Get better visibility for the WAF with payload logging
As the surface area for attacks on the web increases, Cloudflare’s Web Application Firewall (WAF) provides a myriad of solutions to mitigate these attacks. This is great for our customers, but the cardinality in the workloads of the millions of requests we service means that generating false positives is inevitable. This means that the default configuration we have for our customers has to be fine-tuned.
Fine-tuning isn’t an opaque process: customers have to get some data points and then decide what works for them. This post explains the technologies we offer to enable customers to see why the WAF takes certain actions — and the improvements that have been made to reduce noise and increase signal.
Cloudflare’s WAF protects origin servers from different kinds of layer 7 attacks, which are attacks that target the application layer. Protection is provided with various tools like:
Managed rules, which security analysts at Cloudflare write to address common vulnerabilities and exposures (CVE), OWASP security risks, and vulnerabilities like Log4Shell.
Custom rules, where customers can write rules with the expressive Rules language.
Rate limiting rules, malicious uploads detection Continue reading
IOS/XR Route Redistribution Configuration Mess
One would hope that the developers of a network operating system wouldn’t feel the irresistible urge to reinvent what should have been a common configuration feature for every routing protocol. Alas, the IOS/XR developers failed to get that memo.
I decided to implement route redistribution (known as route import in netlab) for OSPFv2/OSPFv3, IS-IS, and BGP on IOS/XR (Cisco 8000v running IOS/XR release 24.4.1) and found that each routing protocol uses a different syntax for the source routing protocol part of the redistribute command.
Hedge 289: Containerlab
If you are struggling with building labs on lighter weight systems–or if you’re just interested in what Containerlab is and does–join Rick, Roman, and Russ for this discussion of what Containerlab is, what it does, and where its going.
TNO050: Resiliency and Transparency with Andy Lapteff
Today Scott interviews Andy Lapteff. He opens up about his non-linear career path, starting from a working class background and his physical jobs in telecom to becoming a senior product marketing manager and podcaster. Join us as Andy shares candid stories of how he developed his resilience and the heartwarming origin story for the Art... Read more »HN806: Let’s Get NUTS!
Unit testing is a software development practice for checking that an individual component of code works before integrating that unit with other components in a larger program. A new open source project called Network Unit Testing System, or NUTS, brings the same concept to network automation. The big idea is that by incorporating unit tests into... Read more »Public Videos: Bridging with EVPN
The EVPN in the Data Center and Bridging with EVPN parts of the EVPN webinar, featuring Dinesh Dutt, are now available without a valid ipSpace.net account. Enjoy!
IPB188: IPv6 Adoption for an Entire Country
What does it take for an entire country to adopt IPv6? Our guest today is Tenanoia (Noia) Simona, CEO of Tuvalu Telecommunications Corporation, the country’s sole telecommunications provider. She’s here to walk us through the difficulties of connecting the many islands of Tuvalu and their journey to achieving one of the world’s highest IPv6 adoption... Read more »N4N043: Redundancy vs. High Availability Part 1
In today’s chat, Holly and Ethan consider a question from listener Douglas who asks, “How do you approach designing a network for high availability and redundancy?” They start by defining differences between redundancy and high availability, and talk about Holly’s experience with her own customers. Then they share examples of how to achieve redundancy in... Read more »Building VXLAN/EVPN Data Center Lab with netlab
Dmitry Klepcha published an excellent document describing how you can use netlab to build a series of data center fabric labs, starting from a simple IP network (without routing) and finishing with a complex EVPN/VXLAN network using symmetric IRB and MLAG toward hosts.
But wait, there’s more: all the lab topologies he used in his exercises are available on GitHub, which means that you could just clone the repo and start using them (I also “borrowed” some of his ideas as future netlab improvements).
Finally, thanks a million to Roman Pomazanov for bringing Dmitry’s work to my attention (and for the quote at the end of his post ;).
D2DO287: Leveling Up in Data Science
Ever wonder what it takes to level up your career in data science? Senior Data Scientist Darya Petrashka joins Ned and Kyler to share her personal journey from management and linguistics into data science, the real difference between a junior and a senior role, and helps us get under the “data science umbrella” to see... Read more »Interesting: an MCP Agent for Link-State Routing Protocols
Vadim Semenov created a nice demo that allows you to use an LLM to query the collected link-state graphs through an MCP agent (SuzieQ would probably be faster and easier to deploy, but hey, AI).
If you want to kick the tires, you’ll find the source code on GitHub (Network AI assistant, MCP server for Topolograph service). You’ll also need Vadim’s previous projects: Topolograph and OSPF watcher or IS-IS watcher.
HW065: Using Orb to Monitor the Quality of Your Internet Connections
With the help of Josh Hardy, Co-Founder and CTO of Orb, we introduce Orb. Orb is a suite app for OS, Android, macOS, Windows, Linux that is a new way to look at your internet connectivity. Josh gives us a little background on why and how Orb was created, He then goes into more detail... Read more »PP087: Why SBOMs Are Cooler and More Useful Than You Think
Just what’s inside that commercial software you bought? Does it contain open-source components, NPM packages, or other third-party code? How could you find out? The answer is a Software Bill of Materials, or SBOM, a machine-readable inventory of a finished piece of software. Why should you care about SBOMs? Our guest, Natalie Somersall, is here... Read more »HS117: Environmental, Social and Governance Initiatives: What That Means for Your Organization (Sponsored)
Environmental, Social, Governance (ESG) initiatives aren’t just “the right thing to do”, they can also save companies real dollars, particularly if they’re investing in data centers and other infrastructure. Join Jonathan Ciccio, Continuous Improvement Manager for The Siemon Company, as we discuss The Siemon Company’s ESG initiatives. The Siemon Company has been in business for... Read more »
Multi-Pod EVPN Troubleshooting: Fixing Next Hops
Last month, I wrote about the specifics of troubleshooting multi-pod EVPN designs. Today, I’d like to start a journey through an example in which (channeling my inner CCIE preparation lab instructor) I broke as many things as I could think of.
Here’s the lab topology we’ll use (and as usual, the corresponding netlab topology file and device configurations are on GitHub). Our network has two sites (pods), each with a spine switch, a leaf switch, and a host attached to the leaf switch. The inter-pod link is connected to the spine switches to minimize the number of devices.
Cloudflare outage on November 18, 2025
On 18 November 2025 at 11:20 UTC (all times in this blog are UTC), Cloudflare's network began experiencing significant failures to deliver core network traffic. This showed up to Internet users trying to access our customers' sites as an error page indicating a failure within Cloudflare's network.
The issue was not caused, directly or indirectly, by a cyber attack or malicious activity of any kind. Instead, it was triggered by a change to one of our database systems' permissions which caused the database to output multiple entries into a “feature file” used by our Bot Management system. That feature file, in turn, doubled in size. The larger-than-expected feature file was then propagated to all the machines that make up our network.
The software running on these machines to route traffic across our network reads this feature file to keep our Bot Management system up to date with ever changing threats. The software had a limit on the size of the feature file that was below its doubled size. That caused the software to fail.
After we initially wrongly suspected the symptoms we were seeing were caused by a hyper-scale DDoS attack, we correctly identified the core issue and were able Continue reading