Understanding and mitigating NTP-based DDoS attacks
Over the last couple of weeks you may have been hearing about a new tool in the DDoS arsenal: NTP-based attacks.
CloudFlare Transparency Report on National Security Orders
Earlier today, the Department of Justice and the Director of National Intelligence announced a change in rules governing the disclosure of National Security Orders, including National Security Letters...
Technical Details Behind a 400Gbps NTP Amplification DDoS Attack
On Monday we mitigated a large DDoS that targeted one of our customers. The attack peaked just shy of 400Gbps. We've seen a handful of other attacks at this scale, but this is the largest attack we've...
It's Go Time on Linux
Some interesting changes related to timekeeping in the upcoming Go 1.3 release inspired us to take a closer look at how Go programs keep time with the help of the Linux kernel. Timekeeping is a complex...
The weird and wonderful world of DNS LOC records
A cornerstone of CloudFlare's infrastructure is our ability to serve DNS requests quickly and handle DNS attacks. To do both those things we wrote our own authoritative DNS server called RRDNS in Go....
Introducing CNAME Flattening: RFC-Compliant CNAMEs at a Domain's Root
This post is about a new feature we've been quietly rolling out over the last few months. Last week we began enabling it for everyone by default. It's called CNAME Flattening and it's a bit geeky, but...
Answering the Critical Question: Can You Get Private SSL Keys Using Heartbleed?
The widely-used open source library OpenSSL revealed on Monday it had a major bug, now known as "heartbleed". By sending a specially crafted packet to a vulnerable server running an unpatched version...
The Heartbleed Aftermath: all CloudFlare certificates revoked and reissued
Eleven days ago the Heartbleed vulnerability was publicly announced.
Searching for The Prime Suspect: How Heartbleed Leaked Private Keys
Within a few hours of CloudFlare launching its Heartbleed Challenge the truth was out. Not only did Heartbleed leak private session information (such as cookies and other data that SSL should have been...
BPF - the forgotten bytecode
Every once in a while I run into an obscure computer technology that is a hidden gem, which over the years has become mostly forgotten. This is exactly how I feel about the tcpdump tool and its kernel...
CloudFlare is PCI Certified
Great news for everyone using CloudFlare on an e-commerce site, or a site accepting or processing credit card transactions.
Eliminating the last reasons to not enable IPv6
Today is June 6. For the last two years, the date has been celebrated as World IPv6 Day. CloudFlare has offered full IPv6 support as well as our IPv6-to-IPv4 gateway since 2012. In preparation for this...
CloudFlare's 25th data center turns up to ease collective disappointment of...
After a drubbing earlier today of La Roja by The Flying Dutchmen, we felt obliged to deliver at least one piece of good news to the 34 million fútbol-loving Internet users in Spain: CloudFlare's 25th...
Making code better with reviews
In the past we've written about how CloudFlare isn't afraid to rip out and replace chunks of code that have proved to be hard to maintain or have simply reached end of life. For example, we wrote a brand...
Introducing the BPF Tools
In a recent article I described the basic concepts behind the use of Berkeley Packet Filter (aka BSD Packet filter or BPF) bytecode for high performance packet filtering, and the xt_bpf iptables...
Introducing CFSSL - CloudFlare's PKI toolkit
Today we’re proud to introduce CFSSL—our open source toolkit for everything TLS/SSL. CFSSL is used internally by CloudFlare for bundling TLS/SSL certificates chains, and for our internal Certificate...
Experimenting with mozjpeg 2.0
One of the services that CloudFlare provides to paying customers is called Polish. Polish automatically recompresses images cached by CloudFlare to ensure that they are as small as possible and can be...
CloudFlare Now Supports WebSockets
I'm pleased to announce that CloudFlare now supports WebSockets. The ability to protect and accelerate WebSockets has been one of our most requested features. As of today, CloudFlare is rolling out...
Go interfaces make test stubbing easy
Go's "object-orientation" approach is through interfaces. Interfaces provide a way of specifying the behavior expected of an object, but rather than saying what an object itself can do, they specify...
How Stacks are Handled in Go
At CloudFlare, we use Go for a variety of services and applications. In this blog post, we're going to take a deep dive into some of the technical intricacies of Go.
Shellshock protection enabled for all customers
On Thursday, we rolled out protection against the Shellshock bash vulnerability for all paying customers through the CloudFlare WAF. This protection was enabled automatically and immediately starting...
Introducing Universal SSL
The team at CloudFlare is excited to announce the release of Universal SSL™. Beginning today, we will support SSL connections to every CloudFlare customer, including the 2 million sites that have...
Hackers Exploiting the System with Shellshock
A look inside a very scary security hack.
Inside Shellshock: How hackers are using it to exploit systems
Universal SSL: How It Scales
On Monday, we announced Universal SSL, enabling HTTPS for all websites using CloudFlare’s Free plan.