53414D50 and (udp[18:1]==0x70 or udp[18:1]==0x69 or udp[18:1]==0x63) | UDP payload beginning with ASCII "SAMP" whose payload byte 10 (udp[18]) is 'p', 'i' or 'c' |
| greater 1000 | Packet length >= 1000 bytes (tcpdump's greater N is len >= N; use len > 1000 for strictly greater) |
| less 1000 | Packet length <= 1000 bytes (less N is len <= N; use len < 1000 for strictly less) |
| ip[0] & 0xf != 5 | IP packets with options (header length field not 5 words) |
| udp[4:2]==0 | UDP length field of 0, which is malformed: the field includes the 8-byte header, so an empty payload is udp[4:2]==8 |
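The cheatsheet rows above and the TCP MSS match option both reduce to byte offsets in the IPv4, TCP and UDP headers. The following added example (not the filtering service's code) builds raw packets with those headers, decodes the fields the expressions index, and applies the same tests, so you can confirm what an expression inspects before deploying it. It assumes less/greater compare the IP total length and that packets are seen without a link-layer header; all packets are constructed.

```python
"""Byte-offset checks behind the cheatsheet and the TCP MSS match option.

Added example (not the filtering service's code) for the BPF cheatsheet above
and for the TCP MSS match option: it builds raw IPv4 packets, decodes the
fields the expressions index (ip[0], tcp[13], udp[4:2], udp[8:4], udp[18:1],
the MSS option) and applies the same tests. Assumption: less/greater compare
the IP total length, and packets carry no link-layer header.
"""
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10      # bit values of tcp-syn and tcp-ack in tcp[13]


def build_ipv4(proto, payload, options=b""):
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0,
                      bytes([203, 0, 113, 5]), bytes([192, 0, 2, 10]))
    return hdr + options + payload


def build_tcp(sport, dport, flags, mss=None):
    opts = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""   # kind 2 = MSS
    data_off = 5 + len(opts) // 4
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (data_off << 12) | flags,
                       65535, 0, 0) + opts


def build_udp(sport, dport, payload, length=None):
    length = 8 + len(payload) if length is None else length   # allow a bogus length
    return struct.pack("!HHHH", sport, dport, length, 0) + payload


def parse_ipv4(pkt):
    """(header length, total length, protocol, layer-4 bytes)."""
    ihl = (pkt[0] & 0x0F) * 4
    return ihl, struct.unpack("!H", pkt[2:4])[0], pkt[9], pkt[ihl:]


def tcp_flags_and_mss(seg):
    """tcp[tcpflags] (tcp[13]) and the MSS option from the segment's option list."""
    data_off = (seg[12] >> 4) * 4
    flags, mss, opts, i = seg[13], None, seg[20:data_off], 0
    while i < len(opts) and opts[i] != 0:            # kind 0 ends the list
        if opts[i] == 1:                              # kind 1 = NOP, no length byte
            i += 1
            continue
        if opts[i] == 2 and opts[i + 1] == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return flags, mss


# Each predicate mirrors one cheatsheet row (or the MSS match option).
def is_syn(pkt):                       # tcp[tcpflags]==(tcp-syn)
    _, _, proto, l4 = parse_ipv4(pkt)
    return proto == 6 and tcp_flags_and_mss(l4)[0] == TCP_SYN

def is_synack(pkt):                    # tcp[tcpflags]==(tcp-syn|tcp-ack)
    _, _, proto, l4 = parse_ipv4(pkt)
    return proto == 6 and tcp_flags_and_mss(l4)[0] == TCP_SYN | TCP_ACK

def mss_in_range(pkt, lo, hi):         # TCP MSS match, lower..upper bound
    _, _, proto, l4 = parse_ipv4(pkt)
    mss = tcp_flags_and_mss(l4)[1] if proto == 6 else None
    return mss is not None and lo <= mss <= hi

def has_ip_options(pkt):               # ip[0] & 0xf != 5
    return (pkt[0] & 0x0F) != 5

def udp_length_zero(pkt):              # udp[4:2]==0
    _, _, proto, l4 = parse_ipv4(pkt)
    return proto == 17 and l4[4:6] == b"\x00\x00"

def samp_query(pkt):                   # udp[8:4]==0x53414D50 and udp[18:1] in {p,i,c}
    _, _, proto, l4 = parse_ipv4(pkt)
    return proto == 17 and l4[8:12] == b"SAMP" and l4[18:19] in (b"p", b"i", b"c")

def less(pkt, n):                      # tcpdump `less n` is len <= n, not len < n
    return parse_ipv4(pkt)[1] <= n


def demo():
    syn = build_ipv4(6, build_tcp(50000, 443, TCP_SYN, mss=1460))
    tiny_mss = build_ipv4(6, build_tcp(50001, 443, TCP_SYN, mss=300))
    synack = build_ipv4(6, build_tcp(443, 50000, TCP_SYN | TCP_ACK, mss=1440))
    samp = build_ipv4(17, build_udp(12345, 7777, b"SAMP" + bytes([203, 0, 113, 5])
                                     + struct.pack("!H", 7777) + b"i"))
    bad_len = build_ipv4(17, build_udp(12345, 53, b"", length=0))
    with_opts = build_ipv4(17, build_udp(1, 2, b""), options=b"\x94\x04\x00\x00")  # Router Alert
    exactly_100 = build_ipv4(17, build_udp(1, 2, b"\x00" * 72))                  # 20 + 8 + 72
    return {
        "syn": is_syn(syn), "synack_is_syn": is_syn(synack), "synack": is_synack(synack),
        "mss_1400_1460": mss_in_range(syn, 1400, 1460), "mss_1_500": mss_in_range(tiny_mss, 1, 500),
        "samp": samp_query(samp), "udp_len_0": udp_length_zero(bad_len),
        "ip_opts": has_ip_options(with_opts), "plain_ip_opts": has_ip_options(syn),
        "less_100_on_100_byte_packet": less(exactly_100, 100),
    }
```

The last entry is the check worth remembering from Example 4: a packet that is exactly 100 bytes long satisfies less 100, so a rule written with less drops one byte more than "smaller than" suggests.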