January 19, 2018
In April, we wrote about Web Cache Deception attacks, and how our customers can avoid them using origin configuration. Since our previous blog post, we have looked for but have not seen any large scale attacks like this in the wild....
January 18, 2018
Processor problems have been in the news lately, due to the Meltdown and Spectre vulnerabilities. But generally, engineers writing software assume that computer hardware operates in a reliable, well-understood fashion, and that any problems lie on the software side of the software-hardware divide....
January 08, 2018
Last week the news of two significant computer bugs was announced. They've been dubbed Meltdown and Spectre and they take advantage of very technical systems that modern CPUs have implemented to make computers extremely fast. ...
December 22, 2017
During 2017 Cloudflare published 172 blog posts (including this one). If you need a distraction from the holiday festivities at this time of year here are some highlights from the year....
December 14, 2017
This post offers a retrospective on Mirai, the infamous IoT botnet that disrupted major websites with massive DDoS attacks, leveraging hundreds of thousands of compromised Internet-of-Things devices....
August 28, 2017
On August 17th, 2017, multiple Content Delivery Networks (CDNs) and content providers were subject to significant attacks from a botnet dubbed WireX. ...
February 01, 2017
Today a severe vulnerability was announced by the WordPress Security Team that allows unauthenticated users to change content on a site using unpatched (below version 4.7.2) WordPress....
July 18, 2016
We have rolled out automatic protection for all customers for the the newly announced vulnerability called httpoxy....
June 21, 2016
We would like to share more details with our customers and readers on the internet outages that occurred this morning and earlier in the week, and what we are doing to prevent these from happening again....
May 09, 2016
Last week multiple vulnerabilities were made public in the popular image manipulation software, ImageMagick. These were quickly named ImageTragick. ...
May 04, 2016
Yesterday a new vulnerability has been announced in OpenSSL/LibreSSL. A padding oracle in CBC mode decryption, to be precise. Just like Lucky13. Actually, it’s in the code that fixes Lucky13....
March 01, 2016
CloudFlare customers are automatically protected against the recently disclosed DROWN Attack. We do not have SSLv2 enabled on our servers....
February 29, 2016
A buffer overflow error in GNU libc DNS stub resolver code was announced last week as CVE-2015-7547. While it doesn't have any nickname yet (last year's Ghost was more catchy), it is potentially disastrous....
February 11, 2016
Several months ago we started hearing occasional reports from .NET developers that they were having trouble maintaining HTTPS sessions with one of our customer’s websites. ...
December 17, 2015
At CloudFlare, we spend a lot of time talking about the PoPs (Points of Presence) we have around the globe, however, on December 14th, another kind of POP came to the world: a vulnerability being exploited in the wild against Joomla’s Content Management System....
August 04, 2015
Last week ISC published a patch for a critical remotely exploitable vulnerability in the BIND9 DNS server capable of causing a crash with a single packet. ...
May 20, 2015
Yesterday, a group from INRIA, Microsoft Research, Johns Hopkins, the University of Michigan, and the University of Pennsylvania published a deep analysis of the Diffie-Hellman algorithm as used in TLS and other protocols. ...
April 25, 2015
Today the Magento Security Team created a new ModSecurity rule and added it to our WAF rules to mitigate an important RCE (remote code execution) vulnerability in the Magento web e-commerce platform....
April 15, 2015
A few hours ago, more details surfaced about the MS15-034 vulnerability. Simple PoC code has been widely published that will hang a Windows web server if sent a request with an HTTP Range header containing large byte offsets....
