February 2024 Summaries
17 posts from Cloudflare
Filter
Month:
Year:
Post Summaries
Back to Blog
Cloudflare has been part of an industry-wide effort to mitigate two critical DNSSEC vulnerabilities that exposed significant risks to critical infrastructures providing DNS resolution services. The company's public resolver 1.1.1.1 service was protected from both vulnerabilities before they were disclosed and is safe today. These vulnerabilities do not affect Cloudflare's Authoritative DNS or DNS firewall products. All major DNS software vendors have released new versions of their software, and all other major DNS resolver providers have also applied appropriate mitigations. Users are advised to update their DNS resolver software immediately if they haven't done so already. The Keytrap vulnerability (CVE-2023-50387) involves a malicious actor crafting a DNS response with multiple keys having the same key tag, causing additional work for DNS resolvers by trying every combination when validating responses. Mitigation includes limiting the maximum number of keys accepted at a zone cut and adding signature validations limits per RRSET and total signature validations limit per resolution task. The NSEC3 iteration and closest encloser proof vulnerability (CVE-2023-50868) involves a malicious DNS response from an authoritative DNS server setting high NSEC3 iteration counts and long DNS names with multiple labels to exhaust the computing resources of a validating resolver. Mitigation includes adding a limit for total hash calculations per resolution task to answer a single DNS question.
Feb 29, 2024
1,324 words in the original blog post.
Polyfill.io, a popular JavaScript library that helps developers work against a uniform environment by nullifying differences across old browser versions, has launched an alternative endpoint under cdnjs. This move aims to provide additional options for using polyfill and addresses concerns raised by the community following the transition of the domain polyfill.io to a new provider. The full implementation of polyfill.io is now available at https://cdnjs.cloudflare.com/polyfill/. Instructions on how to deploy a Cloudflare Worker for updating links are also provided.
Feb 29, 2024
897 words in the original blog post.
Cloudflare's Zaraz is transitioning out of beta and becoming available to all users. It helps manage and optimize third-party tools on websites without compromising speed, privacy, or security. The new pricing system for Zaraz will take effect on April 15, 2024. One significant change is the introduction of Zaraz Events as a metric for pricing. Every Cloudflare account can use 1,000,000 Zaraz Events per month for free. If more are needed, every additional 1,000,000 Zaraz Events cost $5 USD with volume discounting available for Enterprise accounts. All features of Zaraz will be available to all users regardless of their plan size. The new pricing model makes Zaraz an affordable and user-friendly solution for server-side loading of tools and tags compared to other third-party managers and tag management software.
Feb 29, 2024
745 words in the original blog post.
Cloudflare has open sourced Pingora, its Rust framework used for building services that power significant portions of traffic on the platform. The Apache License version 2.0-licensed Pingora is an async multithreaded framework designed to assist in constructing HTTP proxy services. It has handled nearly a quadrillion Internet requests across Cloudflare's global network since its last blog post.
The release of Pingora aims to help build a better and more secure internet beyond Cloudflare's infrastructure, providing tools, ideas, and inspiration for customers, users, and others to build their own internet infrastructure using a memory-safe framework. Collaborating with the Internet Security Research Group (ISRG) Prossimo project, Pingora is expected to advance adoption in critical internet infrastructure.
Pingora provides libraries and APIs to build services on top of HTTP/1 and HTTP/2, TLS, or just TCP/UDP. It supports HTTP/1 and HTTP/2 end-to-end, gRPC, and websocket proxying, with HTTP/3 support planned for the future. Pingora also offers customizable load balancing and failover strategies, as well as compatibility with OpenSSL and BoringSSL libraries for security and compliance purposes.
The open source framework is beneficial for those prioritizing security, performance-sensitive services, or requiring extensive customization. It provides filters and callbacks to allow users to fully customize how the service should process, transform, and forward requests. Pingora also supports zero downtime graceful restarts and integration with observability tools like Syslog, Prometheus, Sentry, OpenTelemetry, etc.
A simple load balancer example demonstrates Pingora's programmable API, highlighting its potential for building customized gateways or load balancers. The framework is not an executable binary but a library and toolset that can be used to power various applications. While the API stability is not guaranteed at this stage, support for non-Unix based operating systems is not currently on the roadmap.
Contributions are welcome via GitHub issue tracker or pull requests following the contribution guide.
Feb 28, 2024
1,447 words in the original blog post.
Cloudflare has announced 17 new AI models for its Workers platform, focusing on text generation, classification, code generation, image-to-text, and text-to-image tasks. The total number of AI models in the catalog is nearing 40, prompting a revamp of developer documentation to enable users to easily search and discover new models. Among the new additions are large language models (LLMs) such as falcon-7b-instruct, discolm_german_7b, and qwen1.5, which offer improved language support and innovative use of multi-query attention for high-precision responses. Additionally, new image generation models like Stable Diffusion XL Lightning have been introduced to enable powerful new image editing and generation use cases.
