Cloudflare Blog

https://blog.cloudflare.com/

Cloudflare BlogOct 31, 2025

Go and enhance your calm: demolishing an HTTP/2 interop problem

Why it matters: This article highlights how subtle misconfigurations in standard libraries (like Go's HTTP/2 client) can lead to critical interop issues and trigger network defenses, emphasizing the need for deep understanding of protocol implementations.

HTTP/2 misconfigurations can lead to denial-of-service attacks like PING floods, triggering defenses such as Cloudflare's ENHANCE_YOUR_CALM GOAWAY frame.
An internal microservice communication issue was traced to a Go standard library HTTP/2 client sending excessive PINGs, causing connection closures.
The problem stemmed from a subtle interaction between Go's http.Transport PingTimeout and ReadIdleTimeout settings, leading to continuous PINGs.
Debugging required "on the wire" analysis using packet captures or GODEBUG=http2debug=2 logging to identify the client's actual behavior.
Proper configuration, ensuring PingTimeout is longer than ReadIdleTimeout or disabled when ReadIdleTimeout handles liveness, is crucial to prevent such HTTP/2 PING floods.

#sre #dist #security

Read original

Cloudflare BlogOct 30, 2025

Beyond IP lists: a registry format for bots and agents

Why it matters: This matters because it provides a scalable, trustworthy method for authenticating bots and agents, crucial for securing web infrastructure and enabling new agentic applications. It moves beyond unreliable IP lists, enhancing security and operational control for website operators.

A new registry format is proposed for bots and agents to enable easy discovery of public keys for cryptographically signed requests.
This format expands on the Web Bot Auth protocol, moving beyond brittle IP-based identification to more trustworthy cryptographic authentication.
The registry will consist of URLs pointing to agent keys, allowing website operators to verify bot identities at scale.
It aims to create an open ecosystem where anyone can curate and host lists of known signature agents.
A complementary "signature-agent card" format is also introduced to provide essential metadata about agents, such as contact details and operational characteristics.

#security #dist

Read original

Cloudflare BlogOct 30, 2025

Anonymous credentials: rate-limiting bots and agents without compromising privacy

Why it matters: As AI agents reshape web interactions, engineers need privacy-preserving security solutions. Anonymous credentials offer a critical mechanism to manage agent traffic, prevent abuse, and ensure fair access without compromising user data, crucial for the evolving AI-driven internet.

The rise of AI agents is rapidly changing web traffic patterns, necessitating new security approaches beyond traditional bot defenses.
Existing coarse-grained bot detection methods risk inadvertently blocking legitimate users when applied to shared AI agent platforms.
Anonymous credentials (AC) are proposed as a privacy-preserving solution for rate-limiting and blocking malicious agents without user identification or tracking.
AC allows website operators to enforce fine-grained security policies while maintaining user privacy, crucial for the evolving web.
The IETF is developing anonymous credentials as a standard, with Cloudflare actively contributing to its real-world deployment.
A practical example demonstrates building an AI agent using Cloudflare Workers, Workers AI, and Browser Rendering with Stagehand to illustrate agent interactions.

#security #dist #mlp

Read original

Cloudflare BlogOct 30, 2025

Policy, privacy and post-quantum: anonymous credentials for everyone

Why it matters: This article is crucial for engineers working on security, privacy, and identity systems. It highlights the urgent need to integrate post-quantum cryptography into Anonymous Credentials to protect against future quantum attacks and ensure privacy in digital identity solutions.

The internet is migrating to post-quantum (PQ) cryptography, a complex transition requiring new, higher-cost algorithms like ML-KEM and ML-DSA, not simple drop-in replacements.
Anonymous Credentials (ACs) are vital for privacy, enabling attribute proof without over-sharing, but current AC schemes are vulnerable to quantum attacks.
Digital identity systems, like the EU wallet, need robust unlinkability for privacy; PQ-safe ACs offer a cryptographic solution superior to organizational policies.
The "store-now/harvest-later" threat necessitates urgent development of PQ-safe ACs to ensure their long-term viability and prevent obsolescence upon mass adoption.
While PQ TLS migration progresses, ACs present a greater challenge, demanding efficient PQ replacements or significant re-engineering for scale and privacy.

#security #dist #data

Read original

Cloudflare BlogOct 29, 2025

Defending QUIC from acknowledgement-based DDoS attacks

Why it matters: This article highlights critical DDoS vulnerabilities in QUIC's ACK handling, emphasizing the importance of robust validation in transport protocols for network fairness and security. Engineers gain insight into preventing sophisticated amplification attacks.

Cloudflare's open-source QUIC implementation, quiche, was found to have two DDoS vulnerabilities (CVE-2025-4820, CVE-2025-4821) related to ACK handling.
These vulnerabilities included a lack of ACK range validation and susceptibility to 'Optimistic ACK' attacks, allowing an attacker to artificially expand an endpoint's send rate.
Exploiting these flaws could lead to DDoS attacks by increasing server CPU utilization and amplifying network traffic.
Cloudflare promptly patched the affected infrastructure; quiche versions prior to 0.24.4 were vulnerable, though no evidence of exploitation was found.
The mitigation for Optimistic ACK attacks involves a dynamic, CWND-aware skip frequency that scales with a connection’s send rate.
Robust ACK validation is crucial for Internet protocols like QUIC to ensure fair network usage, prevent subversion of congestion control signals, and maintain performance.

