Posts tagged with security
Why it matters: This article highlights how subtle misconfigurations in standard libraries (like Go's HTTP/2 client) can lead to critical interop issues and trigger network defenses, emphasizing the need for deep understanding of protocol implementations.
- HTTP/2 misconfigurations can lead to denial-of-service attacks like PING floods, triggering defenses such as Cloudflare's ENHANCE_YOUR_CALM GOAWAY frame.
- An internal microservice communication issue was traced to a Go standard library HTTP/2 client sending excessive PINGs, causing connection closures.
- The problem stemmed from a subtle interaction between Go's http.Transport PingTimeout and ReadIdleTimeout settings, leading to continuous PINGs.
- Debugging required "on the wire" analysis using packet captures or GODEBUG=http2debug=2 logging to identify the client's actual behavior.
- Proper configuration, ensuring PingTimeout is longer than ReadIdleTimeout or disabled when ReadIdleTimeout handles liveness, is crucial to prevent such HTTP/2 PING floods.
Why it matters: This matters because it provides a scalable, trustworthy method for authenticating bots and agents, crucial for securing web infrastructure and enabling new agentic applications. It moves beyond unreliable IP lists, enhancing security and operational control for website operators.
- A new registry format is proposed for bots and agents to enable easy discovery of public keys for cryptographically signed requests.
- This format expands on the Web Bot Auth protocol, moving beyond brittle IP-based identification to more trustworthy cryptographic authentication.
- The registry will consist of URLs pointing to agent keys, allowing website operators to verify bot identities at scale.
- It aims to create an open ecosystem where anyone can curate and host lists of known signature agents.
- A complementary "signature-agent card" format is also introduced to provide essential metadata about agents, such as contact details and operational characteristics.
Why it matters: This article is crucial for engineers working on security, privacy, and identity systems. It highlights the urgent need to integrate post-quantum cryptography into Anonymous Credentials to protect against future quantum attacks and ensure privacy in digital identity solutions.
- The internet is migrating to post-quantum (PQ) cryptography, a complex transition requiring new, higher-cost algorithms like ML-KEM and ML-DSA, not simple drop-in replacements.
- Anonymous Credentials (ACs) are vital for privacy, enabling attribute proof without over-sharing, but current AC schemes are vulnerable to quantum attacks.
- Digital identity systems, like the EU wallet, need robust unlinkability for privacy; PQ-safe ACs offer a cryptographic solution superior to organizational policies.
- The "store-now/harvest-later" threat necessitates urgent development of PQ-safe ACs to ensure their long-term viability and prevent obsolescence upon mass adoption.
- While PQ TLS migration progresses, ACs present a greater challenge, demanding efficient PQ replacements or significant re-engineering for scale and privacy.
Why it matters: As AI agents reshape web interactions, engineers need privacy-preserving security solutions. Anonymous credentials offer a critical mechanism to manage agent traffic, prevent abuse, and ensure fair access without compromising user data, crucial for the evolving AI-driven internet.
- The rise of AI agents is rapidly changing web traffic patterns, necessitating new security approaches beyond traditional bot defenses.
- Existing coarse-grained bot detection methods risk inadvertently blocking legitimate users when applied to shared AI agent platforms.
- Anonymous credentials (AC) are proposed as a privacy-preserving solution for rate-limiting and blocking malicious agents without user identification or tracking.
- AC allows website operators to enforce fine-grained security policies while maintaining user privacy, crucial for the evolving web.
- The IETF is developing anonymous credentials as a standard, with Cloudflare actively contributing to its real-world deployment.
- A practical example demonstrates building an AI agent using Cloudflare Workers, Workers AI, and Browser Rendering with Stagehand to illustrate agent interactions.
Why it matters: This article highlights critical DDoS vulnerabilities in QUIC's ACK handling, emphasizing the importance of robust validation in transport protocols for network fairness and security. Engineers gain insight into preventing sophisticated amplification attacks.
- Cloudflare's open-source QUIC implementation, quiche, was found to have two DDoS vulnerabilities (CVE-2025-4820, CVE-2025-4821) related to ACK handling.
- These vulnerabilities included a lack of ACK range validation and susceptibility to 'Optimistic ACK' attacks, allowing an attacker to artificially expand an endpoint's send rate.
- Exploiting these flaws could lead to DDoS attacks by increasing server CPU utilization and amplifying network traffic.
- Cloudflare promptly patched the affected infrastructure; quiche versions prior to 0.24.4 were vulnerable, though no evidence of exploitation was found.
- The mitigation for Optimistic ACK attacks involves a dynamic, CWND-aware skip frequency that scales with a connection’s send rate.