Feb 28, 2024
1,209 words in the original blog post.
Today, Cloudflare and Elastic announced new dashboards for their shared customers using Elastic's platform. These pre-built dashboards enable users to store, search, and analyze Zero Trust logs generated by Cloudflare. The integration provides comprehensive visibility into events related to Zero Trust, field normalization, efficient search and analysis capabilities, correlation and threat detection, and prebuilt dashboards tailored for each type of Zero Trust log. This collaboration aims to help organizations adopt a Zero Trust architecture more effectively and efficiently while strengthening their security posture.
Feb 22, 2024
1,079 words in the original blog post.
The EU Digital Services Act (DSA), which came into force on February 17, 2024, is a landmark piece of legislation that updates the 20-year-old EU e-commerce Directive. It sets out enhanced regulatory requirements for large digital platforms and affects both European users who create and disseminate online content and tech companies acting as intermediaries on the Internet. The DSA maintains strong liability protections for intermediary services, modernizing them to include important roles in the functioning of the Internet such as CDNs, reverse proxies, and technical services at the DNS level. It also establishes varying degrees of due diligence and transparency obligations for different service providers, with a proportionate approach that safeguards principles of proportionality, freedom of speech, and access to information. Cloudflare has engaged with European policymakers on intermediary liability and feels well-prepared to address the DSA's requirements.
Feb 19, 2024
920 words in the original blog post.
Cloudflare's Bot Management utilizes machine learning models to detect and mitigate automated bot traffic. The company constantly improves these models, incorporating the latest threat intelligence. Monitoring plays a crucial role in ensuring that the models continue to generalize with new threats, browsers, and bots. Machine learning monitoring provides insights into how the model behaves at a granular level without requiring extensive manual investigation. It helps identify bot score anomalies, monitor any model predictions or request fields, and deploy new models. The process involves generating labeled datasets for comparison against the model's bot scores, using specializations to focus on dimensions of interest, and integrating monitoring into Cloudflare's bots machine learning platform.
Feb 16, 2024
2,284 words in the original blog post.
In March 2023, Cloudflare introduced its Brand and Phishing Protection suite, beginning with Brand Domain Name Alerts to detect confusable domains that can be nearly indistinguishable from their authentic counterparts. Today, the company expands this toolkit with Logo Matching, a feature that allows brands to detect unauthorized logo usage by notifying users when Cloudflare detects their logo on an unauthorized site. This helps organizations defend against phishing attacks and protect their brand's reputation. The new Logo Matching feature is built upon the Brand Protection API, which enables users to submit logos for scanning and orchestrates the complex matching process. In the future, Cloudflare plans to add enhancements like automated cease and desist letters for swift legal action against unauthorized logo use and proactive domain monitoring upon onboarding.
Feb 15, 2024
1,025 words in the original blog post.
Cloudflare, a global network spanning over 310 cities in more than 120 countries, has launched the Authorized Service Delivery Partner (ASDP) program to provide diverse and robust service delivery landscape. The ASDP partners are authorized by Cloudflare to operate in distinct domains, reflecting their commitment to diversity and excellence in service delivery. These partners have been carefully curated for their expertise in various fields such as application services, Zero Trust, networking, edge service categories, and more. They play a crucial role in tailoring Cloudflare's offerings to the nuanced needs of customers worldwide. The company is looking forward to expanding its ASDP partner portfolio and enhancing its service partner program with new specializations for MSPs, solution factory featuring service blueprints, partner skillboost program, and elevating service quality in 2024.
Feb 14, 2024
2,127 words in the original blog post.
Cloudflare has launched a program for certified Zaraz developers to assist customers with setting up and managing third-party tools on their websites using Zaraz. The certified developers have undergone extensive training and passed an examination to demonstrate their expertise in the tool. These developers are available to help with migration, configuration, and ongoing support. Additionally, Cloudflare has made a majority of the course materials used for training available online for free through its YouTube playlist for the Zaraz Developer Certification Program.
Feb 13, 2024
493 words in the original blog post.
The article discusses the impact of Super Bowl LVIII on internet traffic, focusing on advertisements, food delivery services, social media, sports betting, and local trends in Kansas City and San Francisco. It highlights that while URLs are less common in ads, they still drive significant traffic to associated websites. Food delivery app traffic remained constant during the game, with a spike when the DoorDash advertisement aired. Social media saw increased activity during major plays and halftime show. Sports betting site traffic remained above baseline throughout the game except for halftime. The article also notes that email threats related to Super Bowl/football, sports media/websites, sports gambling, and food delivery rose in the weeks leading up to the event.
Feb 12, 2024
2,524 words in the original blog post.
