Introducing Programmable Flow Protection: custom DDoS mitigation logic for Magic Transit customers

We're proud to introduce Programmable Flow Protection: a system designed to let Magic Transit customers implement their own custom DDoS mitigation logic and deploy it across Cloudflare’s global network. This enables precise, stateful mitigation for custom and proprietary protocols built on UDP. It is engineered to provide the highest possible level of customization and flexibility to mitigate DDoS attacks of any scale. 

Programmable Flow Protection is currently in beta and available to all Magic Transit Enterprise customers for an additional cost.

Programmable Flow Protection is customizable

Our existing DDoS mitigation systems have been designed to understand and protect popular, well-known protocols from DDoS attacks. For example, our Advanced TCP Protection system uses specific known characteristics about the TCP protocol to issue challenges and establish a client’s legitimacy. Similarly, our Advanced DNS Protection builds a per-customer profile of DNS queries to mitigate DNS attacks. Our generic DDoS mitigation platform also understands common patterns across a variety of other well known protocols, including NTP, RDP, SIP, and many others.

However, custom or proprietary UDP protocols have always been a challenge for Cloudflare’s DDoS mitigation systems because our systems do not have the relevant protocol knowledge to make intelligent decisions to Continue reading

BGP Labs: Use Your Preferred Device for External Routers

TL&DR: With the recent changes to online BGP labs, you can also use Aruba CX, Cisco IOS, Cisco IOS XE, Cisco IOS XR, Dell OS10, Junos, or VyOS as external lab devices in most lab exercises (you could always use these devices for the routers you worked on). Previously, you could choose between Arista EOS and FRRouting, both of which are (obviously) still supported.

One of the goals of the Online BGP Labs project was to create an environment in which you could practice the BGP features you were interested in without spending an inordinate amount of time preparing the lab.

For example, if you want to figure out why BGP wedgies work the way they do, you need at least four additional autonomous systems, two of them acting as upstream ISPs for your customer router, and at least one of them implementing BGP policies using BGP communities.

Read more …

NB568: Arm Reaches for More AI Revenue with In-House CPU; Debating the FCC Router Ban

Take a Network Break! Mozilla is our Red Alert topic, with critical vulnerabilities in Firefox and Thunderbird. On the news front, we cover a string of security announcements from Palo Alto Networks, including a new certificate management service to help organizations keep up with shrinking cert lifetimes. Cisco announces new protections for AI agents and... Read more »

Tech Bytes: Build Your Automation Foundation on Infrahub’s Data Management Platform (Sponsored)

Today on the Tech Bytes podcast we talk network automation. More specifically, we dig into the need for proper data management to support your network automation initiatives. Automation relies on accurate, up-to-date information about your infrastructure, but that information can be scattered across innumerable repositories, systems, and spreadsheets. And it may, or may not, be... Read more »

Cloudflare Client-Side Security: smarter detection, now open to everyone

Client-side skimming attacks have a boring superpower: they can steal data without breaking anything. The page still loads. Checkout still completes. All it needs is just one malicious script tag.

If that sounds abstract, here are two recent examples of such skimming attacks:

  • In January 2026, Sansec reported a browser-side keylogger running on an employee merchandise store for a major U.S. bank, harvesting personal data, login credentials, and credit card information.

  • In September 2025, attackers published malicious releases of widely used npm packages. If those packages were bundled into front-end code, end users could be exposed to crypto-stealing in the browser.

To further our goal of building a better Internet, Cloudflare established a core tenet during our Birthday Week 2025: powerful security features should be accessible without requiring a sales engagement. In pursuit of this objective, we are announcing two key changes today:

First, Cloudflare Client-Side Security Advanced (formerly Page Shield add-on) is now available to self-serve customers. And second, domain-based threat intelligence is now complimentary for all customers on the free Client-Side Security bundle.

In this post, we’ll explain how this product works and highlight a new AI detection system designed to identify malicious JavaScript while Continue reading

Changing Interfaces Connected to netlab Links

Some netlab users want to accurately replicate their physical network’s topology in a virtual lab. Ignoring the obvious caveats for a moment, the first hiccup is usually the interface naming. All bets are off if you’re using anything but Ethernet in your actual network, but even if you did standardize on Ethernet, the container/VM interface names might not match the physical ones.

netlab provided a solution for a long time – you can specify interface ifindex when attaching a node to a link. For example, use the following topology to connect Ethernet3 on R1 to Ethernet6 on R2:

Read more …

Worth Reading 032826


This document provides DNS deployment guidelines to secure the DNS protocol and infrastructure, mitigate misuse or misconfiguration, and provide an additional layer of network security as part of a zero trust and/or defense-in-depth security risk management approach.

