On June 20, Cloudflare automatically mitigated a highly volumetric DDoS attack that peaked above 754 million packets per second. The attack was part of an organized four day campaign starting on June 18 and ending on June 21.
We noticed something weird - the TCP sockets which we thought should have been closed - were lingering around. We realized we don't really understand when TCP sockets are supposed to time out!
We naively thought enabling TCP keepalives would be enough... but it isn't!
Here at Cloudflare, we have a lot of experience of operating servers on the wild Internet. But we are always improving our mastery of this black art. On this very blog we have touched on multiple dark corners of the Internet protocols: like understanding FIN-WAIT-2 or receive buffer tuning.
At CloudFlare, we're always looking for ways to eliminate bottlenecks. We're only able to deal with the very large amount of traffic that we handle because we've built a network that can efficiently handle an extremely high volume of network requests.