< ciso
brief />
Tag Banner

All news with #cloudflare tag

318 articles · page 11 of 16

Hunting BGP Zombies: Causes, Effects, and Mitigations

🧟 Cloudflare details 'BGP zombies' — routes that remain in the Default-Free Zone after a withdrawal due to path hunting, delayed processing, or MRAI timers. Through experiments and BYOIP on-demand tests, they show how more-specific withdrawals can trigger loops and long-lived reachability issues, often worse on IPv4. Cloudflare proposes graceful draining, a multi-step BYOIP failover using same-length native announcements, and vendor adoption of RFC9687 to reduce impact.
read more →

Go clients, HTTP/2 PING floods, and ENHANCE_YOUR_CALM

🔍 This post investigates why Cloudflare returned ENHANCE_YOUR_CALM for internal HTTP/2 traffic and traces the issue to an easy-to-make Go client behavior. An incorrect pattern where a response is closed without being fully read caused the Go HTTP/2 library to emit RST_STREAM and PING frames in quick succession, triggering PING-flood mitigations. The fix: always drain response bodies (for example, io.Copy(io.Discard, resp.Body)) before calling Close().
read more →

Policy, Privacy, and Post-Quantum Anonymous Credentials

🔒 Lena Heimberger examines the challenge of building post-quantum Anonymous Credentials that are practical for large-scale use. The post summarizes real-world needs — from the EU digital identity wallet to Cloudflare’s Privacy Pass rate-limiting — and defines key requirements like unlinkability, unforgeability, round-optimality, and per-origin rate limits. It surveys PQ approaches (generic ZKP composition, lattice-based signatures, hash-and-sign with aborts, and MPC-in-the-head/VOLEitH), evaluates trade-offs in bandwidth and latency, and calls for standardized ZK-friendly hashes and PQ-native protocol designs.
read more →

Anonymous Credentials for Privacy-preserving Rate Limiting

🔐 Cloudflare presents a privacy-first approach to rate-limiting AI agents using anonymous credentials. The post explains how schemes such as ARC and ACT extend the Privacy Pass model by enabling late origin-binding, multi-show tokens, and stateful counters so origins can enforce limits or revoke abusive actors without identifying users. It outlines the cryptographic building blocks—algebraic MACs and zero-knowledge proofs—compares performance against Blind RSA and VOPRF, and demonstrates an MCP-integrated demo showing issuance and redemption flows for agent tooling.
read more →

Amazon Bedrock AgentCore Browser Adds Web Bot Auth Preview

🔐 Amazon Bedrock AgentCore Browser now previews Web Bot Auth, a draft IETF protocol that cryptographically identifies AI agents to websites. The feature automatically generates credentials, signs HTTP requests with private keys, and registers verified agent identities to reduce CAPTCHA interruptions and human intervention in automated workflows. It streamlines verification across major providers such as Akamai, Cloudflare, and HUMAN Security, and is available in nine AWS Regions on a consumption-based pricing model with no upfront costs.
read more →

Measuring TCP Connection Characteristics at Scale Globally

📊 Cloudflare shares aggregate measurements of TCP connections observed across its global CDN from a uniformly sampled 1% snapshot (Oct 7–15, 2025). The dataset records socket-level metadata via TCP_INFO, SNI, and request counts, limited to gracefully closed connections with at least one HTTP request. Results highlight strong heavy-tailed behavior: most connections are short and small while a minority carry massive volumes, and HTTP/2 shows higher reuse and larger responses than HTTP/1.x.
read more →

How We Escaped the Linux Networking Stack for Soft-Unicast

🐟 Cloudflare describes building "fish" (SLATFATF), a service to egress packets using soft-unicast address space and the challenges encountered with the Linux networking stack. They found that conntrack and Netfilter interactions can silently rewrite source ports and break connections, so they evaluated several approaches including Netlink manipulation, TCP_FASTOPEN_CONNECT sockets, and routing fixes. Ultimately they preferred terminating and proxying TCP locally to avoid fragile kernel workarounds, after testing that disabling early demux produced only modest CPU effects.
read more →

Detecting CGNAT to Reduce Collateral Damage Globally

🔎Cloudflare describes a supervised approach to detect large-scale IP sharing — especially CGNAT — to reduce collateral damage from IP-based security controls. They build labeled training data using distributed traceroutes (RIPE Atlas), PTR/WHOIS scraping, and lists of known VPN/proxy exit IPs, then extract per-IP and per-/24 behavioral features. An XGBoost model trained on these features achieves high accuracy, enabling operators to tune rate limits and blocklists with less harm to innocent users, particularly in regions with heavy IP sharing.
read more →

Building a High-Performance VPN with Linux for WARP

🛡️ Cloudflare explains how it initially implemented WARP as a Layer‑3 VPN by leveraging the Linux networking stack to egress arbitrary user packets from edge machines. They used a TUN device, nftables/Netfilter rules and the conntrack module to perform NAT, mark flows, and distinguish client traffic from locally‑originated traffic. Core tunnel handling was written in Rust (boringtun/WireGuard) and paired with MASQUE and defense‑in‑depth controls. The approach worked but required one IPv4 address per server, creating a scalability and cost challenge that led them to explore IP sharing.
read more →

Defending QUIC Against Acknowledgement-Based DDoS Attacks

🔒 Cloudflare patched two QUIC ACK-handling vulnerabilities (CVE-2025-4820, CVE-2025-4821) affecting its open-source quiche library and services using it. The flaws—missing ACK range validation and an Optimistic ACK attack—could let a malicious peer inflate server send rates, driving CPU and network amplification. Cloudflare implemented ACK range enforcement and a dynamic, CWND-aware skip frequency; quiche versions prior to 0.24.4 were affected.
read more →

