June 29, 2022
Learn how to patch Linux security vulnerabilities without rebooting the hardware and how to tighten the security of your Linux operating system with eBPF Linux Security Module...
February 17, 2022
We are open sourcing the production tooling we’ve built for the sk_lookup hook we contributed to the Linux kernel, called tubular...
February 04, 2022
Chances are you might have heard of io_uring. It first appeared in Linux 5.1, back in 2019, and was advertised as the new API for asynchronous I/O. Its goal was to be an alternative to the deemed-to-be-broken-beyond-repair AIO, the “old” asynchronous I/O API...
February 02, 2022
Often programmers have assumptions that turn out, to their surprise, to be invalid. From my experience this happens a lot. Every API, technology or system can be abused beyond its limits and break in a miserable way...
September 10, 2021
Continue learning how to import and execute code from an object file. In this part we will handle external library dependencies....
March 18, 2021
Introducing our autonomous DDoS (Distributed Denial of Service) protection system, globally deployed to all of Cloudflare’s 200+ data centers, and is actively protecting all our customers against DDoS attacks across layers 3 to 7 (in the OSI model) without requiring any human int...
March 04, 2021
We have been dealing with conntrack, the connection tracking layer in the Linux kernel, for years. And yet, despite the collected know-how, questions about its inner workings occasionally come up. When they do, it is hard to resist the temptation to go digging for answers....
March 02, 2021
Ever wondered if it is possible to execute an object file without linking? Or use any object file as a library? Follow along to learn how to decompose an object file and import code from it along the way....
October 27, 2020
A few months ago, after reading about Cloudflare doubling its intern class, I quickly dusted off my CV and applied for an internship. Long story short: now, a couple of months later, I found myself staring at Linux kernel code and adding a pretty cool feature to gVisor....
September 18, 2020
SYN-cookies help mitigating SYN-floods for TCP, but how can we protect services from similar attacks that use UDP? We designed an algorithm and a library to fill this gap, and it’s open source!...
July 08, 2020
In this post we will review Linux seccomp and learn how to sandbox any (even a proprietary) application without writing a single line of code....
April 06, 2020
We were wondering - can we just enable Linux "conntrack"? How does it actually work? I volunteered to help the team understand the dark corners of the Linux's "conntrack" stateful firewall subsystem....
March 25, 2020
Encrypting data at rest is vital for Cloudflare with more than 200 data centres across the world. In this post, we will investigate the performance of disk encryption on Linux and explain how we made it at least two times faster for ourselves and our customers!...
March 19, 2020
You’d think keepalives would always be helpful, but turns out reality isn’t always what you expect it to be. It really helps if you read Why does one NGINX worker take all the load? first....
March 18, 2020
Back when Cloudflare was created, the dominant HTTP server used to power websites was Apache httpd. However, we decided to build our infrastructure using the then relatively new NGINX server....
October 12, 2019
We recently gave a presentation on Programming socket lookup with BPF at the Linux Plumbers Conference 2019 in Lisbon, Portugal....
July 18, 2019
Securing access to your APT repositories is critical. At Cloudflare, like in most organizations, we used a legacy VPN to lock down who could reach our internal software repositories. However, a network perimeter model lacks a number of features that we consider critical to a team...
July 10, 2019
For some time I’ve wanted to play with coverage-guided fuzzing. I decided to have a go at the Linux Kernel netlink machinery. It's a good target: it's an obscure part of kernel, and it's relatively easy to automatically craft valid messages....
May 30, 2019
Kali Linux turned six years old this year! In this time, Kali has established itself as the de-facto standard open source penetration testing platform....
