Curated topic

dist

Posts tagged with dist

Cloudflare BlogMar 5, 2026

Ending the "silent drop": how Dynamic Path MTU Discovery makes the Cloudflare One Client more resilient

Why it matters: Engineers often face 'zombie' connections caused by MTU mismatches and blocked ICMP feedback. By implementing active probing via QUIC, Cloudflare eliminates these silent failures, ensuring robust connectivity across diverse, unmanaged network infrastructures without manual tuning.

Cloudflare One Client now implements Dynamic Path MTU Discovery (PMTUD) to prevent 'black hole' packet loss and connection hangs.
Traditional PMTUD relies on ICMP messages that are frequently blocked by firewalls, leading to silent packet drops.
The new implementation follows RFC 8899, using active probing to interrogation the network path instead of relying on ICMP feedback.
Leveraging the MASQUE protocol and QUIC, the client sends encrypted probes of varying sizes to determine the optimal MTU.
The client dynamically resizes its virtual interface MTU on the fly, ensuring seamless transitions between different network environments like Wi-Fi and LTE.
This active discovery mechanism maintains session stability for mission-critical applications on restrictive or legacy infrastructure.

#security #dist

Read original

Cloudflare BlogMar 5, 2026

A QUICker SASE client: re-building Proxy Mode

Why it matters: This shift solves the performance penalty of SASE proxies by moving from L3 tunneling to direct L4 proxying via QUIC. It doubles throughput and lowers latency, making Zero Trust security transparent to users during high-bandwidth tasks or when coexisting with legacy VPNs.

Cloudflare re-engineered its SASE client proxy mode by replacing the WireGuard-based Layer 3 tunnel with a direct Layer 4 QUIC-based architecture.
The previous implementation relied on smoltcp, a user-space TCP stack that lacked modern features and created a performance ceiling for media-heavy traffic.
The new architecture leverages MASQUE and HTTP/3 (RFC 9114) using the CONNECT method to encapsulate traffic directly into QUIC streams.
By bypassing Layer 3 translation, the client eliminates inefficient IP packet handling and benefits from native QUIC congestion and flow control.
Internal testing demonstrated that download and upload speeds doubled while latency decreased significantly for end-users.
The update specifically improves performance for third-party VPN coexistence, high-bandwidth application partitioning, and developer CLI tools.

#security #dist #sre

Read original

Cloudflare BlogMar 5, 2026

How Automatic Return Routing solves IP overlap

Why it matters: ARR simplifies complex network architectures by eliminating the need for NAT or VRF when handling overlapping private IP spaces. This reduces administrative toil and prevents non-deterministic routing, allowing engineers to scale enterprise backbones without manual IP re-addressing.

Cloudflare introduced Automatic Return Routing (ARR) to resolve IP overlap issues in private enterprise networks without manual configuration.
IP overlap typically arises from mergers and acquisitions, extranet connections, or standardized 'cookie-cutter' site architectures.
Traditional solutions like NAT and VRF are effective but introduce significant administrative overhead and brittle configuration requirements.
ARR utilizes stateful tracking to remember the specific tunnel (IPsec, GRE, or CNI) that initiated a network flow.
By bypassing the routing table for return traffic, ARR ensures symmetric routing even when multiple sites share identical IP addresses.
The 'zero-touch' approach allows overlapping networks to coexist seamlessly without requiring complex route leaking or IP re-addressing.

#dist #security

Read original

Cloudflare BlogMar 4, 2026

Always-on detections: eliminating the WAF “log versus block” trade-off

Why it matters: This shift from binary 'log vs. block' to continuous detection allows engineers to gain deep security insights without impacting latency or risking false positives. It enables more sophisticated, context-aware defenses by correlating full HTTP transactions instead of just inspecting requests.

Cloudflare is introducing an 'always-on' framework that separates WAF detection from mitigation, eliminating the traditional trade-off between visibility and protection.
Attack Signature Detection runs on every request, providing rich metadata including confidence scores, attack categories, and unique Ref IDs without stopping evaluation upon a match.
The system optimizes performance by running detections asynchronously after the request is sent to the origin, unless a specific blocking rule is active.
Full-Transaction Detection is being developed to correlate both requests and responses, enabling the identification of reflective SQL injection and data exfiltration.
Engineers can use new fields like cf.waf.signature.request.confidence and categories to build highly precise security policies in the Edge Rules Engine.
This evolution allows for easier onboarding and tuning by providing complete visibility into which signatures would have fired before switching to blocking mode.

#security #dist

Read original

Cloudflare BlogMar 4, 2026

Moving from license plates to badges: the Gateway Authorization Proxy

Why it matters: This enables identity-based security for unmanaged devices without endpoint agents. Engineers can enforce granular policies and gain visibility in restricted environments like VDI or M&A, bridging the gap between network-level proxying and user-level identity.

Cloudflare introduced the Gateway Authorization Proxy to provide identity-based filtering for unmanaged devices without requiring client software.
The system replaces static IP-based identification with Cloudflare Access-style authentication using signed JWT cookies.
A domain-specific token generation process ensures seamless user authentication across different domains via Cloudflare's global edge network.
New Proxy Auto-Configuration (PAC) File Hosting allows teams to host and manage proxy settings directly on Cloudflare with built-in templates.
The solution supports multiple identity providers simultaneously, facilitating complex environments like mergers and acquisitions.
Identity-aware logging and granular policy enforcement are now possible for browser-based traffic on any device reaching the Internet.