 


However, eBPF has not seen similarly widespread adoption in other types of networked applications, such as web servers and databases. In this blog post, we argue that this gap stems from limitations in the current eBPF architecture — specifically, the kernel runtime, APIs, and compiler toolchain.

 


Time and again, I see people begging for companies with deep pockets to fund open source projects. I mean, after all, they’ve made billions from this code. You’d think they could support the code’s creators and maintainers. It would be only fair, right?

 


The weird, rare, surprising patterns that make data rich slowly get smoothed out when an AI model trains on outputs from a previous model.

 


In the previous note, the claim was not that the registry layer merely imposes visible fees or administrative inconvenience. The claim was more precise. The first extraction occurs when a scarce, transferable, revenue-enabling resource is kept institutionally discounted through non-asset rhetoric, conditional recognition, and friction around Continue reading

The Last Time

It's fading from our collective memory, but almost thirty years ago the global IT industry was gripped by Y2K fever. Another version of the counter rollover problem is coming back in 2036, 2038 and 2040. Hopefully we will avoid a large amount of hysteria this time around!

HN820: Cyber Week 2026 Wrap Up with Palo Alto Networks: Agents, Prisma AIRS and NGTS (Sponsored)

Palo Alto Networks released a slew of product news at the 2026 RSA conference around AI security, SASE, and a new certificate lifecycle management offering. On today’s Heavy Networking, sponsored by Palo Alto Networks, Ethan and Drew dig into these announcements to get details about how they work. They also talk about the risks of... Read more »

How we use Abstract Syntax Trees (ASTs) to turn Workflows code into visual diagrams

Cloudflare Workflows is a durable execution engine that lets you chain steps, retry on failure, and persist state across long-running processes. Developers use Workflows to power background agents, manage data pipelines, build human-in-the-loop approval systems, and more.

Last month, we announced that every workflow deployed to Cloudflare now has a complete visual diagram in the dashboard.

We built this because being able to visualize your applications is more important now than ever before. Coding agents are writing code that you may or may not be reading. However, the shape of what gets built still matters: how the steps connect, where they branch, and what's actually happening.

If you've seen diagrams from visual workflow builders before, those are usually working from something declarative: JSON configs, YAML, drag-and-drop. However, Cloudflare Workflows are just code. They can include Promises, Promise.all, loops, conditionals, and/or be nested in functions or classes. This dynamic execution model makes rendering a diagram a bit more complicated.

We use Abstract Syntax Trees (ASTs) to statically derive the graph, tracking Promise and await relationships to understand what runs in parallel, what blocks, and how the pieces connect. 

Keep reading to learn how we built these diagrams, or deploy Continue reading

A one-line Kubernetes fix that saved 600 hours a year

Every time we restarted Atlantis, the tool we use to plan and apply Terraform changes, we’d be stuck for 30 minutes waiting for it to come back up. No plans, no applies, no infrastructure changes for any repository managed by Atlantis. With roughly 100 restarts a month for credential rotations and unboarding, that added up to over 50 hours of blocked engineering time every month, and paged the on-call engineer every time.

This was ultimately caused by a safe default in Kubernetes that had silently become a bottleneck as the persistent volume used by Atlantis grew to millions of files. Here’s how we tracked it down and fixed it with a one-line change.

Mysteriously slow restarts

We manage dozens of Terraform projects with GitLab merge requests (MRs) using Atlantis, which handles planning and applying. It enforces locking to ensure that only one MR can modify a project at a time. 

It runs on Kubernetes as a singleton StatefulSet and relies on a Kubernetes PersistentVolume (PV) to keep track of repository state on disk. Whenever a Terraform project needs to be onboarded or offboarded, or credentials used by Terraform are updated, we have to restart Atlantis to pick Continue reading

Worth Reading: Securing NTP and the Origins of Time

Geoff Huston published an article supposedly describing the challenge of securing NTP, but as is usually the case, he couldn’t skip the prior art going all the way back (almost) to the formation of Earth.

Before coming to the how do we secure NTP section, you’ll learn everything about the wobbly Earth rotation, the changes in the Earth’s angular speed, the impact of tides, the smearing of leap seconds, the differences between UT1 and UTC, why we use quasars to measure time, and everything there is to know about NTP. Have fun!

TCG072: AI and the Automation Engineer – When Your Scripts Start Writing Themselves

William Collins and Eyvonne Sharp invite Skylar Sands, Senior Automation Engineer at World Wide Technology, to discuss what it means to integrate AI into the daily workflow in a meaningful way. Together they break down the shift in the automation engineer’s role now that AI can instantly generate the “toolkit” of Python, Ansible, and Bash,... Read more »
1 2 3 4 5 3,860