NEWS: 500 terabits per second. Cloudflare pushes its network capacity to a historic record

pinkman

Cloudflare explained how the capacity reserve helps it repel attacks without engineers intervening, and how it steers traffic around the world.
The Internet has long been used to seeing Cloudflare as background infrastructure that simply "holds up" sites and absorbs attacks. Now the company has a new benchmark of scale: Cloudflare has exceeded 500 Tbps of external network capacity. This is not peak traffic but the total capacity of all external connections: transit providers, peering partners, Internet exchange points and the company's own backbone links across its global network.

For comparison, on a normal day the real peak load uses only a fraction of that volume. Cloudflare openly calls the rest a reserve for absorbing DDoS attacks. Behind the dry figure lies a sixteen-year path. In 2010 the company worked out of a small office above a nail salon in Palo Alto, bought transit from a single operator and offered a simple reverse proxy that a site owner could enable by switching two nameservers.

Then came slow but stubborn growth from city to city: Chicago, Ashburn, San Jose, Amsterdam, Tokyo. Each new node meant negotiating with facilities, running fiber, installing racks of servers and connecting to Internet exchange points. Behind the talk of "the cloud" was rather mundane work in specific server rooms, among cables, ports and contracts. Launches did not always go to plan: Cloudflare recalls equipment shortages, customs problems and some far more exotic situations. In 2018 the company opened a presence in 31 cities in 24 days; the network then reached 127 data centers and protected 7 million Internet properties. Today the infrastructure operates in more than 330 cities and, according to the company, serves more than 20% of the entire Internet.

Geographic growth gradually turned the network from a site-acceleration tool into a full security and corporate-connectivity layer. Customers asked not only for caching but also for secure employee access, replacement of legacy MPLS circuits and protection of internal networks. Instead of classic hardware appliances, Cloudflare began building a system that establishes secure tunnels to private subnets and announces customers' own IP address space via BGP directly through the company's global network.

The attacks grew in parallel. In 2025 Cloudflare repelled a 31.4 Tbps DDoS attack that lasted 35 seconds. Its source was the Aisuru-Kimwolf botnet, which included, among other things, infected Android TV devices. That day the company's network blocked more than five thousand attacks, and no engineer had to intervene manually. Ten years ago an attack of that force would have required state-level resources merely to attempt to withstand it. Now the protective logic runs directly on every server and makes decisions without human intervention.

The protection scheme looks like this. Packets arrive at the network card and immediately enter a chain of XDP programs that run in the driver. One of the first to run is l4drop. This module checks packets against filtering rules expressed in eBPF. The rules are produced by dosd, a service that runs on every server, watches incoming traffic, gathers data on "heavy" sources and shares that picture with neighboring servers in the same data center. As a result, the whole site sees the same view of the attack and reaches the same blocking decisions. Once dosd recognizes a malicious pattern, the rule is applied locally and propagated almost immediately across the entire network through Quicksilver, the distributed key-value store. After this initial filtering, traffic reaches the Unimog load balancer, and for Magic Transit customers flowtrack performs an additional TCP connection-state check. The core idea of the design is simple: malicious packets are dropped before they consume any application compute.
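To make that division of labor concrete, here is an added toy model in Python. It is not Cloudflare's code, and the bucket key, the threshold and the sample traffic are constructed for illustration. Each server counts its own traffic, the counters are merged into a site-wide view, every server derives the identical rule set from that view, and an l4drop-style stage then drops matching packets. It also shows why the exchange between servers matters: a flood spread evenly over the site stays below the threshold on any single server.

```python
"""Toy model of a site-wide DDoS drop pipeline (added example, not Cloudflare code).

Each server counts its own packets per (source /24, protocol, destination
port) bucket, the counters are merged into one site-wide view, and every
server derives the same drop rules from that view. Rules are then applied
per packet, in the spirit of an XDP/l4drop stage that runs before the rest
of the stack. Bucket key, threshold and sample traffic are constructed.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    proto: str  # "udp" or "tcp"


def bucket_key(pkt):
    """Aggregate per source /24 so a flood spread over one network
    (or spoofed within it) lands in a single bucket."""
    net = ipaddress.ip_network(f"{pkt.src}/24", strict=False)
    return (str(net), pkt.proto, pkt.dst_port)


class Server:
    """One machine in the site; it only sees the packets ECMP hands it."""

    def __init__(self, name):
        self.name = name
        self.local = Counter()

    def observe(self, packets):
        for p in packets:
            self.local[bucket_key(p)] += 1
        return self.local


def merge_site_view(servers):
    """Gossip step: all servers contribute their counters and each one
    ends up holding the same merged picture of the site."""
    merged = Counter()
    for s in servers:
        merged.update(s.local)
    return merged


def derive_rules(view, threshold_pps, window_s):
    """Any bucket whose rate over the window exceeds the threshold becomes a
    drop rule. The function is deterministic, so servers holding the same
    view agree on the rule set without further coordination."""
    return {key for key, count in view.items() if count / window_s > threshold_pps}


def l4drop(pkt, rules):
    """Early-path filter: "DROP" or "PASS" for a single packet."""
    return "DROP" if bucket_key(pkt) in rules else "PASS"


def run_pipeline(per_server_traffic, threshold_pps, window_s):
    """Full cycle: observe -> merge -> derive rules -> filter.
    Returns the rule set and a Counter of verdicts over all packets."""
    servers = [Server(f"srv{i}") for i in range(len(per_server_traffic))]
    for srv, traffic in zip(servers, per_server_traffic):
        srv.observe(traffic)
    rules = derive_rules(merge_site_view(servers), threshold_pps, window_s)
    verdicts = Counter(l4drop(p, rules) for traffic in per_server_traffic for p in traffic)
    return rules, verdicts


def demo_traffic():
    """Constructed sample: a 600-packet UDP flood to port 53 from
    203.0.113.0/24, spread evenly over three servers, plus a little
    benign HTTPS traffic on each."""
    flood = [Packet(f"203.0.113.{i % 256}", 53, "udp") for i in range(600)]
    benign = [Packet("198.51.100.7", 443, "tcp")] * 20
    return [flood[0:200] + benign, flood[200:400] + benign, flood[400:600] + benign]


if __name__ == "__main__":
    rules, verdicts = run_pipeline(demo_traffic(), threshold_pps=300, window_s=1.0)
    print(rules)     # {('203.0.113.0/24', 'udp', 53)}
    print(verdicts)  # Counter({'DROP': 600, 'PASS': 60})
```

With a 300 pps threshold over a one-second window, each server alone sees 200 pps from the flood and would derive no rule; only the merged view crosses the line, which is the point of sharing the picture across the site before anything is blocked.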

This architecture helped Cloudflare build not only protection but also a platform for running customer code at the network edge. Since the company had already learned to execute programs on every server to filter attacks, the next step was Workers, followed by KV and Durable Objects. In 2025 Workers gained container support so that heavier workloads can also run at the edge. The company is betting that applications should run close to the user, on the same machines that can simultaneously discard junk traffic at line rate.

A separate direction concerns routing. Cloudflare has long promoted IPv6 and the Resource Public Key Infrastructure for routing, RPKI. The mechanism filters out incorrect routes and reduces the risk of traffic being hijacked through erroneous or malicious BGP announcements. The company signs its own prefixes and validates incoming routes, dropping those that fail validation even when, because of someone else's mistake, some networks temporarily become unreachable. Cloudflare names ASPA as the next major topic. Where RPKI confirms who is authorized to originate a prefix, ASPA checks whether the chain of autonomous systems the route traveled through is legitimate at all. Against route leaks, that level of verification is far more useful.
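The two checks described in this paragraph, as an added Python example that is not Cloudflare's code. The ROAs, ASPA records, ASNs and prefixes are constructed (documentation ranges). rov() follows the RFC 6811 origin-validation rules; aspa_upstream() implements only the "route learned from a customer" case, where every hop from the origin toward the receiver must be a customer-to-provider hop that the customer's ASPA record authorizes. The peer and downstream cases of the full IETF procedure are omitted.

```python
"""RPKI origin validation plus a simplified ASPA path check
(added example, not Cloudflare code; records and routes are constructed).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the holder may announce
    origin_as: int   # AS authorized to originate it


def rov(announced_prefix, origin_as, roas):
    """RFC 6811 Route Origin Validation: "Valid", "Invalid" or "NotFound"."""
    pfx = ipaddress.ip_network(announced_prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == pfx.version and pfx.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"          # nobody has published a ROA for this space
    for roa in covering:
        if roa.origin_as == origin_as and pfx.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"               # covered, but wrong origin or too specific


def aspa_upstream(receiver_as, as_path, aspa_records):
    """Simplified ASPA check for a route learned from a customer.

    as_path is in BGP UPDATE order: the receiver's neighbor first, the
    origin last. aspa_records maps a customer AS to the set of providers it
    has authorized. The receiver is treated as the provider of its neighbor,
    so that hop is checked as well. Returns "Valid", "Invalid" or "Unknown".
    """
    hops = [receiver_as] + list(as_path)
    unknown = False
    for i in range(len(hops) - 1):
        provider, customer = hops[i], hops[i + 1]
        if provider == customer:   # AS path prepending, not a real hop
            continue
        authorized = aspa_records.get(customer)
        if authorized is None:
            unknown = True         # customer published no ASPA record
        elif provider not in authorized:
            return "Invalid"       # customer never authorized this provider
    return "Unknown" if unknown else "Valid"


def evaluate(receiver_as, announced_prefix, as_path, roas, aspa_records):
    """Combined verdict a router could log for one received route."""
    return {
        "rov": rov(announced_prefix, as_path[-1], roas),
        "aspa": aspa_upstream(receiver_as, as_path, aspa_records),
    }


# Constructed data: documentation ASNs and prefixes.
ROAS = [ROA("192.0.2.0/24", 24, 64500), ROA("2001:db8::/32", 48, 64500)]
ASPA = {64500: {64510}, 64510: {64520}}   # 64500's provider is 64510, whose provider is 64520

if __name__ == "__main__":
    me = 64520
    print(evaluate(me, "192.0.2.0/24", [64510, 64500], ROAS, ASPA))         # both Valid
    print(evaluate(me, "192.0.2.0/25", [64510, 64500], ROAS, ASPA))         # rov Invalid: more specific than maxLength
    print(evaluate(me, "192.0.2.0/24", [64510, 64501], ROAS, ASPA))         # rov Invalid: origin not authorized
    print(evaluate(me, "192.0.2.0/24", [64510, 64530, 64500], ROAS, ASPA))  # aspa Invalid: leak through 64530
    print(evaluate(me, "198.51.100.0/24", [64510, 64540], ROAS, ASPA))      # rov NotFound, aspa Unknown
```

The fourth case is the route leak the text refers to: the origin is correct, so RPKI alone says "Valid", but AS64500 never authorized AS64530 as a provider, so the path could not legitimately have been learned that way. Note also that an "Invalid" from either check is what the company says it acts on, accepting that a misconfigured ROA elsewhere can make someone else's prefix unreachable.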

The very nature of Internet traffic is also changing. According to Cloudflare, more than 4% of all HTML requests on the company's network are already generated by AI crawlers, model-training systems and autonomous agents. That volume is comparable to Googlebot's. The fastest-growing scenario is one where an AI fetches a page in response to a person's question; in 2025 the number of such requests grew more than 15-fold. For the infrastructure the problem is not only volume but behavior. An ordinary browser loads the page and then goes quiet, whereas a crawler immediately and without pause pulls every linked resource. At the network level such activity can look almost like an attack.

Cloudflare therefore increasingly distinguishes legitimate robots from malicious traffic using several signals at once: IP address ranges, behavioral analysis, compliance with robots.txt and TLS fingerprints. The company gives a simple example. A given browser usually sends a predictable set of parameters in its ClientHello, consistent with the stated User-Agent. If a crawler spoofs the User-Agent but uses a more primitive TLS library, the mismatch is visible before the request ever reaches the origin server.
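The check in that example, as added Python code that is not Cloudflare's. parse_client_hello() extracts from a raw TLS record the fields that the JA3 method uses, ja3() builds the fingerprint string and its MD5, and ua_consistent() compares the fingerprint with the set known for the browser family the User-Agent claims. The two ClientHellos, their cipher and extension lists, the User-Agent strings and the "known fingerprints" table are all constructed for illustration; real baselines come from observed browser traffic, and JA3 is one fingerprinting scheme among several.

```python
"""Spotting a spoofed User-Agent from the TLS ClientHello (added example, not Cloudflare code).
All ClientHellos, cipher/extension lists and the baseline table below are constructed."""
import hashlib
import struct

# GREASE values (RFC 8701) vary per connection and must be ignored when fingerprinting.
GREASE = {(x << 8) | x for x in range(0x0A, 0x100, 0x10)}


def build_client_hello(client_version, ciphers, extensions):
    """Assemble a minimal TLS record carrying a ClientHello.
    extensions: list of (type, data) pairs with data already encoded."""
    body = struct.pack(">H", client_version) + bytes(32) + b"\x00"  # random, empty session id
    cs = b"".join(struct.pack(">H", c) for c in ciphers)
    body += struct.pack(">H", len(cs)) + cs + b"\x01\x00"            # one compression method: null
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (version, ciphers, extension_types, groups, point_formats) from a raw record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    version = struct.unpack(">H", body[:2])[0]
    pos = 2 + 32                                  # skip random
    pos += 1 + body[pos]                          # skip session id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                          # skip compression methods
    ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    ext_types, groups, formats = [], [], []
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        ext_types.append(etype)
        if etype == 10:                           # supported_groups
            n = struct.unpack(">H", data[:2])[0]
            groups = [struct.unpack(">H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif etype == 11:                         # ec_point_formats
            formats = list(data[1:1 + data[0]])
    return version, ciphers, ext_types, groups, formats


def ja3(parsed):
    """JA3: decimal fields joined by '-' within and ',' between, then MD5."""
    version, ciphers, ext_types, groups, formats = parsed
    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    text = ",".join([str(version), field(ciphers), field(ext_types), field(groups), field(formats)])
    return text, hashlib.md5(text.encode()).hexdigest()


def ua_family(user_agent):
    """Very rough family classification of a User-Agent string."""
    if "Firefox/" in user_agent:
        return "firefox"
    if "Chrome/" in user_agent:
        return "chrome"
    return "other"


def ua_consistent(user_agent, record, known=None):
    """True when the ClientHello fingerprint is one the claimed family is known to produce."""
    known = KNOWN_FINGERPRINTS if known is None else known
    return ja3(parse_client_hello(record))[1] in known.get(ua_family(user_agent), set())


def _sni(host):
    name = host.encode()
    entry = b"\x00" + struct.pack(">H", len(name)) + name
    return struct.pack(">H", len(entry)) + entry


def _groups(values):
    return struct.pack(">H", 2 * len(values)) + b"".join(struct.pack(">H", v) for v in values)


# Constructed "browser-like" hello: TLS 1.3 suites, GREASE, ALPN, supported_versions.
BROWSER_HELLO = build_client_hello(0x0303,
    [0x0A0A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0xC02C, 0xC030, 0xCCA9, 0xCCA8],
    [(0x0A0A, b""), (0, _sni("example.com")), (10, _groups([0x0A0A, 0x001D, 0x0017, 0x0018])),
     (11, b"\x01\x00"), (16, struct.pack(">H", 12) + b"\x02h2\x08http/1.1"),
     (43, b"\x06\x0a\x0a\x03\x04\x03\x03")])
# Constructed "primitive library" hello: a few legacy suites, no GREASE, three extensions.
LIBRARY_HELLO = build_client_hello(0x0303,
    [0x002F, 0x0035, 0xC013, 0xC014],
    [(0, _sni("example.com")), (10, _groups([0x0017])), (11, b"\x01\x00")])

# Baseline: what the claimed family is known to look like (constructed from BROWSER_HELLO).
KNOWN_FINGERPRINTS = {"chrome": {ja3(parse_client_hello(BROWSER_HELLO))[1]}}
CHROME_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"

if __name__ == "__main__":
    print(ja3(parse_client_hello(BROWSER_HELLO))[0])
    print(ua_consistent(CHROME_UA, BROWSER_HELLO))  # True
    print(ua_consistent(CHROME_UA, LIBRARY_HELLO))  # False: claims Chrome, speaks like a bare library
```

The decision happens on the handshake alone, before any HTTP request is forwarded, which is why the text says the mismatch is visible before the origin is reached. GREASE values are stripped so that a genuine browser does not produce a different fingerprint on every connection.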

For Cloudflare, the 500 Tbps mark is not a pretty round number but the result of a long engineering strategy in which each new capability was built on the network that already existed. First the company learned simply to deliver and filter traffic, then it turned the network into a security layer, then into an application platform, and now it uses the same infrastructure to handle a new wave of load from AI agents. On an Internet where attacks keep growing, routing keeps getting more complicated and automated traffic keeps getting more aggressive, a reserve of capacity like this no longer looks like a luxury but like a basic condition of survival.