MORE POSTS
July 01, 2022 1:00 PM
Optimizing TCP for high WAN throughput while preserving low latency
In this post, we describe how we modified the Linux kernel to optimize for both low latency and high throughput concurrently...
March 19, 2022 5:01 PM
A Primer on Proxies
A technical dive into traditional TCP proxying over HTTP...
March 18, 2022 1:00 PM
Zero Trust client sessions
Starting today, you can build Zero Trust rules that require periodic authentication to control network access...
February 02, 2022 9:53 AM
How to stop running out of ephemeral ports and start to love long-lived connections
Often programmers have assumptions that turn out, to their surprise, to be invalid. From my experience this happens a lot. Every API, technology or system can be abused beyond its limits and break in a miserable way...
November 23, 2021 1:58 PM
Announcing Argo for Spectrum
Announcing general availability of Argo for Spectrum, a way to turbo-charge any TCP-based application....
July 14, 2020 11:00 AM
flowtrackd: DDoS Protection with Unidirectional TCP Flow Tracking
flowtrackd is a software-defined DDoS protection system that significantly improves our ability to automatically detect and mitigate even the most complex TCP-based DDoS attacks. If you are a Magic Transit customer, this feature will be enabled by default at no additional cost on...
April 06, 2020 11:00 AM
Conntrack tales - one thousand and one flows
We were wondering - can we just enable Linux "conntrack"? How does it actually work? I volunteered to help the team understand the dark corners of the Linux "conntrack" stateful firewall subsystem....
January 14, 2020 4:07 PM
A cost-effective and extensible testbed for transport protocol development
At Cloudflare, we develop protocols at multiple layers of the network stack. In the past, we focused on HTTP/1.1, HTTP/2, and TLS 1.3. Now, we are working on QUIC and HTTP/3, which are still in IETF draft, but gaining a lot of interest....
January 08, 2020 5:08 PM
Accelerating UDP packet transmission for QUIC
Significant work has gone into optimizing TCP, but UDP hasn't received as much attention, putting QUIC at a disadvantage. Let's explore a few tricks that help mitigate this....
September 20, 2019 3:53 PM
When TCP sockets refuse to die
We noticed something weird - the TCP sockets which we thought should have been closed - were lingering around. We realized we don't really understand when TCP sockets are supposed to time out!
We naively thought enabling TCP keepalives would be enough... but it isn't!...
August 13, 2019 1:00 PM
Magic Transit: Network functions at Cloudflare scale
Today we announced Cloudflare Magic Transit, which makes Cloudflare’s network available to any IP traffic on the Internet. Up until now, Cloudflare has primarily operated proxy services: our servers terminate HTTP, TCP, and UDP sessions...
May 18, 2019 3:00 PM
Cloudflare architecture and how BPF eats the world
Recently at I gave a short talk titled "Linux at Cloudflare". The talk ended up being mostly about BPF. It seems, no matter the question - BPF is the answer.
Here is a transcript of a slightly adjusted version of that talk....
March 20, 2019 3:01 PM
Spectrum for UDP: DDoS protection and firewalling for unreliable protocols
Today, we're announcing Spectrum for UDP. Spectrum for UDP works the same as Spectrum for TCP: Spectrum sits between your clients and your origin. Incoming connections are proxied through, whilst applying our DDoS protection and IP Firewall rules. ...
February 18, 2019 1:13 PM
SOCKMAP - TCP splicing of the future
Proper TCP socket splicing reduces the load on userspace processes and enables more efficient data forwarding. We realized that Linux Kernel's SOCKMAP infrastructure can be reused for this purpose....
November 29, 2018 9:54 AM
Know your SCM_RIGHTS
As TLS 1.3 was ratified earlier this year, I was recollecting how we got started with it here at Cloudflare. We made the decision to be early adopters of TLS 1.3 a little over two years ago. It was a very important decision, and we took it very seriously....