A Deep Dive Into DNS Packet Sizes: Why Smaller Packet Sizes Keep The Internet Safe

Published on by Dani Grant.

CC BY 2.0 image by Robert Couse-Baker

Yesterday we wrote about the 400 gigabit per second attacks we see on our network. One way that attackers DDoS websites is by repeatedly doing DNS lookups that have small queries but large answers. The attackers spoof their IP address so that the DNS answers are sent to the server they are attacking; this is called a reflection attack. Domains…

400Gbps: Winter of Whopping Weekend DDoS Attacks

Published on by Marek Majkowski.

Over the last month, we’ve been watching some of the largest distributed denial of service (DDoS) attacks ever seen unfold. As CloudFlare has grown, we've brought online systems capable of absorbing and accurately measuring attacks. Since we don't need to resort to crude techniques to block traffic, we can measure and filter attacks with accuracy. Our systems sort bad packets from good, keep websites online and…

Staying afloat: the DROWN Attack and CloudFlare

Published on by John Graham-Cumming.

CloudFlare customers are automatically protected against the recently disclosed DROWN Attack. We do not have SSLv2 enabled on our servers. We publish our SSL configuration here so that others can use it. We currently accept TLS 1.0, 1.1 and 1.2. We are proactively testing our customers' origin web servers to detect vulnerable servers and will be reaching out to any that have a server that…

A tale of a DNS exploit: CVE-2015-7547

Published on by Marek Vavruša.

This post was written by Marek Vavruša and Jaime Cochran, who found out they were both independently working on the same glibc vulnerability attack vectors at 3am last Tuesday. A buffer overflow error in GNU libc DNS stub resolver code was announced last week as CVE-2015-7547. While it doesn't have any nickname yet (last year's Ghost was more catchy), it is potentially disastrous as it affects any platform…

Introducing CloudFlare Registrar: Designed for Security, Not the Masses

Published on by Matthew Prince.

At CloudFlare, we’ve constructed one of the world’s largest networks purpose-built to protect our customers from a wide range of attacks. We’re so good at it that attackers increasingly look for ways to go around us, rather than go through us. One of the biggest risks for high-profile customers has been having their domain stolen at the registrar. In 2013, we became intimately familiar with…