#security #dist

Read original

GitHub EngineeringMar 3, 2026

How we rebuilt the search architecture for high availability in GitHub Enterprise Server

Why it matters: This architectural shift eliminates common failure modes in high-availability setups where search indexes could become locked or corrupted during upgrades. By using native Cross Cluster Replication, engineers gain a more resilient, easier-to-maintain search infrastructure.

GitHub Enterprise Server (GHES) transitioned from a single multi-node Elasticsearch cluster to independent single-node clusters per instance.
The previous architecture allowed primary shards to migrate to read-only replica nodes, causing system locks during maintenance and upgrades.
The new architecture utilizes Elasticsearch’s Cross Cluster Replication (CCR) to synchronize data between independent clusters.
CCR ensures data durability by replicating information only after it has been persisted to the underlying Lucene segments.
A custom bootstrap workflow was developed to attach followers to existing indexes and configure auto-follow for future data.
This shift aligns search infrastructure with the standard leader/follower pattern used across the rest of the GHES platform.

#sre #dist #data

Read original

Cloudflare BlogMar 3, 2026

Evolving Cloudflare’s Threat Intelligence Platform: actionable, scalable, and ETL-less

Why it matters: This architecture demonstrates how to build high-scale, low-latency platforms by moving compute and storage to the edge. By eliminating ETL and using sharded SQLite via Durable Objects, engineers can gain real-time insights from massive datasets without centralized database bottlenecks.

Cloudflare evolved its Threat Intelligence Platform (TIP) to eliminate complex ETL pipelines using a sharded, SQLite-backed architecture.
The platform leverages Cloudflare Workers and Durable Objects to run GraphQL directly at the edge, achieving sub-second query latency.
Data is distributed across thousands of logical shards, allowing for high-volume ingestion and parallel query execution without central bottlenecks.
The system integrates global telemetry with manual investigations to create a single source of truth for proactive threat blocking.
Cloudflare Queues handle asynchronous telemetry ingestion, while R2 provides long-term storage and SQLite handles the hot index for instant retrieval.

#security #dist #data

Read original

Cloudflare BlogMar 3, 2026

Introducing the 2026 Cloudflare Threat Report

Why it matters: Attackers are shifting from complex hacks to high-efficiency exploitation of trusted cloud tools and session tokens. Engineers must move beyond perimeter defense to secure SaaS integrations, identity tokens, and detect 'living off the land' tactics hidden in legitimate enterprise traffic.

Attackers are prioritizing 'Measure of Effectiveness' (MOE), favoring high-throughput tactics like session token theft over expensive, one-off zero-day exploits.
Generative AI is being used to automate high-velocity operations, including real-time network mapping, exploit development, and deepfake persona creation.
Threat actors are 'living off the land' by weaponizing trusted SaaS and IaaS tools like Google Calendar and GitHub to mask command-and-control (C2) traffic.
Over-privileged third-party API integrations create cascading risks, where a single compromised integration can breach hundreds of distinct corporate environments.
Infostealers are increasingly used to harvest active session tokens, allowing attackers to bypass multi-factor authentication (MFA) and move to post-authentication actions.
Hyper-volumetric DDoS attacks, powered by massive botnets like Aisuru, are reaching scales that exhaust infrastructure capacity and minimize human response windows.

#security #dist

Read original

Cloudflare BlogMar 3, 2026

See risk, fix risk: introducing Remediation in Cloudflare CASB

Why it matters: This update bridges the gap between threat detection and response in SaaS environments. By automating remediation through a durable serverless architecture, engineers can eliminate manual cleanup tasks and ensure a consistent security posture across disparate cloud platforms.

Cloudflare CASB now includes Remediation, allowing users to fix risky file-sharing configurations directly from the Cloudflare One dashboard.
The feature initially supports Microsoft 365 and Google Workspace, addressing public links, company-wide sharing, and external access.
Built using Cloudflare Workflows, the system ensures durable execution and handles vendor API rate limits (429s) with native retry logic.
The architecture leverages Workers, Queues, KV, and Hyperdrive to achieve a p50 end-to-end job completion time of 48 seconds.
Remediation actions focus on removing risky sharing permissions without deleting files or changing ownership.
All actions are recorded in Cloudflare One Admin logs, providing an audit trail for security teams and SIEM integrations.

#security #dist

Read original

Engineering at MetaMar 2, 2026

FFmpeg at Meta: Media Processing at Scale

Why it matters: Meta's move from a custom fork to upstream FFmpeg shows how large-scale needs drive open-source evolution. It highlights optimizations in multi-lane transcoding and real-time quality metrics that significantly reduce compute costs and maintenance overhead at massive scale.

Meta processes tens of billions of media files daily, necessitating highly optimized transcoding workflows at massive scale.
The company collaborated with the FFmpeg community to upstream critical features, allowing them to deprecate a long-standing internal fork.
New multi-lane transcoding capabilities enable parallelized encoding of multiple resolutions from a single source, reducing compute overhead.
Upstreamed support for real-time reference quality metrics like VMAF allows for quality monitoring without separate post-processing steps.
Significant refactoring in FFmpeg 6.0 and 8.0 was driven by these scale requirements, improving efficiency for the broader open-source community.

#dist #data

Read original

Page 2 of 22

Prev 1 2 3 4...22 Next