Best of Cloudflare, October 2025

  1. Article (Cloudflare)

    How we found a bug in Go's arm64 compiler

    Cloudflare discovered a race condition in Go's arm64 compiler that caused sporadic crashes during stack unwinding. The bug occurred when async preemption interrupted a split stack pointer adjustment in function epilogues, leaving the stack in an invalid state. Through systematic debugging involving coredumps, disassembly analysis, and reproducer creation, they traced crashes to a one-instruction race where the runtime preempted between two ADD opcodes adjusting RSP. The fix ensures stack pointer modifications happen atomically by building offsets in temporary registers first.

  2. Article (Cloudflare)

    From .com to .anything: introducing Top-Level Domain (TLD) insights on Cloudflare Radar

    Cloudflare Radar launched a new Top-Level Domain (TLD) insights page that provides comprehensive data on TLD popularity, traffic patterns, and security metrics. The page uses DNS Magnitude—a metric measuring how many unique networks query domains within a TLD—to rank over 2,500 TLDs. Surprisingly, .su (Soviet Union's legacy TLD) tops the ranking due to queries from a popular online game. Individual TLD pages offer detailed information including DNSSEC support, RDAP availability, DNS query volumes, certificate issuance data, and geographic distribution. The feature extends existing DNS insights to all delegated TLDs and integrates with Cloudflare Registrar for domain registration. All data is accessible via API and the Radar Data Explorer.

  3. Article (Cloudflare)

    So long, and thanks for all the fish: how to escape the Linux networking stack

    Cloudflare engineers developed a custom service called SLATFATF ("fish") to handle IP packet forwarding using their soft-unicast addressing system, which shares IP addresses across machines. The team encountered fundamental conflicts between Linux's socket subsystem and Netfilter's conntrack module when attempting to use both packet rewriting and bound sockets simultaneously. After exploring solutions including Netlink interfaces, TCP_REPAIR, and TCP Fast Open with cookieless connections, they discovered that Linux's "early demux" optimization bypassed custom routing rules. Despite successfully implementing workarounds, they ultimately chose to terminate TCP connections rather than forward raw IP packets due to better observability and minimal performance impact.

  4. Article (Cloudflare)

    Go and enhance your calm: demolishing an HTTP/2 interop problem

    Cloudflare engineers discovered that Go's HTTP/2 client implementation sends unnecessary RST_STREAM and PING frames when closing response bodies without reading them first, even when empty. This behavior triggered Cloudflare's PING flood DDoS mitigations, causing connections to close with ENHANCE_YOUR_CALM errors. The solution is to always fully read response bodies using io.Copy(io.Discard, resp.Body) before closing them, especially when reusing connections for multiple requests. The issue highlights how legitimate HTTP/2 client behavior can inadvertently mimic attack patterns and trigger security defenses.