Heuristics and Rules: Why We Built a New Old WAF

We just rolled out an update to CloudFlare’s Web Application Firewall (WAF). Previously, CloudFlare’s WAF received criticism from people who tested it and found that it didn’t behave as traditional WAFs are expected to. That contrasted with the real-world experience of users who saw our WAF virtually eliminate actual web threats. Seemingly […]

DDoS Prevention: Protecting The Origin

One of the many great features that CloudFlare provides is protection from Distributed Denial of Service (DDoS) attacks. A malicious party who wants to make your website or web service unavailable could try to overwhelm it with requests from compromised machines (or bots) all around the world. With a large enough volume of requests, your […]

Government Surveillance: Why Transparency Matters

The web is one of the greatest inventions of human history because it has made the world more transparent. Fundamentally, that’s what the web does: it takes information that was inaccessible and opaque and makes it available and lucid. At CloudFlare, our mission is to build a better web. We hire great engineers to invent […]

Staying on top of TLS attacks

CloudFlare makes extensive use of TLS connections throughout our service, which makes staying on top of the latest news about security problems with TLS a priority. We use TLS both externally and internally, and different uses of TLS have different constraints. Broadly, there are three ways we use TLS: to handle HTTPS connections from web […]

Mirage 2.0: Solving the Mobile Browsing Speed Challenge

Almost exactly a year ago, CloudFlare announced a feature called Mirage. Mirage was designed to make the loading of images faster in two primary ways: 1) deliver smaller images for devices with smaller screens; and 2) “lazy load” images only when they appeared in the viewport. Both of these optimizations were designed primarily to accelerate […]

CloudFlare, PRISM, and Securing SSL Ciphers

Over the last week we’ve closely watched the disclosures about the alleged NSA PRISM program. At CloudFlare, we have never been approached to participate in PRISM or any other similar program. We do, from time to time, receive subpoenas and court orders. A human being on our team reviews each of these requests manually. When […]

What CloudFlare Logs

Over the last few weeks, we’ve had a number of requests for information about what data CloudFlare logs when someone visits a site on our network. While we have provided a Privacy Policy that outlines how we keep information private, I wanted to take the time to clarify our customer log retention policies. What CloudFlare […]

WordPress Botnet Brute Force Attacks

The huge brute force attack that took place earlier this month on WordPress sites around the globe is believed to have been the result of a massive “super botnet” conglomerate of computers, distributed across over 90,000 IP addresses. In the wake of the attack, concerns have been voiced that future use of this “super botnet” […]

Patching the Internet in Realtime: Fixing the Current WordPress Brute Force Attack

There is currently a significant attack being launched at a large number of WordPress blogs across the Internet. The attacker is brute force attacking the WordPress administrative portals, using the username “admin” and trying thousands of passwords. It appears a botnet is being used to launch the attack and more than tens of thousands of […]

The DDoS That Almost Broke the Internet

The New York Times this morning published a story about the Spamhaus DDoS attack and how CloudFlare helped mitigate it and keep the site online. The Times calls the attack the largest known DDoS attack ever on the Internet. We wrote about the attack last week. At the time, it was a large attack, sending […]