- Robust ACK validation is crucial for Internet protocols like QUIC to ensure fair network usage, prevent subversion of congestion control signals, and maintain performance.
Why it matters: This article details how Cloudflare built a high-performance VPN using Linux networking, offering practical insights into NAT, Netfilter, and conntrack for engineers developing secure, scalable network solutions.
- Cloudflare's WARP app required building a high-performance, mobile-first VPN solution for secure packet egress from edge machines.
- The initial WARP implementation functioned as a Layer 3 VPN, encapsulating private IP packets within public ones for secure tunneling.
- Linux's Netfilter subsystem, configured via nftables, was used to implement Network Address Translation (NAT) for routing VPN client traffic.
- A key aspect involved setting up source NAT rules to rewrite client IP addresses to the server's public IP for outgoing packets.
- The conntrack module in Linux Netfilter is crucial for stateful NAT, managing TCP/UDP connections and port reuse efficiently.
Why it matters: Engineers must understand that IP addresses no longer reliably identify single users due to CGNAT. Failing to detect large-scale IP sharing can lead to unintended collateral damage, disproportionately affecting users in developing regions and causing significant operational and security issues.
- Traditional IP-based security mechanisms (blocklists, rate-limiting) assume a single IP represents a single user, an assumption no longer valid due to widespread CGNAT, VPNs, and proxies.
- Carrier-Grade NAT (CGNAT) allows ISPs to share a single IPv4 address among hundreds or thousands of users, primarily driven by IPv4 address exhaustion, especially in developing regions.
- This large-scale IP sharing creates significant collateral damage, leading to socioeconomic bias where security actions disproportionately affect users in regions with high user-to-IP ratios.
- Cloudflare is developing methods to detect large-scale IP sharing to mitigate unintended negative impacts and improve digital equity, a problem recognized by IETF RFCs.
Why it matters: This article demonstrates the critical role of robust cybersecurity infrastructure in protecting democratic processes from sophisticated state-sponsored cyberattacks. It highlights the effectiveness of advanced DDoS mitigation in maintaining online service availability during high-stakes events.
- Cloudflare provided critical cybersecurity support to the Moldovan Central Election Commission (CEC) during the 2025 parliamentary elections amidst foreign interference and digital threats.
- Leveraging its Athenian Project expertise, Cloudflare rapidly onboarded CEC websites and deployed mitigation strategies within a week.
- On election day, the CEC faced over twelve hours of concentrated, high-volume DDoS attacks, with peaks exceeding 324,000 requests per second.
- Cloudflare's automated defenses successfully mitigated over 898 million malicious requests, ensuring the CEC website remained accessible and online.
- A broader campaign targeted other Moldovan democracy, media, and civic websites with hundreds of millions of malicious requests.
- Moldovan authorities confirmed the successful neutralization of these attacks, attributing the uninterrupted service to Cloudflare's protection.
Why it matters: Agent HQ unifies diverse AI coding agents directly within GitHub, streamlining development workflows. This integration provides a central command center for agent orchestration, enhancing productivity, code quality, and control over AI-assisted processes for engineers.
- GitHub introduces Agent HQ, an open ecosystem integrating various AI coding agents (Anthropic, OpenAI, Google, etc.) directly into the GitHub platform.
- Agents will be native to the GitHub workflow, accessible via a paid GitHub Copilot subscription, enhancing existing development processes.
- A new "mission control" provides a central hub to assign, steer, and track multiple agents, streamlining complex tasks.
- Enhanced VS Code integration allows for planning and customizing agent behavior, improving developer control.
- Enterprise features include agentic code review, a control plane for AI governance, and a metrics dashboard to monitor AI impact.
- The initiative aims to orchestrate specialized agents for parallel task execution, leveraging familiar GitHub primitives like Git and pull requests.
Why it matters: This framework helps engineers understand and quantify network resilience, moving beyond abstract concepts to actionable metrics. It provides insights into securing routing, diversifying infrastructure, and building more robust systems to prevent catastrophic outages.
- Internet resilience is the measurable ability of a network ecosystem to maintain diverse, secure routing paths and rapidly restore connectivity after disruptions, beyond just uptime.
- The Internet's decentralized structure means local decisions by Autonomous Systems (ASes) collectively determine global resilience, emphasizing diverse and secure interconnections.
- Resilience requires a multi-layered approach: diverse physical infrastructure, robust network routing hygiene (BGP, RPKI, ROV), and application-level optimizations like CDNs.
- Route hygiene, particularly RPKI and Route Origin Validation, is crucial for securing BGP routing against hijacks and leaks, preventing widespread outages.
- The article proposes a data-driven framework to quantify Internet resilience using public data, aiming to foster a more reliable and secure global network.