
Category Archives for "Networking"

Turning Cloudflare’s threat indicators into real-time WAF rules

Cloudflare’s Threat Events provides security analysts with a window into the global threat landscape. The platform offers a peek into the immense traffic that Cloudflare processes every day, so you can see in real time which IPs are attacking specific industries or which threat actors are trending globally. However, translating that visibility into active mitigation has often been a manual, reactive process.

Security teams have faced a recurring frustration: they knew that certain IP addresses were associated with specific threat actors (like Tycoon 2FA or RaccoonO365) or had been seen targeting their specific industry in other regions, but they couldn't easily automate the blocking of these high-risk IPs within their own WAF unless they manually configured the rules.

We are excited to announce a new integration that brings Cloudflare’s vast threat intelligence directly into your WAF engine: you can now write proactive rules using live intelligence data. This means you can add more intelligence context to protect your application against known bad actors — before they even attempt to touch your infrastructure.

By populating specialized fields during the early stages of a request, the WAF can now screen traffic based on:

netlab 26.06: OSPFv3 on FortiOS, MPLS/VPN on SR Linux

netlab release 26.06 adds OSPFv3 support on FortiOS (by @a-v-popov) and MPLS/VPN support on SR Linux. We also ensured the installation scripts work on Ubuntu 26.04 (everything else was OK) and updated the installed Vagrant version to 2.4.9 (we’re not using new Vagrant features; you don’t have to upgrade it in an existing installation).

Other than that, we added a few improvements and squashed a number of bugs.

Upgrading or Starting from Scratch?

The Evolution of Energy Buffer Technology for Future Vehicle Efficiency

Amid accelerating automotive innovation, vehicle technology continues to undergo significant development to support energy efficiency and sustainability. One breakthrough that is becoming popular is the smart-technology-based energy buffer, which can manage energy optimally in future vehicles. This article discusses the evolution of intelligent energy buffer technology and its vital role in the transformation of modern vehicles.

What Is an Energy Buffer?

An energy buffer is a temporary energy storage system that stabilizes and optimizes energy distribution in a vehicle. The system stores energy when there is surplus power and releases it again when energy demand rises, ensuring more efficient consumption and reducing wasted energy.

In the vehicle context, an energy buffer is usually integrated with the main battery and energy regeneration systems, such as regenerative braking in electric and hybrid vehicles. Its main function is to improve vehicle performance while reducing emissions.

The Role of Vehicle Technology in Improving Energy Efficiency

As vehicle technology develops, the need to optimize energy use becomes more pressing. Efficient energy use not only reduces fuel consumption but also extends the life of the vehicle and its supporting components.

The intelligent energy buffer is a smart solution with features such as:

  • Automatic Energy Management: Regulates energy flow in real time according to the driver's needs and road conditions.
  • Integration with Other Vehicle Systems: Works together with the ECU Continue reading

The Potential of the Cassava-Derived Products Industry to Boost the Village Economy

Cassava is a food crop that plays an important role in food security in Indonesia. Besides being easy to cultivate, cassava also tolerates a wide range of environmental conditions, making it highly promising as a raw material for the food industry. In recent years, the processed cassava products industry has begun to show significant growth, offering a major opportunity to increase added value and lift village economies.

Why Is Cassava a Leading Raw Material?

Cassava has many advantages over other food crops:

  • Abundant availability: Cassava can grow in almost every region of Indonesia, including areas with less fertile soil.
  • Easy to process: Cassava can be processed into a variety of products with high market value.
  • Good nutritional value: As a source of carbohydrates, cassava is also rich in fiber and several kinds of minerals.
  • Long-lasting: Processed cassava products usually have a longer shelf life than fresh cassava.

For the reasons above, cassava has strong potential to become a main raw material in a food industry that can have a positive impact on the local economy.

The Range of Processed Cassava Products in the Food Industry

The cassava-derived products industry has grown quite broadly, with a variety of interesting processed-product innovations, including:

  • Cassava flour: Used as a substitute for wheat flour, especially for those who are allergic Continue reading

Best of the Hedge: Episode 15, Supporting Open Source

Many companies rely on open source, regardless of whether or not they realize it. In this best of the Hedge episode, Alistair Woodman joins Russ White and Tom Ammon to talk about not only why you should support the open source projects you use, but how you can.
 

Reposting a classic episode this week because I was out of town and didn’t get around to editing an episode.

Your AI bill is out of control. Cloudflare can fix it now. 

There isn't a CIO on the planet not worried about AI spend right now. CFOs are increasingly nervous, too.

For fear of falling behind, many companies have pushed their employees to use AI as aggressively as possible. The edict was clear: "Move fast, we'll figure out the bill later." And for the most part, it worked: AI has been genuinely transformational for the teams that leaned in.

But the costs are real: we’ve heard countless horror stories of huge bills and painful overages on token spend.

