February 2023 Summaries
13 posts from Cloudflare
Filter
Month:
Year:
Post Summaries
Back to Blog
In this blog post, we introduced BigPineapple, a platform that leverages WebAssembly (Wasm) and Rust to power 1.1.1.1, one of Cloudflare's flagship products. We discussed the reasons behind building such a sandboxed environment, and how it improves on previous designs by providing isolation, security, and portability.
The BigPineapple platform uses Wasm as its foundation, which allows running code in a secure sandbox. This means that even if an app has a bug or is malicious, it won't be able to compromise the host system. Furthermore, Wasm apps can run on any platform that supports WebAssembly, without needing recompilation, which makes them portable across different architectures and operating systems.
To illustrate how this sandboxed environment works, we introduced a pseudo code for implementing pollable functions in Rust. This example shows how to implement a pollable function in Rust to enable asynchronous programming using Wasm (Wasm) host calls.
In the section of this blog post, we discussed the reasons behind building such a sandboxed environment, and how it improves on previous designs by providing isolation, security, and portability.
In the Sandbox section of this blog post, we introduced Rust as our choice for writing code that runs inside such environments. By doing so, we are not only improving upon the previous design approaches but also making it easier for developers who want to write high-quality performance programs that take advantage of asynchronous programming features functionalities provided by WebAssembly (Wasm)) and Rust respectively.
Feb 28, 2023
4,375 words in the original blog post.
- NGINX is a popular reverse proxy and HTTP cache.
- Cloudflare uses NGINX for several features such as rate limiting, WAF rules, and WebSockets proxying.
- ROFL (Rate-Optimized Functional Language) is an application layer language designed by the Cloudflare team to handle HTML rewriting tasks in a memory-safe manner.
- The main motivation for building ROFL was that Rust was seen as a better choice than LuaJIT due to its safety and speed.
- ROFL has been tested with real customer traffic, showing promising results.
REF: https://blog.cloudflare.com/rofl-nginx-rust/```
Feb 24, 2023
4,030 words in the original blog post.
The conflict between Russia and Ukraine has caused significant damage to physical infrastructure, including fiber-optic cables and mobile networks, which are crucial for maintaining internet access. Despite this damage, Ukrainian internet service providers (ISPs) have been able to reroute traffic through other routes or use satellite internet connections as backup options, demonstrating the resilience of Ukraine's internet infrastructure. This has enabled people in Ukraine to continue communicating and sharing information during the ongoing conflict.
Source: Cloudflare Radar - https://blog.cloudflare.com/one-year-of-russian-ukrainian-conflict-and-the-internet/
```
SUMMARY:
Feb 23, 2023
4,874 words in the original blog post.
The rising threat of cyber attacks has made it essential for companies to adopt proactive strategies in their approach to cybersecurity. As remote or hybrid work becomes the norm, businesses are recognizing that traditional perimeter-based security models are no longer sufficient. Zero Trust, a concept based on verifying the identity and trustworthiness of all users, devices, and systems accessing networks and data, has emerged as an effective strategy to ensure cybersecurity resilience.
While many organizations have begun implementing Zero Trust methods and technologies, only some have fully implemented them throughout the organization. To overcome implementation challenges and provide clear leadership, the role of Chief Zero Trust Officer (CZTO) is becoming increasingly common in large enterprises. The CZTO will lead the Zero Trust initiative, align teams, and break down barriers to achieve a smooth rollout, emphasizing the importance of Zero Trust in the company.
Feb 21, 2023
1,375 words in the original blog post.
Cloudflare has announced the deprecation of version 1 of its CLI tool, Wrangler. Developers are urged to upgrade to version 2 for continued support and updates. The decision comes after a total rewrite of Wrangler, which aimed to simplify common workflows, incorporate powerful tools, and align with Cloudflare's goals for development on its platform. A migration guide is available to assist users in upgrading.
Feb 16, 2023
476 words in the original blog post.
The Super Bowl LVII had a significant impact on internet traffic levels in cities hosting NFL teams and their respective states. In both Arizona, where the game took place, and Pennsylvania, home of the Philadelphia Eagles, there were clear drops in internet traffic at key moments during the match, such as before the start of play, during the halftime show by Rihanna, and after the final whistle.
The impact was most pronounced during Rihanna’s performance, with traffic dropping across all states with NFL teams. In Pennsylvania, it fell to 33% below its usual level at that time, while in Arizona, it reached a low point of 29%. Traffic levels quickly returned to normal after the game ended.
The data also indicates that Internet traffic dips during major events like the Super Bowl and halftime shows, suggesting that people are less likely to browse online during such times.
Feb 13, 2023
3,228 words in the original blog post.
Over the weekend, numerous record-breaking HTTP/2-based DDoS attacks were detected and mitigated by Cloudflare. The largest attack exceeded 71 million requests per second (rps), making it the highest reported HTTP DDoS attack on record, significantly surpassing the previous peak of 46M rps from June 2022. These attacks originated from over 30,000 IP addresses and targeted websites protected by Cloudflare. The affected sites included popular gaming providers, cryptocurrency companies, hosting providers, and cloud computing platforms.
As more DDoS attacks emerge from cloud computing providers, Cloudflare plans to provide a free Botnet threat feed for service providers that own their autonomous system. This feed will offer IP space-specific threat intelligence on attacks.
