Why it matters: This report highlights the escalating scale and sophistication of DDoS attacks, exemplified by the Aisuru botnet. Engineers must prioritize robust, autonomous defense systems to protect critical infrastructure and services from increasingly powerful and short-lived threats.

  • The Aisuru botnet dominated Q3 2025, launching hyper-volumetric DDoS attacks up to 29.7 Tbps and 14.1 Bpps, causing significant internet disruption.
  • Cloudflare mitigated 8.3 million DDoS attacks in Q3 2025, a 15% QoQ and 40% YoY increase, with network-layer attacks surging 87% QoQ.
  • DDoS attacks against AI companies increased by 347% MoM in September, while attacks on Mining/Metals and Automotive sectors also rose due to geopolitical tensions.
  • The majority of DDoS attacks are short-lived (under 10 minutes), emphasizing the need for autonomous, real-time mitigation systems.
  • Aisuru, available as a botnet-for-hire, targeted critical infrastructure, telecommunications, gaming, and financial services, demonstrating its disruptive potential.

Why it matters: Replicate's acquisition by Cloudflare signifies a major step towards building a comprehensive, integrated AI infrastructure. It promises to simplify the deployment and scaling of complex AI applications by combining model serving with a global network and full-stack primitives.

  • Replicate, founded in 2019, aimed to democratize access to research-grade ML models by abstracting away infrastructure complexities.
  • They developed Cog for model packaging and the Replicate platform for running models as cloud API endpoints, successfully scaling with models like Stable Diffusion.
  • The modern AI stack has evolved beyond just model inference, requiring a full suite of services like microservices, storage, and databases.
  • Replicate is joining Cloudflare to leverage Cloudflare's extensive network, Workers, R2, and other primitives to build a complete, integrated AI infrastructure layer.
  • This acquisition will enable faster edge models, model pipelines on Workers, and streaming model I/O, realizing a vision where "the network is the computer" for AI.

Why it matters: Engineers can leverage FLUX.2 on Workers AI for highly consistent, photorealistic image generation, solving challenges like stochastic drift. Its advanced controls and multi-reference editing enable robust AI-powered applications for marketing, e-commerce, and creative content.

  • FLUX.2 [dev], a new open-weight image generation model from Black Forest Labs, is now available on Cloudflare Workers AI.
  • It offers enhanced photorealism, physical world grounding, and supports advanced customization like JSON prompting and multipart form data for multiple image inputs.
  • A key feature is its ability to maintain character and product consistency across multiple generations, addressing "stochastic drift" through multi-reference editing.
  • FLUX.2 is designed for functional business use cases, enabling consistent ad variations, reliable product shots, and dynamic editorial content.
  • It supports granular controls including JSON prompting, HEX codes, and multi-language input for highly specific image generation.

Why it matters: Engineers can now precisely debug WAF false positives and fine-tune security rules by understanding exactly which request fields trigger actions. This improves application security posture and reduces operational overhead from misconfigured WAFs.

  • Cloudflare's WAF protects against layer 7 attacks using various rulesets, but fine-tuning is necessary due to inevitable false positives.
  • Traditional WAF logging only indicates if a rule matched, failing to specify which part of a complex request or rule expression triggered the action.
  • Ambiguity arises from logical OR expressions, data transformations (e.g., Base64, URL decoding), cumulative scoring rulesets, and private rule logic.
  • Payload logging solves this by detailing the exact fields and their post-transformation values that caused a WAF rule to match.
  • This feature significantly enhances visibility, simplifies false positive identification, ensures rule correctness, and improves WAF fine-tuning.
  • Payload logging leverages the Wirefilter engine, re-evaluating the Rulesets Engine's execution context with a dedicated PayloadLoggingCompiler to pinpoint matching elements.

Why it matters: This incident highlights the critical importance of robust change management, configuration validation, and effective incident response in large-scale distributed systems. It underscores how seemingly minor changes can cascade into widespread failures.

  • Cloudflare experienced a significant outage due to a database permission change that generated an oversized "feature file" for its Bot Management system.
  • The excessively large feature file, propagated across the network, caused routing software to fail as it exceeded an internal size limit.
  • Initial incident response was complicated by fluctuating system failures, leading to a temporary misdiagnosis of a DDoS attack.
  • Resolution involved halting the propagation of the bad configuration, manually inserting a known good file, and restarting the core proxy.
  • The outage impacted core CDN, security services, Workers KV, Turnstile, and Access, manifesting as widespread HTTP 5xx errors and increased latency.

