Archive by Author

Fresh insights from old data: corroborating reports of Turkmenistan IP unblocking and firewall testing

Here at Cloudflare, we frequently use and write about data in the present. But sometimes understanding the present begins with digging into the past. We recently learned of a 2024 turkmen.news article (available in Russian) that reports Turkmenistan experienced “an unprecedented easing in blocking,” causing over 3 billion previously-blocked IP addresses to become reachable. The […]

BGP zombies and excessive path hunting

Here at Cloudflare, we’ve been celebrating Halloween with some zombie hunting of our own. The zombies we’d like to remove are those that disrupt the core framework responsible for how the Internet routes traffic: BGP (Border Gateway Protocol). A BGP zombie is a silly name for a route that has become stuck in the Internet’s […]

Policy, privacy and post-quantum: anonymous credentials for everyone

The Internet is in the midst of one of the most complex transitions in its history: the migration to post-quantum (PQ) cryptography. Making a system safe against quantum attackers isn’t just a matter of replacing elliptic curves and RSA with PQ alternatives, such as ML-KEM and ML-DSA. These algorithms have higher costs than their classical […]

How to build your own VPN, or: the history of WARP

Linux’s networking capabilities are a crucial part of how Cloudflare serves billions of requests in the face of DDoS attacks. The tools it provides us are invaluable and useful, and a constant stream of contributions from developers worldwide ensures it continually gets more capable and performant. When we developed WARP, our mobile-first performance and security […]

One IP address, many users: detecting CGNAT to reduce collateral effects

IP addresses have historically been treated as stable identifiers for non-routing purposes such as for geolocation and security operations. Many operational and security mechanisms, such as blocklists, rate-limiting, and anomaly detection, rely on the assumption that a single IP address represents a cohesive, accountable entity or even, possibly, a specific user or device. But the […]

Measuring characteristics of TCP connections at Internet scale

Every interaction on the Internet—including loading a web page, streaming a video, or making an API call—starts with a connection. These fundamental logical connections consist of a stream of packets flowing back and forth between devices. Various aspects of these network connections have captured the attention of researchers and practitioners for as long as the […]

Defending QUIC from acknowledgement-based DDoS attacks

On April 10th, 2025 12:10 UTC, a security researcher notified Cloudflare of two vulnerabilities (CVE-2025-4820 and CVE-2025-4821) related to QUIC packet acknowledgement (ACK) handling, through our Public Bug Bounty program. These were DDoS vulnerabilities in the quiche library, and Cloudflare services that use it. quiche is Cloudflare’s open-source implementation of the QUIC protocol, which is the […]

Helping protect the 2025 Moldova elections

On Sunday, September 28, 2025, the Republic of Moldova held a parliamentary election that was described as a referendum on its geopolitical future. The election was conducted amid claims of Russian interference, both online and offline. Ensuring the security of the election infrastructure was a critical priority, not just to protect the vote count, but […]