
CloudFlare Route leak - anon1385
https://www.cloudflarestatus.com/incidents/3zcnm4rnl0vv
======
jgrahamc
This is over. The organization that was leaking CloudFlare routes had been
contacted and they have stopped.

If you are interested in knowing about route leaks affecting different
companies I recommend:
[https://twitter.com/bgpmon](https://twitter.com/bgpmon)

------
atldev
Anyone else experiencing issues with CF more frequently lately? We appreciate
the service provided, but we're averaging about 1 customer-impacting issue per
week over the last few months. And we are considering alternatives. Today's
incident was particularly bad, and you'd have no idea that NA was impacted
from the status page.

~~~
manigandham
No issues with over a year of running > 1B reqs/month.

Route leaks aren't really something they can defend against anymore than other
ISPs until we get a better system in place.

------
Supersam654
This affected way more than Doha. Half of our US requests got dropped for 45
minutes while this was getting resolved.

~~~
cenal
I'm in Chicago and was impacted.

------
TazeTSchnitzel
What is a route leak? DuckDuckGoing was unhelpful.

~~~
jgrahamc
We wrote about this in the past when Google went down:
[https://blog.cloudflare.com/why-google-went-offline-today-
an...](https://blog.cloudflare.com/why-google-went-offline-today-and-a-bit-
about/)

~~~
davidbarker
That was an interesting read. Perhaps I'm misunderstanding, but doesn't this
mean a rogue ISP could take down a large chunk of the internet if they wanted
to? If Moratel hadn't fixed the issue at their end, would Google have stayed
down indefinitely?

~~~
jgrahamc
No, because if the offender didn't stop misbehaving they'd find themselves
disconnected from the Internet completely.

~~~
larrys
"disconnected from the Internet completely".

Perhaps a blog post on exactly how that is done. And after what particular
time would that happen and is that something that needs to be coordinated or??

~~~
lightbritefight
If there is a rogue actor on the internet, even at a large scale, the rest of
the Internet blackholes their traffic, and treats them as a failure point.
Various routing tables are updated across the internet to not consider them a
viable destination or source, and traffic normalizes without them connected.

It isn't the action of one central authority, more a natural response to
failure by separate parts of the internet.Its akin to shoppers and suppliers
refusing to go to a particular store anymore. No one shuts the store down, but
it no longer has products or customers.

------
ers35
Here is a traceroute from multiple locations during the incident:
[https://pulse.turbobytes.com/results/56129a5becbe400bf8001c9...](https://pulse.turbobytes.com/results/56129a5becbe400bf8001c9f/)
[https://archive.is/bsq2y](https://archive.is/bsq2y)

Note the 10 references to qatar.net.qa. Hacker News uses CloudFlare so a
traceroute from my current location was going to qatar.net.qa as well.

------
xpose2000
I still have Cloudflare disabled.... is everyone sure it's safe to re-enable
it?

~~~
chadscira
Looks like it to me [https://img42.com/g8maM+](https://img42.com/g8maM+)

------
chadscira
It was quite a big hit, look at my activity graph
[https://img42.com/g8maM+](https://img42.com/g8maM+) . Other than this
instance CF has been rock solid though.

------
crisopolis
I wondered why all my routes were going to Level 3 London, then to Qatar...
from Tampa, FL for sites using CloudFlare and then dying.

------
allencoin
Perhaps explains why I was having trouble with Feedly today. Past tweets from
them[1] indicate that they use CloudFlare.

[1]
[https://twitter.com/feedly/status/480809578368487425](https://twitter.com/feedly/status/480809578368487425)

------
arvinds
Fundamental flaw in how services like Cloudflare are architected is that they
propagate route leaks from obscure places all over the world.

~~~
toomuchtodo
Fundamental flaw in how BGP was designed from the old days. Give me a transit
or peering connection where filters aren't in place, and you can announce
anyone's IP blocks with their AS (SS7 is very similar, as it was built for a
closed telcom ecosystem where all participants were trusted:
[https://www.youtube.com/watch?v=lQ0I5tl0YLY](https://www.youtube.com/watch?v=lQ0I5tl0YLY)).

There are efforts to move to a more secure version of BGP, but that'll be done
around the same time the transition to IPv6 is complete.

------
andrebrov
Fine now

