Cloudflare, a networking company that provides Distributed Denial of Service (DDoS) protection and Internet content delivery services for many companies globally, announced that it had resolved an issue that led to outages early Tuesday that knocked several major websites and services offline for several hours. The company’s system status page reported the incident was resolved by 7:30 p.m. UTC (2:30 p.m. EST).
The outage affected affecting users of everything from ChatGPT, X, and the video game “League of Legends,” to the New Jersey Transit system. Other platforms that experienced outages included Uber, Canva, Shopify, Dropbox, Coinbase, Axios, Politico, and Moody’s credit ratings service. In France, national railway company SNCF’s website was impacted.
Company representatives said the “root cause” of the outage was an automatically generated configuration file used to manage threat traffic that “grew beyond an expected size of entries,” which triggered a crash in the software system that handles traffic for several of its services.
"We saw a spike in unusual traffic to one of Cloudflare’s services beginning at 11:20 a.m. UTC (6:20 a.m. EST). That caused some traffic passing through Cloudflare's network to experience errors," a company spokesperson said in a statement to CBS News.
Cloudflare spokesperson Jackie Dutton indicated there was no evidence that this was caused by an attack or any malicious activity, adding the company would share a detailed explanation of what went wrong on its blog.
“We are continuing to monitor for errors to ensure all services are back to normal,” the company said. “At this point, it is considered safe to re-enable any Cloudflare services that were temporarily disabled during the incident. We will provide a final update once our investigation is complete.”
Questions about Security Impact
The Cloudflare outage affected security by disabling features that protect against bots, leading to a potential surge in bot traffic and an increase in security challenges. Its outage means sites were temporarily unable to verify users, block bad bots, and perform other essential security checks.
This would have left them vulnerable to automated attacks like Distributed Denial of Service (DDoS) and can result in higher-than-normal error rates for legitimate users as they’re unable to pass security checks.
Specific security effects include the following:
• Bypassing of security measures: The firm’s security services, which include checking if a visitor is a human or a bot, were temporarily disabled. Automated scripts and malicious bots can get through without being stopped.
• Increased vulnerability to attacks: Without Cloudflare’s protections, websites could have been more susceptible to attacks, especially DDoS attacks that overwhelm servers with a flood of requests.
• Increased error rates for legitimate users: The outage can cause errors for legitimate users who may be unable to pass security challenges, such as, “Please unblock challenges.cloudflare.com to proceed” messages.
• Unrestricted access for bots: The outage essentially removed the security layer that differentiates legitimate human traffic from bots, allowing malicious bots to operate freely and potentially exploit vulnerable sites more easily.
No reports have been made yet about platforms that had security problems due to the outage.
Cloudflare Owned It Immediately
“I won’t mince words: earlier today we failed our customers and the broader internet,” Dane Knecht, Cloudflare's CTO, said in an X post.
“We were able to resolve the impact to traffic flowing through our network at approximately 14:30 UTC (9:30 a.m. EST), which was our first priority, but the incident required some additional work to fully restore our control plane (our dashboard and the APIs our customers use to configure Cloudflare,” he added.
Your Competitive Edge, Delivered