MORE POSTS
March 18, 2020 12:00 PM
The problem with thread^W event loops
Back when Cloudflare was created, over 10 years ago now, the dominant HTTP server used to power websites was Apache httpd. However, we decided to build our infrastructure using the then relatively new NGINX server....
October 12, 2019 1:00 PM
It's crowded in here
We recently gave a presentation on Programming socket lookup with BPF at the Linux Plumbers Conference 2019 in Lisbon, Portugal. This blog post is a recap of the problem statement and proposed solution we presented....
July 18, 2019 2:12 PM
A Tale of Two (APT) Transports
Securing access to your APT repositories is critical. At Cloudflare, like in most organizations, we used a legacy VPN to lock down who could reach our internal software repositories. However, a network perimeter model lacks a number of features that we consider critical to a team...
July 10, 2019 1:07 PM
A gentle introduction to Linux Kernel fuzzing
For some time I’ve wanted to play with coverage-guided fuzzing. I decided to have a go at the Linux Kernel netlink machinery. It's a good target: it's an obscure part of the kernel, and it's relatively easy to automatically craft valid messages....
May 30, 2019 1:00 PM
Cloudflare Repositories FTW
Kali Linux turned six years old this year!
In this time, Kali has established itself as the de-facto standard open source penetration testing platform....
May 18, 2019 3:00 PM
Cloudflare architecture and how BPF eats the world
Recently at I gave a short talk titled "Linux at Cloudflare". The talk ended up being mostly about BPF. It seems, no matter the question - BPF is the answer.
Here is a transcript of a slightly adjusted version of that talk....
May 03, 2019 1:00 PM
eBPF can't count?!
It is unlikely we can tell you anything new about the extended Berkeley Packet Filter, eBPF for short, if you've read all the great man pages, docs, guides, and some of our blogs out there. But we can tell you a war story, who doesn't like those? ...
April 24, 2019 6:21 PM
xdpcap: XDP Packet Capture
Our servers process a lot of network packets, be it legitimate traffic or large denial of service attacks. To do so efficiently, we’ve embraced eXpress Data Path (XDP), a Linux kernel technology that provides a high performance mechanism for low level packet processing....
January 04, 2019 11:02 AM
io_submit: The epoll alternative you've never heard about
The Linux AIO is designed for, well, Asynchronous disk IO! Disk files are not the same thing as network sockets! Is it even possible to use the Linux AIO API with network sockets in the first place?
The answer turns out to be a strong YES!
...
November 29, 2018 9:54 AM
Know your SCM_RIGHTS
As TLS 1.3 was ratified earlier this year, I was recollecting how we got started with it here at Cloudflare. We made the decision to be early adopters of TLS 1.3 a little over two years ago. It was a very important decision, and we took it very seriously....
August 24, 2018 3:11 PM
Introducing ebpf_exporter
Here at Cloudflare we use Prometheus to collect operational metrics. We run it on hundreds of servers and ingest millions of metrics per second to get insight into our network and provide the best possible service to our customers....
May 13, 2018 4:00 PM
Tracing System CPU on Debian Stretch
How an innocent OS upgrade triggered a cascade of issues and forced us into tracing Linux networking internals....
April 17, 2018 10:11 PM
mmproxy - Creative Linux routing to preserve client IP addresses in L7 proxies
In a previous blog post we discussed how we use the TPROXY iptables module to power Cloudflare Spectrum. With TPROXY we solved a major technical issue on the server side, and we thought we might find another use for it on the client side of our product....
April 12, 2018 1:00 PM
Abusing Linux's firewall: the hack that allowed us to build Spectrum
Introducing Spectrum: a new Cloudflare feature that brings DDoS protection, load balancing, and content acceleration to any TCP-based protocol. Today we are releasing Spectrum. ...