#security #dist

Read original

Cloudflare BlogOct 29, 2025

How to build your own VPN, or: the history of WARP

Why it matters: This article details how Cloudflare built a high-performance VPN using Linux networking, offering practical insights into NAT, Netfilter, and conntrack for engineers developing secure, scalable network solutions.

Cloudflare's WARP app required building a high-performance, mobile-first VPN solution for secure packet egress from edge machines.
The initial WARP implementation functioned as a Layer 3 VPN, encapsulating private IP packets within public ones for secure tunneling.
Linux's Netfilter subsystem, configured via nftables, was used to implement Network Address Translation (NAT) for routing VPN client traffic.
A key aspect involved setting up source NAT rules to rewrite client IP addresses to the server's public IP for outgoing packets.
The conntrack module in Linux Netfilter is crucial for stateful NAT, managing TCP/UDP connections and port reuse efficiently.

#dist #security #mobile

Read original

Cloudflare BlogOct 29, 2025

Measuring characteristics of TCP connections at Internet scale

Why it matters: Understanding global TCP connection characteristics is crucial for accurate network simulations, allowing engineers to test new protocols and algorithms safely before live deployment and predict their impact.

Measuring global TCP connection characteristics is challenging due to scale and access limitations, making empirical insights scarce.
Cloudflare shares aggregate insights into TCP connection characteristics from its global CDN, covering approximately 70% of HTTP requests.
This data is vital for network simulations, enabling engineers to predict the impact of new protocols or algorithms without risky live deployments.
The dataset is a 1% uniform sample of visitor-to-Cloudflare TCP connections, collected at client-facing servers to ensure diversity and mitigate bias.
It includes socket-level metadata (TCP_INFO), SNI, and request counts for gracefully closed connections with at least one successful HTTP request.
The analysis uses Empirical Cumulative Distribution Functions (CDFs) to visualize large-scale, consistent patterns in connection duration, packets, and requests.

#dist #data

Read original

Cloudflare BlogOct 29, 2025

One IP address, many users: detecting CGNAT to reduce collateral effects

Why it matters: Engineers must understand that IP addresses no longer reliably identify single users due to CGNAT. Failing to detect large-scale IP sharing can lead to unintended collateral damage, disproportionately affecting users in developing regions and causing significant operational and security issues.

Traditional IP-based security mechanisms (blocklists, rate-limiting) assume a single IP represents a single user, an assumption no longer valid due to widespread CGNAT, VPNs, and proxies.
Carrier-Grade NAT (CGNAT) allows ISPs to share a single IPv4 address among hundreds or thousands of users, primarily driven by IPv4 address exhaustion, especially in developing regions.
This large-scale IP sharing creates significant collateral damage, leading to socioeconomic bias where security actions disproportionately affect users in regions with high user-to-IP ratios.
Cloudflare is developing methods to detect large-scale IP sharing to mitigate unintended negative impacts and improve digital equity, a problem recognized by IETF RFCs.

#security #dist #data

Read original

Cloudflare BlogOct 29, 2025

So long, and thanks for all the fish: how to escape the Linux networking stack

Why it matters: This article details advanced Linux networking challenges when pushing performance boundaries. It highlights how low-level kernel interactions can cause subtle but critical issues, requiring custom solutions to ensure reliable, high-performance network services.

Cloudflare developed "soft-unicast" to share IP subnets across data centers, requiring machines to manage numerous IP/source-port combinations for outgoing connections.
Traditional Linux networking stack tools like iptables and Netfilter's conntrack module presented significant challenges for soft-unicast due to complexity and unexpected interactions.
A custom service, "SLATFATF" (fish), was created to manage soft-unicast IP packet proxying and address leasing, aiming to reduce firewall workload.
A critical issue arose from the collision between Netfilter's conntrack table and kernel socket binding, where conntrack could silently rewrite source ports of TCP sockets, breaking connections.
This collision meant that a socket's source address might not match the actual IP packet's source, leading to connection failures and timeouts.
The final solution for WARP involved terminating TCP connections within the server and proxying them to local sockets with correct soft-unicast addresses, bypassing problematic packet rewriting.

#dist #sre

Read original

Cloudflare BlogOct 29, 2025

Helping protect the 2025 Moldova elections

Why it matters: This article demonstrates the critical role of robust cybersecurity infrastructure in protecting democratic processes from sophisticated state-sponsored cyberattacks. It highlights the effectiveness of advanced DDoS mitigation in maintaining online service availability during high-stakes events.

Cloudflare provided critical cybersecurity support to the Moldovan Central Election Commission (CEC) during the 2025 parliamentary elections amidst foreign interference and digital threats.
Leveraging its Athenian Project expertise, Cloudflare rapidly onboarded CEC websites and deployed mitigation strategies within a week.
On election day, the CEC faced over twelve hours of concentrated, high-volume DDoS attacks, with peaks exceeding 324,000 requests per second.
Cloudflare's automated defenses successfully mitigated over 898 million malicious requests, ensuring the CEC website remained accessible and online.
A broader campaign targeted other Moldovan democracy, media, and civic websites with hundreds of millions of malicious requests.
Moldovan authorities confirmed the successful neutralization of these attacks, attributing the uninterrupted service to Cloudflare's protection.

#security #sre #dist

Read original

Page 9 of 10

Prev 1...7 8 9 10 Next