The frequency, sophistication, and size of DDoS attacks have been increasing, with HTTP DDoS attack numbers rising by 79% year over year. In November 2022, one out of every four surveyed customers faced Ransom DDoS attacks or threats. To defend against these attacks, organizations should ensure proper settings for managed rules and consider enabling adaptive DDoS protection, deploying firewall rules and rate limiting rules, utilizing Bot Management threat scores in firewall rules, and enabling alert systems.
Feb 13, 2023
1,231 words in the original blog post.
In a recent announcement, Cloudflare revealed Wildebeest - an open-source project that aims to make it easier for developers to create Mastodon-compatible servers. Mastodon is a popular open-source social network system, often seen as an alternative to Twitter. It's designed in such a way that allows people to host their own social networks and connect them together.
Wildebeest was created by Cloudflare after the company had experienced issues with its previous hosting provider for Mastodon. The announcement also mentioned that Wildebeest is powered entirely by Cloudflare's products, including Workers, Pages, R2 storage, and more. This showcases the power and versatility of these tools when used together effectively.
In addition to providing an easy-to-use platform for creating Mastodon servers, Wildebeest also offers several benefits such as increased performance, scalability, security enhancements, etc. For instance, it uses Cloudflare's global network to serve content quickly and efficiently regardless of where the user is located geographically.
Furthermore, unlike some other hosting platforms which can be quite complex and difficult to navigate for beginners, Wildebeest aims to simplify this process by providing clear instructions and tutorials on how to get started with setting up a Mastodon server from scratch. This makes it an ideal choice for developers who are new to the world of social networking or those who want to try out their hand at creating their own community platform.
Overall, the introduction of Wildebeest is an exciting development that has the potential to significantly impact the way we interact with online communities in the future. By making it easier and more accessible for developers to create Mastodon-compatible servers, Cloudflare hopes to contribute towards building a healthier, more decentralized internet ecosystem where everyone can have their own voice heard without being subjected to undue censorship or manipulation from large corporations or governments.
While there are still many challenges that need to be addressed before this vision becomes fully realized, the launch of Wildebeest represents an important first step towards achieving this goal and paving the way for a brighter digital future for all.
Feb 08, 2023
4,270 words in the original blog post.
On February 2, an unusual bandwidth throttle was applied by a Cloudflare engineer to a customer's website, causing it to become unusable. This throttle was mistakenly believed by the support team to be due to a breach of their agreement, but the customer was actually following their plan and not in violation. The incident resulted in internal confusion and poor communication between teams at Cloudflare. They are now establishing clear rules for such actions with multiple levels of approval and improving tooling to reflect this. They also aim to improve terms of service and provide clear explanations to users about permitted services under self-service plans.
Feb 07, 2023
820 words in the original blog post.
Cloudflare has announced enhancements to its HTTP alerting feature, allowing customers more flexibility and customization options. Previously, HTTP alerts were generic with limited filtering capabilities. The new advanced HTTP alerts enable users to filter and organize notifications based on origin response status codes, edge response status codes, alert sensitivity/SLO, client IPv4/IPv6 addresses, and specific zones. These improvements provide more sophisticated monitoring options for customers, helping them answer important questions about their traffic patterns and investigate potential issues. The new features are available to all Enterprise customers and can be set up by account-level administrators.
Feb 03, 2023
443 words in the original blog post.
Cloudflare has announced new egress policy controls for administrators to manage which dedicated egress IP is used and when. This feature offers more control over traffic validation methods, even as organizations adopt modern, cloud-delivered proxy services like secure web gateways (SWGs) and deprecate their complex on-premise appliances. Enterprise customers can use a rule builder in the Cloudflare dashboard to create rules based on attributes such as identity, application, IP address, and geolocation. These policies enhance user experience and security for organizations with hybrid work environments while reducing reliance on VPNs.
Feb 03, 2023
1,135 words in the original blog post.
In November 2022, a critical vulnerability was reported to Cloudflare's bug bounty program. The issue involved using DNS records based on IPv4-mapped IPv6 addresses to bypass network policies and access ports on loopback addresses of servers. Upon receiving the report, Cloudflare's Security Incident Response Team (SIRT) quickly deployed a hotpatch within three hours to prevent exploitation. An investigation revealed that the vulnerability was caused by two bugs in their internal DNS and HTTP systems. To remediate the issue, a fix was implemented in the proxy service to validate IP addresses correctly. No evidence of previous exploitation was found, and regular security reviews and audits continue to enhance Cloudflare's services.
Feb 02, 2023
1,091 words in the original blog post.
Healthcare organizations worldwide have been targeted by pro-Russian hacktivist group Killnet, prompting an increase in requests for assistance mitigating these types of attacks. The rise in political tensions and the conflict in Ukraine have contributed to this growing cybersecurity threat landscape. Distributed-denial-of-Service (DDoS) attacks do not require intrusion or a foothold in the target network, making them more accessible than ever before. While Cloudflare has been automatically detecting and mitigating these attacks on behalf of its customers, additional precautionary measures are recommended to improve security posture, including enabling adaptive DDoS protection, deploying firewall rules, and caching as much data as possible. Defenders who leverage automated defenses have a significant advantage over those who do not.
Feb 02, 2023
647 words in the original blog post.