Forget IPs: using cryptography to verify bot and agent traffic
With the rise of traffic from AI agents, what’s considered a bot is no longer clear-cut. There are some clearly malicious bots, like ones that DoS your site or do credential stuffing, and ones that most site owners do want to interact with their site, like the bot that indexes your site for a search engine, or ones that fetch RSS feeds.
Historically, Cloudflare has relied on two main signals to verify legitimate web crawlers from other types of automated traffic: user agent headers and IP addresses. The User-Agent header allows bot developers to identify themselves, i.e. MyBotCrawler/1.1. However, user agent headers alone are easily spoofed and are therefore insufficient for reliable identification. To address this, user agent checks are often supplemented with IP address validation, the inspection of published IP address ranges to confirm a crawler's authenticity. However, the logic around IP address ranges representing a product or group of users is brittle – connections from the crawling service might be shared by multiple users, such as in the case of privacy proxies and VPNs, and these ranges, often maintained by cloud providers, change over time.
Cloudflare will always try to block malicious bots, but Continue reading
N4N026: What Is a Tunnel?
Let’s dig into tunnels. While some network engineers may want to quibble, a tunnel is when you put one packet inside of another packet to carry it across a network (frames also come into the picture, so hold off on your follow-ups for now). On today’s N Is For Networking, Ethan and Holly explore this... Read more »D2DO272: The Physics of DevOps
How do you measure developer performance and productivity? On today’s Day Two DevOps, we look at different methods with guest Laura Tacho, the CTO at DX. We explore industry benchmarks such as the DORA report, SPACE, and DevEx. Laura also introduces us to Core 4, a project she’s been working on that provides a new... Read more »Response: CLI Is an API
Andrew Yourtchenko and Dr. Tony Przygienda left wonderful comments to my Screen Scraping in 2025 blog post, but unfortunately they prefer commenting on a closed platform with ephemeral content; the only way to make their thoughts available to a wider audience is by reposting them. Andrew first:
I keep saying CLI is an API. However, it is much simpler and an easier way to adapt to the changes, if these three conditions are met:
Creating, Modifying, and Deleting Data in Infrahub Using the Python SDK
The Infrahub Python SDK allows you to interact with Infrahub programmatically and can be used to query, create, modify, and delete data. In a previous blog post, we looked at how to query data using the Python SDK and explored various examples, including filters, relationships, and how to retrieve related data.
Originally published under - https://www.opsmill.com/infrahub-python-sdk-create-modify-delete/
In this post, we’ll focus on how to create, modify, delete and upsert data using the SDK. We’ll walk through practical examples that show how to add new resources, update existing ones, and delete data from Infrahub.
Throughout this post, we’ll be using the Infrahub sandbox, which is freely available. The sandbox already has some data in it, so if you’d like to follow along or try this yourself, you can use it without needing to set up anything.
Initial Setup
In the previous post, we covered the basics of using the Python SDK, including how to install it and set up the client object. If you’re new to the SDK, I recommend going back to that first article to start from the install.
To get started today, I’ve generated an API token on the Infrahub demo instance Continue reading
PP062: Hunting for Host Security and Performance Issues with Stratoshark
Stratoshark is a new tool from the Wireshark Foundation that analyzes system calls on a host. Network, security, and application teams can use Stratoshark to diagnose performance issues and investigate behavior that may indicate malware or other compromises of the host. On today’s Packet Protector we talk with Gerald Combs of the Wireshark Foundation about... Read more »HW052: How Capable Is My Wi-Fi Client?
Today on Heavy Wireless we welcome Francois Verges, who designed a database tool to help Wi-Fi engineers easily find client device capabilities. It provides quick access to key specs like data rates, Wi-Fi versions, and vendor documentation. It’s designed to be a go-to option when looking for Wi-Fi client specifications. We discuss why he developed... Read more »NB526: Cisco Unveils Quantum Networking Prototype; Arista Earns Record Revenues
Take a Network Break! We start with follow-up from a listener on the best way to listen to our podcast that helps the most. The answer? Any listen on any platform helps. Even better is to tell a friend! We discuss two critical security issues. First, CISA adds active exploits against known SonicWall vulnerabilities to... Read more »Tech Bytes: Sharpen Your Wireshark Skills at SharkFest’25 US (Sponsored)
SharkFest is the twice-yearly conference where Wireshark users and trainers gather to learn, share, and improve their packet and protocol analysis skills. The US version of SharkFest’25 is June 14 -19 in Richmond, VA. Gerald Combs of the Wireshark Foundation is here to tell us about why this live event needs to be on your... Read more »netlab 2.0.0: Hosts, Bridges, and SRv6
netlab release 2.0.0 is out. I spent the whole week fixing bugs and running integration tests, so I’m too brain-dead to go into the details. These are the major features we added (more about them in a few days; the details are in the release notes):
- Well-defined node roles (host, router, bridge) are now available on multiple platforms
- The firewall.zonebased plugin allows you to configure a rudimentary firewall
- SRv6: BGP L3VPN support is now available for FRRouting, so you can go out and kick its (free) tires.
- bridge nodes can be used as simple bridges or to implement multi-access links
- netlab defaults command provides sysctl-like CLI interface to user/system defaults.