Cloudflare has successfully defeated patent trolls Sable IP and Sable Networks in court after three years of litigation. The jury found that Cloudflare did not infringe on the patent asserted against it, and also determined that the patent claim was invalid and should never have been granted. This marks another win for Cloudflare's Project Jengo, which crowdsources prior art to help fight patent trolls. Since launching this round of Project Jengo, Cloudflare has awarded $70,000 in prizes to participants who submitted strong prior art. The company plans to distribute the remaining $30,000 after concluding the case per the Project Jengo Rules.
Feb 12, 2024
1,893 words in the original blog post.
Cloudflare has developed three solutions to solve the problem of port selection performance bottlenecks in TCP connections:
1. The "select, test, repeat" solution involves creating a socket and trying to connect repeatedly with different source IP addresses until a free port is found. This method can be time-consuming.
2. The second solution is called "select port by random shifting range". It generates a random offset within the ephemeral port range and then tries to bind to that shifted range. If it fails, it shifts the range again randomly until a free port is found.
3. The third solution involves using a new patch introduced in kernel versions 6.8 and later. This solution eliminates the need for window shifting and instead uses a similar approach to "select port by random shifting range" such that the start offset is randomized to be even or odd, but then loops incrementally rather than skipping every other port.
The user space implementation of these solutions results in better performance compared to TCP's default behavior. The kernel solution performs slightly faster due to algorithm improvements and the ability to always find a port given the full search space of the range. These solutions can help improve the connect() latency for workloads with high numbers of unicast egress connections.
In addition, other protocols such as UDP and DCCP also benefit from these port selection strategies, although they may have some differences in how ports are selected and managed. It is recommended to explore and measure your own systems to determine which strategy works best for your specific needs.
Feb 08, 2024
2,902 words in the original blog post.
The traditional definition of Secure Access Service Edge (SASE) as the combination of Security Service Edge (SSE) and Software-Defined Wide Area Networking (SD-WAN) is insufficient, leading to performance and security tradeoffs. Single-vendor SASE is a critical trend that aims to converge disparate security and networking technologies. Cloudflare has launched updates to its SASE platform, Cloudflare One, to further the promise of single-vendor SASE architecture. These updates include flexible on-ramps for site-to-site connectivity, new WAN-as-a-service (WANaaS) capabilities, and Zero Trust connectivity for DevOps. The Magic WAN Connector is a lightweight device that customers can use to establish zero-touch connectivity to Cloudflare One, replacing other networking hardware such as legacy SD-WAN devices, routers, and firewalls.
Feb 07, 2024
2,447 words in the original blog post.
Cloudflare has announced the release of several new machine learning (ML) models that developers can use with its Workers AI platform. The newly added models include Whisper, a large language model developed by OpenAI; GPT-J, an open-source alternative to GPT-3 from EleutherAI; and Pythia, a suite of foundation models from EleutherAI. Additionally, Cloudflare has updated its existing Llama 2 model with support for the AI21 J-1 and Text-Davinci-002 models.
The new ML models are designed to improve natural language processing (NLP) capabilities within applications built using Cloudflare's Workers platform. By providing developers with access to state-of-the-art language processing tools, these updates enable the creation of more advanced and sophisticated AI applications.
To help developers get started with these new models, Cloudflare has also released a set of developer documentation outlining how to use each model within their applications. This includes detailed explanations of each model's capabilities and limitations, as well as code examples demonstrating best practices for integrating them into custom workflows.
Overall, this update represents a significant expansion of Cloudflare's ML offerings, making it easier than ever before for developers to build powerful AI-driven applications at scale.
Feb 06, 2024
1,251 words in the original blog post.
In September 2022, a sophisticated threat actor targeted Cloudflare's network. The attacker compromised an employee's personal computer and gained access to the company's systems through the employee's VPN connection.
The intruder then used their access to move laterally within Cloudflare's network, escalate privileges, and ultimately steal sensitive data from several internal systems. Although the attacker managed to exfiltrate some information, no customer data was compromised during this incident.
Cloudflare immediately launched an investigation into the breach, collaborating with external cybersecurity firms like CrowdStrike. The company identified multiple indicators of compromise (IOCs) associated with the threat actor and took steps to mitigate any potential future attacks.
In response to the breach, Cloudflare implemented various security improvements across its infrastructure, including enhancing employee training on best practices for securing their personal devices, strengthening access controls, and improving detection capabilities. Additionally, the company conducted a thorough review of its incident response processes and made necessary adjustments to ensure better preparedness against future cyberattacks.
The Cloudflare security breach serves as a reminder that even highly secure organizations can fall victim to sophisticated threat actors. It highlights the importance of maintaining strong security postures through regular assessments, continuous monitoring, and prompt incident responses.
Feb 01, 2024
2,850 words in the original blog post.