Protecting Moldova’s 2025 Parliamentary Election Online

🛡️ Cloudflare assisted the Moldovan Central Election Commission (CEC) during the September 28, 2025 parliamentary vote, rapidly onboarding election sites and deploying mitigations under the Athenian Project. On election day Cloudflare mitigated over 898 million malicious requests across multiple DDoS waves, including a peak of 324,333 rps, keeping official result reporting and civic sites online. Automated defenses and coordination with STISC ensured no interruptions to public access and authoritative information.
read more →

Major Milestone: Majority of Human Traffic Uses PQ TLS

🔒 Cloudflare reports that, as of late October 2025, the majority of human-initiated traffic through its network is protected with post‑quantum key agreement, reducing the risk of harvest‑now/decrypt‑later attacks. The post summarizes progress since the last update 21 months earlier: NIST standardization, broad adoption of ML‑KEM hybrids, Google's Willow milestone, and Craig Gidney's optimizations that materially moved Q‑day closer. It explains why migrating key agreement was urgent and relatively straightforward, why signature/certificate migration remains the harder challenge, and what organizations and regulators should prioritize now.
read more →

Merkle Tree Certificates pilot by Cloudflare and Chrome

🔐 Cloudflare is collaborating with Chrome to experimentally deploy Merkle Tree Certificates (MTCs) to reduce the number of public keys and large post-quantum signatures transmitted during TLS handshakes. MTCs batch certificates into a Merkle tree with a single signed treehead and per-certificate inclusion proofs, dramatically shrinking handshake size and CPU work. The experiment will roll out to a subset of Cloudflare free customers while Chrome distributes validation landmarks and fallbacks to preserve existing trust.
read more →

Cloudflare Workers: Automatic tracing now in open beta

🔍 Cloudflare announces an Open Beta for Workers tracing that provides automatic, out-of-the-box instrumentation with no code changes. Traces are visible in the Workers Observability dashboard alongside logs, and spans include timing, attributes, and error context. You can export OTLP-formatted traces and correlated logs to third-party providers like Honeycomb or Grafana. Enable tracing via wrangler.jsonc or the Cloudflare dashboard and join the beta to provide feedback.
read more →

Challenges and Best Practices in Internet Measurement

📊 Cloudflare explains why measuring the Internet is uniquely difficult and how rigorous methodology, ethics, and clear representation make findings reliable. An internal February 2022 Lviv traffic spike illustrates how context and complementary data can prevent misclassification of benign events as attacks. The post contrasts active and passive techniques and direct versus indirect measurement, outlines a lifecycle of curation, modeling, and validation, and stresses low-impact, ethical approaches. It concludes by inviting collaboration and continued exploration of passive measurement methods.
read more →

Cloudflare Speed Test: Measuring Real-World Internet Quality

⚡ Cloudflare’s Speed Test measures the quality users actually experience rather than peak bandwidth. It sends predefined data blocks via the Network Quality API from the user’s browser to Cloudflare Workers routed by anycast, recording idle and loaded latency, jitter, packet loss, and throughput across sizes. Results appear live and culminate in an AIM score summarizing suitability for streaming, gaming, or conferencing.
read more →

Introducing TLD Insights on Cloudflare Radar Dashboard

📊 Cloudflare Radar now offers a dedicated Top-Level Domain (TLD) landing page and per-TLD reports that aggregate popularity, activity, and security signals. The new pages rank TLDs using a DNS Magnitude score based on unique client networks querying 1.1.1.1, and provide DNS, RDAP/WHOIS, Certificate Transparency, and registration information where available. Interactive charts, maps, and API access help TLD managers and site owners monitor visibility, abuse trends, and certificate issuance.
read more →

Cloudflare Radar's Evolution: Expanding Internet Observability

📡 Since its 2020 debut, Cloudflare Radar has evolved into a comprehensive observability platform that aggregates Cloudflare telemetry to illuminate security, performance, and usage trends. Initially centered on Radar Internet Insights, Domain Insights, and IP Insights, the service has grown to include Certificate Transparency metrics, TCP reset/timeouts visibility, post-quantum adoption tracking, and AI-focused crawler analytics. Radar also added routing tools such as route leak and origin hijack detection, real-time BGP views, AS-SET monitoring, and notifications, while improving programmatic access via the Radar API and an MCP server for LLM integration. Popular utilities like the URL Scanner, expanded search and date-range options, and internationalized interfaces reinforce Radar's mission to make the Internet more observable and resilient.
read more →

Working with Passive Data at Internet Scale: Challenges

🔍 During a 2022 internship at Cloudflare, Ram Sundara Raman examined whether connection tampering by network middleboxes can be detected using only passive production data. He sampled one in 10,000 TCP connections and logged the first ten inbound packets, then developed 19 tampering signatures while confronting scale, noisy telemetry, and limited ground truth. The work exposed practical limits of passive observation and the care required to interpret packet-level signals, and its outputs are published on Cloudflare Radar.
read more →

Internet Measurement, Resilience and Transparency Week

📡 This week Cloudflare Research publishes a series of posts revealing methods and findings that advance a more measurable, resilient, and transparent Internet. The series explores Internet measurement fundamentals, resilience frameworks, post-quantum deployment, and networking innovations, with deep dives into products such as Cloudflare Radar and experiments like Merkle Tree Certificates. Expect practical analysis, IETF-aligned protocol discussion, and real-world deployment considerations.
read more →