Why it matters: This acquisition significantly enhances Cloudflare's AI capabilities, offering developers a vast model catalog and simplified deployment on a global, high-performance edge network. It streamlines AI application development, making advanced models more accessible and efficient for engineers.

  • Replicate, a leading AI model platform, is joining Cloudflare to integrate its services into Cloudflare's Developer Platform.
  • This acquisition significantly expands Cloudflare's Workers AI model catalog, enabling users to run fine-tuned and custom models directly on the platform.
  • Replicate's platform simplifies AI model deployment by abstracting complex infrastructure, utilizing its open-source tool Cog for containerization.
  • Cloudflare's 'AI Cloud' provides serverless GPU inference at the edge (Workers AI), a control plane (AI Gateway), data storage (Vectorize, R2), and orchestration tools.
  • The combined entity will offer a comprehensive selection of over 50,000 models from Replicate's catalog, runnable on Cloudflare's global, high-performance network.

Why it matters: This article is crucial for SREs and infrastructure engineers dealing with large-scale configuration management. It demonstrates how to build systems that automate root cause analysis for CM failures, significantly reducing release delays and operational toil.

  • Cloudflare tackled the challenge of quickly identifying root causes for Salt configuration management failures across thousands of servers with high change volumes.
  • Salt, a CM tool, employs a master/minion architecture and declarative state system to manage large fleets and ensure consistent configurations.
  • Cloudflare's deployment pipeline for Salt changes incorporates blast radius protection and guardrails, designed to "fail safe" by halting deployments upon configuration failure.
  • While preventing customer impact, these halts necessitate human intervention for root cause analysis, leading to significant SRE toil and release delays.
  • A new architectural solution enables self-service root cause identification by correlating Salt failures with git commits, external services, and ad hoc releases.
  • This system has successfully reduced software release delays by over 5% and minimized repetitive triage for SRE teams.

Why it matters: This feature significantly enhances local development for Cloudflare Workers, allowing engineers to test against real production data and services without deploying. It streamlines workflows, accelerates iteration, and ensures higher confidence in code changes before deployment.

  • Cloudflare's remote bindings enable local Worker development to connect directly to deployed production resources like R2 and D1, eliminating the need for full deployments during testing.
  • This feature significantly enhances the developer experience by allowing engineers to test local code changes against real data and services, accelerating iteration speed and improving confidence.
  • The new approach unifies the development workflow, replacing the older `wrangler dev --remote` mode with a per-binding `remote: true` option within the standard local development environment.
  • Architecturally, remote bindings leverage Cloudflare's existing production binding mechanisms, treating them as service bindings rather than creating new API wrappers.
  • This design avoids the complexity of replicating entire binding API surfaces and ensures compatibility with operations that lack direct HTTP API equivalents, streamlining implementation and maintenance.

Why it matters: This enables Python developers to build robust, long-running, multi-step applications on Cloudflare Workflows, simplifying complex orchestrations for AI/ML, data pipelines, and task automation. It leverages Python's ecosystem and Cloudflare's durable execution.

  • Cloudflare Workflows now support Python, enabling developers to orchestrate long-running, multi-step applications using their preferred language, addressing previous TypeScript-only limitations.
  • This expands Cloudflare's Python support, building on earlier integrations like CPython and Pyodide packages in Workers.
  • Python Workflows are ideal for automating complex processes such as LLM training, data pipelines, and AI agent development, simplifying architecture and improving reliability.
  • The implementation leverages Cloudflare Workers' direct Python runtime support and Pyodide's Foreign Function Interface for seamless interoperability with JavaScript-based durable execution APIs.
  • Workflows provide built-in error handling, retry behavior, and state persistence, crucial for idempotent operations.

Why it matters: Using RPKI, this automates a complex, insecure, and time-consuming BYOIP onboarding process, significantly improving routing security and operational efficiency for engineers managing IP address space in the cloud. It offers greater control and faster deployment.

  • Cloudflare introduced a self-serve BYOIP API, automating the 4-6 week manual process for customers to onboard IP prefixes.
  • The new system leverages Resource Public Key Infrastructure (RPKI) for robust routing security and automated ownership validation, replacing manual LOA reviews.
  • Self-serve generates LOAs on customers' behalf, ensuring route acceptance and enhancing security through RPKI ROA and IRR/rDNS checks.
  • Initial scope is limited to BYOIP prefixes from Cloudflare's AS 13335, utilizing widely available Route Origin Authorization (ROA) objects.
  • This advancement provides customers with greater control and configurability over their IP space, improving IP address management on Cloudflare's network.