Today, we're announcing spend controls in Cloudflare AI Gateway, and a closed beta for identity-driven budgets and routing using Cloudflare Access and your existing identity provider.

As we’ve spoken with hundreds of companies about their AI strategy, we’ve seen a common story: The company gives every engineer access to frontier models through a shared API key. Usage takes off. At the end of the month, finance pulls the invoice and nobody can explain where the money went. Was it the machine learning team training a new pipeline? Was it an intern running Claude Opus on email triage? Was it a runaway continuous integration job that burned through 50 million tokens in a weekend? Continue reading

Lab: Implementing VRF-Lite with VXLAN

Did you know that you can implement a VRF-Lite design with VXLAN? All you need are devices that can run VRF routing protocols over VXLAN-backed VLAN segments.

Compared to the “traditional” VRF-Lite design, in which you need a set of VLANs on every link and every device running the routing protocol for every VRF, the VXLAN-based design needs just IP routing on the core switches, resulting in a design that’s pretty close to what we were building with DMVPN (without IPsec and NHRP complications).

VoidZero is joining Cloudflare

VoidZero, the company behind Vite, Vitest, Rolldown, Oxc, and Vite+, is joining Cloudflare. As part of this change, all team members of VoidZero are joining Cloudflare, too.

Before saying anything else, we want to make the most important thing clear: Vite, Vitest, Rolldown, Oxc, and Vite+ will stay open source, vendor-agnostic, and community-driven. Nothing about that changes.

Cloudflare's mission is to help build a better Internet. And a better Internet is an open Internet. Developers need choice, frameworks need a neutral foundation, and applications need to be portable. It is not reasonable to expect the entire web ecosystem to build around a single vendor. The most important tools and frameworks are portable by design.

Vite is one of the few foundational tools that the whole JavaScript ecosystem agrees on. It earned that position by being fast, excellent, portable, and vendor-neutral. One of the best ways Cloudflare can help build a better Internet is by investing in that foundational open source toolchain. A toolchain that makes the Internet better for everyone, not just people who use Cloudflare or choose to host with us.

Over the last few years we've invested heavily in making Cloudflare the best Continue reading

Using netlab to Argue with Vendor TAC

A happy netlab user sent me an unexpected use case: they successfully used its multi-vendor capabilities to argue with a vendor TAC. Here’s the gist of the story (edited/anonymized for obvious reasons):

They deployed a configuration change that resulted in an unexpected outage. The outage partially disrupted the data center network, so they didn’t have the luxury of collecting data and reproducing the issue, as they had to roll back the change as expeditiously as possible.

Multi-Layer Policy for Securing AI Agents

As part of our work at Tigera building products that create secure runtime environments for enterprise agents at scale in the real world, one small part of this puzzle I think about a lot is policy, and runtime enforcement of policy, and how to create a comprehensive secure runtime, configured from one place. The more companies we talk to trying to lock down and secure these platforms at runtime, the more I believe AI Agent security needs policy in multiple places, not just one (e.g., not just at the gateway layer), and ideally expressed in the same policy language.

At the L7 gateway layer, every agent call is observable: who is calling, what they are calling, what attributes both sides carry, what the requested action is. This is where you decide whether an agent should be permitted to talk to a particular MCP server, invoke a particular tool, delegate to another agent, or call a particular LLM. The atoms of policy here are identity, action, resource, and context.

At the agent runtime layer, or kernel layer in a container, what the agent does inside its own runtime is observable: syscalls, file access, library loads, network connections that bypass Continue reading

Enforcing the First AS in BGP AS_PATHs

Some recent route hijacks reported by Spamhaus captured our attention. In many of these hijack attempts, an apparent bad actor took advantage of unused autonomous system numbers, or ASNs. Notably in these hijacks, the actor appears to be creating fake AS_PATHs toward destinations, misdirecting traffic down an unexpected path. 

By creating forged AS_PATHs, the hijacker is attempting to lead traffic somewhere it isn’t normally meant to go while also trying to conceal their identity. A hijacker could strip enough information away from a network path that they could pretend to be the origin of a Border Gateway Protocol (BGP) prefix themselves. Attackers can use this hijacked route to intercept traffic and for other nefarious purposes.

There is a simple solution for these cases: basic verification that a BGP peer autonomous system (AS) always includes their network as the “First AS” in an advertised route. To get a sense of how well these safeguards are implemented, we stress-tested several major networks and researched their BGP implementations. Read on to see what we learned.

Examining route hijacks involving forged paths

The idea that an actor is creating fake AS_PATHs is supported when we take a closer look at implausible AS Continue reading

EVPN Centralized Routing with Arista EOS

A month ago, I described ARP issues in EVPN centralized routing design, and Naveen Kumar Devaraj was kind enough to add some Arista EOS implementation details. Today, let’s explore what EVPN routes Arista EOS generates in that scenario. We’ll use a very simple lab topology with a spine switch acting as a router. The leaf switches are layer-2 switches.

Packet forwarding in centralized routing design
