Cloudflare on Wirez

Cloudflare's 500 Tbps capacity stops 31.4 Tbps attacks

Fri, 10 Apr 2026 00:00:00 +0000

Cloudflare now commands 500 Tbps of external capacity across 330+ cities, reserving the surplus explicitly as a DDoS budget. You will examine the sheer physical reality of this global backbone, dissect the packet processing pipeline using eBPF and XDP for line-rate filtering, and explore how Workers and RPKI validate routes at the edge.

Cloudflare edge shift: Why 2MB cache matters

Mon, 23 Mar 2026 00:00:00 +0000

Cloudflare's new Gen 13 servers cut per-core L3 cache to just 2MB, a sixth of the previous generation's allocation. A tour inside cloudflares latest generation servers This hardware reality forces a fundamental architectural pivot: high-density edge infrastructure can no longer rely on massive caches to mask software inefficiencies. The era of cache-heavy reliance is over, replaced by a core-dense model where performance scales strictly through software optimization and thread isolation.

ASPA validation stops Cloudflare route hijacks now

Sat, 14 Mar 2026 00:00:00 +0000

Cloudflare, handling over 20% of global traffic, now validates BGP paths to stop leaks that origin checks miss. Cloudflare's white house routing security ASPA closes the critical security gap between simple route origin validation and full path verification by cryptographically authorizing upstream providers. While the broader network security market races toward $47.37 billion by 2031, core internet infrastructure still relies on trust-based protocols vulnerable to detours. Readers will learn why validating the AS_PATH chain is essential when standard RPKI mechanisms fail to detect unauthorized intermediate hops. We examine how Cloudflare's March 2026 implementation allows networks to publish authorized provider lists, ensuring traffic traverses only approved chains. The discussion details the operational steps for creating ASPA objects and monitoring their propagation to eliminate route leaks.

PMTUD black holes stall your video calls now

Thu, 05 Mar 2026 00:00:00 +0000

When packets exceed 1500 bytes, Cloudflare's 2026 data confirms that silent ICMP drops create a zombie state where connections hang indefinitely. Cloudflare's client dynamic path mtu discovery The industry must abandon fragile reliance on legacy feedback loops in favor of Dynamic Path MTU Discovery to ensure connectivity across restrictive modern networks. This article details how active probing architectures utilizing QUIC and MASQUE protocols bypass firewall restrictions that traditionally block essential size-limit notifications. We examine the mechanics of the PMTUD Black Hole, specifically how encrypted overhead in FIPS 140-2 compliant clients exacerbates fragmentation issues on LTE/5G and FirstNet links. Furthermore, we outline enterprise deployment strategies for hybrid environments, demonstrating how shifting from static configurations to dynamic discovery prevents data streams from failing during critical video calls or large file transfers. By adopting these methods, organizations can finally resolve the decades-old conflict between rigid infrastructure expectations and the reality of variable path limits without sacrificing security metadata.

Routing fixes for duplicate private IP chaos now

Thu, 05 Mar 2026 00:00:00 +0000

With 20% of global Internet traffic now handled by Cloudflare, duplicate private IPs create immediate routing failures that break return paths. Cloudflare's automatic return routing ip overlap Automatic Return Routing eliminates the need for complex NAT or VRF configurations by using stateful flow tracking to correctly route traffic in overlapping networks.

Cloudflare remediation stops SaaS link risks fast

Tue, 03 Mar 2026 00:00:00 +0000

Cloud attacks surged 26% in 2024, proving that visibility without automated remediation is merely a delay tactic. Cloudflare's casb ga The narrative explores how security teams can finally bypass the friction of manual ticketing and external admin consoles by using Remediation actions directly inside the Cloudflare One dashboard. Instead of flagging overshared files in Microsoft 365 or Google Workspace and waiting for IT to respond, administrators can now instantly revoke public links or restrict domain-wide access with a single click. This capability addresses the critical gap where dangerous configurations persist simply because the fix requires too many steps across disjointed interfaces.

Validation errors break blackhole routes now

Sun, 01 Mar 2026 00:00:00 +0000

Bryton Herdes warns that relaxing maxLength protections for blackhole routes creates a direct path for BGP hijacks.

The central thesis is that networks must strictly pair originAS-only validation with the mandatory presence of the BLACKHOLE community to prevent security degradation. While the global network security market races toward USD 205.98 billion by 2031, basic BGP hygiene remains fragile without these specific constraints. Herdes, a Principal Network Engineer at Cloudflare, argues that vendors offering shortcut configurations for loose validation directly undermine RFC9319 standards. Cloudflare's rpki 2020 fall update

ASPA records prove your upstream provider ties

Fri, 27 Feb 2026 00:00:00 +0000

Cloudflare handles over 20% of global Internet traffic, yet standard BGP routing remains vulnerable to undetected path manipulation. Cloudflare's bgp hijack detection The deployment of ASPA records under RFC 9582 represents the critical shift from verifying only traffic origins to validating the entire transmission path against configuration errors and malicious leaks. While ROA systems successfully mitigate origin hijacks, they fail to detect when traffic traverses unauthorized intermediate networks, a gap this new cryptographic standard explicitly closes.

Cloudflare data reveals origin server lag today

Fri, 27 Feb 2026 00:00:00 +0000

Over 60% of client connections now support post-quantum encryption, yet origin server readiness remains the critical blind spot. Cloudflare radars 2023 overview of new tools and insights Cloudflare Radar exposes this disconnect by shifting visibility from edge metrics to the actual security posture of customer infrastructure. The platform's latest update argues that true durability requires auditable proof of hybrid key exchange deployment and rigorous routing security validation, not just theoretical compatibility.

Physical damage now drives global internet loss

Mon, 26 Jan 2026 00:00:00 +0000

Only one government shutdown occurred in Q4 2027, proving physical fragility now drives global connectivity loss more than political censorship. While 2025 saw a record 212 state-imposed outages across 28 countries, the final quarter marked a decisive shift where cable damage, power failures, and routine operational errors became the dominant disruptors. This transition highlights that the internet's greatest vulnerability is no longer the kill switch, but the decaying infrastructure supporting.

Route leak lessons: What the 25-minute Cloudflare outage...

Fri, 23 Jan 2026 00:00:00 +0000

A single automation error triggered a 25-minute BGP route leak that disrupted IPv6 traffic across Cloudflare's Miami infrastructure on January 22, 2026. Cloudflare's route leak incident january 22 2026 This incident highlights that despite industry progress, manual configuration errors remain a critical vulnerability in global routing stability. Readers will learn the precise mechanics of RFC 7908 violations, analyze the specific AS path anomalies involving AS13335, and explore how RFC 9234 adoption offers a viable path toward automated prevention.

Iran Network Blackout: Routing Withdrawn Fast

Tue, 13 Jan 2026 00:00:00 +0000

Iran's internet traffic collapsed by nearly 90% on January 8 as the state executed a near-total digital blackout. This event marks a strategic pivot from temporary censorship to permanent digital isolation, effectively severing the domestic network from global infrastructure to crush dissent. Cloudflare Radar data confirms that connectivity did not merely degrade; it was surgically dismantled through coordinated protocol suppression. Cloudflare's iran protests internet shutdown

Route leak mechanics: Not spyware, just code

Tue, 06 Jan 2026 00:00:00 +0000

Eleven distinct route leak events since December confirm AS8048 instability, not espionage.

The January 2 anomaly involving Nicolás Maduro's arrest was merely the latest symptom of CANTV's chronic misconfiguration rather than a targeted intelligence operation. Instead of malicious interception, the data points to a systemic failure to restrict route propagation beyond intended business relationships.