Other changes include:
HN780: The Whys and Hows of Automated Network Testing
On today’s Heavy Networking we talk with Dan Wade about testing the network, inspired by Dan’s talk at AutoCon 2: “Step 0: Test the Network.” We discuss why testing is a good idea, and then explore four types of network testing, including unit tests and integration tests. We dig into Yang, RESTCONF, NETCONF and gNMI... Read more »TNO028: Move From Monitoring to Full Internet Stack Observability: New Strategies for NetOps (Sponsored)
Network monitoring, Internet monitoring, and observability are all key components of NetOps. We speak with sponsor Catchpoint to understand how Catchpoint can help network operators proactively identify and resolve issues before they impact customers. We discuss past and current network monitoring strategies and the challenges that operators face with both on-prem and cloud monitoring, along... Read more »TL013: The Process Communication Model: An Algorithm for Effective Communication
On this episode of Technically Leadership, we’re joined by Aleksandra Lemańska to learn about the Process Communication Model (PCM), a framework for enhancing communication. Alex calls PCM an algorithm for people, and it can be useful for improving interactions with engineers and technical folks operating in high-stress environments. We talk about how PCM works, understanding... Read more »First-party tags in seconds: Cloudflare integrates Google tag gateway for advertisers
If you’re a marketer, advertiser, or a business owner that runs your own website, there’s a good chance you’ve used Google tags in order to collect analytics or measure conversions. A Google tag is a single piece of code you can use across your entire website to send events to multiple destinations like Google Analytics and Google Ads.
Historically, the common way to deploy a Google tag meant serving the JavaScript payload directly from Google’s domain. This can work quite well, but can sometimes impact performance and accurate data measurement. That’s why Google developed a way to deploy a Google tag using your own first-party infrastructure using server-side tagging. However, this server-side tagging required deploying and maintaining a separate server, which comes with a cost and requires maintenance.
That’s why we’re excited to be Google’s launch partner and announce our direct integration of Google tag gateway for advertisers, providing many of the same performance and accuracy benefits of server-side tagging without the overhead of maintaining a separate server.
Any domain proxied through Cloudflare can now serve your Google tags directly from that domain. This allows you to get better measurement signals for your website and can enhance your Continue reading
N4N025: DHCP – Someone Get Me an Address!
The Dynamic Host Configuration Protocol (DHCP) assigns an IP address to a host that joins a network, along with other information necessary for the host to communicate. DHCP also has more to it, so this week’s episode is meant to be a solid introduction to this essential network protocol. We first discuss what it is... Read more »Forwarding Packets Across a Network
After inspecting the confusing bridging/routing/switching terminology and a brief detour into the control/data plane details, let’s talk about how packets actually move across a network.
As always, things were simpler when networks were implemented with a single cable. In that setup, all nodes were directly reachable, and the only challenge was figuring out the destination node’s address; it didn’t matter whether it was a MAC address, an IP address, or a Fiber Channel address. On a single cable, you could just broadcast, like, “Who has this service?” and someone would reply, “I’m the printer you’re looking for.” That’s how many early non-IP protocols operated.
Resilience in the RPKI
I would like to look at the ways in which the operators of the number Resource Public Key Infrastructure (RPKI) have deployed this infrastructure in a way that maximises its available and performance and hardens it against potential service interruptions, or in other words, an examination of the resilience of the RPKI infrastructure.NAN091: The Future of Autonomous Networking With Jeff Doyle
Today’s guest is Jeff Doyle, an expert in the networking industry with over 30 years of experience as a consultant, instructor, architect, author, and speaker. Eric chats with Jeff about his background and how he got into networking (spoiler: it was not a computer science degree!). The conversation explores Jeff’s current work and delves into... Read more »QUIC restarts, slow problems: udpgrm to the rescue
At Cloudflare, we do everything we can to avoid interruption to our services. We frequently deploy new versions of the code that delivers the services, so we need to be able to restart the server processes to upgrade them without missing a beat. In particular, performing graceful restarts (also known as "zero downtime") for UDP servers has proven to be surprisingly difficult.
We've previously written about graceful restarts in the context of TCP, which is much easier to handle. We didn't have a strong reason to deal with UDP until recently — when protocols like HTTP3/QUIC became critical. This blog post introduces udpgrm, a lightweight daemon that helps us to upgrade UDP servers without dropping a single packet.
Here's the udpgrm GitHub repo.
In the early days of the Internet, UDP was used for stateless request/response communication with protocols like DNS or NTP. Restarts of a server process are not a problem in that context, because it does not have to retain state across multiple requests. However, modern protocols like QUIC, WireGuard, and SIP, as well as online games, use stateful flows. So what happens to the state associated with a flow when a server process is Continue reading
Screen Scraping in 2025
Dr. Tony Przygienda left a very valid (off-topic) comment to my Breaking APIs or Data Models Is a Cardinal Sin blog post:
If, on the other hand, the customers would not camp for literally tens of years on regex scripts scraping screens, lots of stuff could progress much faster.
He’s right, particularly from Juniper’s perspective; they were the first vendor to use a data-driven approach to show commands. Unfortunately, we’re still not living in a perfect world: