https://adgully.me/post/3767/cloudflare-helps-discover-new-online-threat

Cloudflare helps discover new online threat

Dubai: Cloudflare, Inc., the leading connectivity cloud company, today made public that it helped lead the disclosure of a new novel zero-day vulnerability, dubbed “HTTP/2 Rapid Reset.” This global vulnerability gives attackers the ability to generate attacks larger than anything the Internet had seen before. To help mitigate the impact of this new threat for the entire Internet ecosystem, Cloudflare developed technology purpose-built to automatically block any attack leveraging Rapid Reset for its customers.

Cloudflare successfully mitigated these issues and halted potential abuse for all customers, while simultaneously kicking off a responsible disclosure process with two other major infrastructure providers, to extend mitigations for this vulnerability to a large percentage of the Internet prior to disclosing its existence to the general public.

“Successfully mitigating this threat for every critical infrastructure organization, customer, and the Internet at-large is the lifeblood of what Cloudflare stands for. We are one of the only companies equipped to identify and address threats of this magnitude, at the speed required to maintain the integrity of the Internet,” said Matthew Prince, CEO at Cloudflare. “And while this DDoS attack and vulnerability may be in a league of their own, there will always be other zero-day, evolving threat actor tactics, and new novel attacks and techniques—the continuous preparation and response to these is core to our mission to help build a better Internet.”

Deconstructing HTTP/2 Rapid Reset

In late August 2023, Cloudflare discovered a zero-day vulnerability, developed by an unknown threat actor. The vulnerability exploits the standard HTTP/2 protocol—a fundamental piece to how the Internet and most websites operate. HTTP/2 is responsible for how browsers interact with a website, allowing them to ‘request’ to view things like images and text quickly, and all at once no matter how complex the website.

This new attack works by making hundreds of thousands of ‘requests’ and immediately canceling them. By automating this “request, cancel, request, cancel” pattern at scale, threat actors overwhelm websites and are able to knock anything that uses HTTP/2 offline.

Cloudflare Traffic Pattern Timeline: Late August 2023-Early October 2023 (Graphic: Business Wire)

“Rapid Reset” provides threat actors with a powerful new way to attack victims across the Internet at an order of magnitude larger than anything the Internet has seen before. HTTP/2 is the basis for about 60% of all web applications, and determines the speed and quality of how users see and interact with websites.

Based on Cloudflare's data, several attacks leveraging Rapid Reset were nearly three times larger than the largest DDoS attack in Internet history. At the peak of this DDoS campaign, Cloudflare recorded and handled over 201 million requests per second (Mrps), as well as the mitigation of thousands of additional attacks following.

How Cloudflare thwarted the attack with Industry peers

Threat actors who possess record-shattering attack methods have an extremely difficult time testing and understanding their effectiveness, due to the lack of infrastructure to absorb the attacks. For this reason, they often test against providers like Cloudflare to better understand how their attacks will perform.

“While large-scale attacks such as those leveraging vulnerabilities like Rapid Reset can be complex and difficult to mitigate, they provide us unprecedented visibility into new threat actor techniques early in development,” said Grant Bourzikas, CSO at Cloudflare. “While there is no such thing as ‘perfect disclosure,’ with downtime and bumps along the way, thwarting attacks and responding to breaking incidents requires organizations and security teams to live by the ‘assume breach’ mindset the Cloudflare team fosters. Ultimately, this allows us to be a proud partner that helps make the Internet secure.”

https://adgully.me/post/3140/cloudflare-unveils-unified-data-protection-suite-to-address-increased-ai

Cloudflare unveils unified data protection suite to address increased AI

Cloudflare, Inc. (NYSE: NET), the security, performance, and reliability company helping to build a better Internet, today announced Cloudflare One Data Protection Suite, a unified set of advanced security solutions designed to protect data across every environment – web, SaaS, and private applications. Powered by Cloudflare’s Security Service Edge (SSE), customers can streamline compliance in the cloud, mitigate data exposure and loss of source code, and secure developer and AI environments from a single platform.

Today’s organizations need to move away from legacy tools in order to maintain a competitive edge, decrease complexity in environments, and lessen the burden on their end users. However, the shift to emerging cutting-edge technology has introduced new risks and the daunting task of safeguarding sensitive data and intellectual property. In order to address this modern landscape and shrink the attack surface, CISOs need a fool-proof holistic strategy that will enable them to secure their entire corporate IT stack – including the rapidly increasing amount of data that is everywhere their employees’ devices, SaaS / cloud applications, and AI tools are.

The Cloudflare One Data Protection Suite focuses on simplicity, extending comprehensive data controls to all aspects of an organization's internal and external applications. Built natively on Cloudflare's global network, this suite allows organizations of all sizes to:

Allow programmable network architecture: Organizations can build new capabilities and adopt new security standards and protocols quickly, which ensures data protection controls address modern use cases, like protecting code in generative AI.
Streamline data visibility and controls onto a single platform: With one management interface, administrators have multiple, flexible options to send traffic to Cloudflare for enforcement including API-based scans, clientless deployments of ZTNA and RBI, a single device client, direct or virtual interconnects, and SD-WAN partnerships.
Enforce data protection controls with single-pass inspection: Across each of Cloudflare’s network locations – spanning more than 300 cities in over 100 countries – policy enforcement is reliable, unintrusive, and fast. This ultimately means that data controls never disrupt end-user productivity, and allow efficacy and scalability.
Customize detections: DLP exact data match will equip customers with flexibility to detect organization-specific data defined in custom datasets. More predefined data detection profiles are available for source code files and protected health information (PHI).
Converge API-driven CASB and DLP: Customers can discover sensitive data at rest and in line. Integrations will cover the majority of cloud collaboration, productivity, and code repository tools for enterprises.
Provide risk-based data protection: Control access to data and apps based on a behavioral user risk score, which incorporates signals from across Cloudflare One such as a user’s activities, posture, settings.

“Data is an organization’s most valuable asset, and protecting that data is critical. Breaches have lasting effects, and can even destroy a business when it comes to operational downtime, regulatory repercussions, associated costs. And, that doesn’t even account for the reputational damage associated with it,” said Matthew Prince, CEO at Cloudflare. “Organizations already have enough complexity, safeguarding your data doesn't need to fall in that bucket. Cloudflare provides a unique network architecture so enterprises can tackle anything from AI exposure to code leaks all in one unified platform.”

“Today, Cloudflare One helps prevent our users from sharing sensitive data and code with tools like ChatGPT and Bard, enabling us to take advantage of AI safely,” says Tanner Randolph, Chief Information Security Officer at Applied Systems, a SaaS technology provider for insurance brokers. “Over the past few years, Cloudflare has been a critical partner in our digital transformation efforts and has helped us consolidate security controls across our users, applications, and networks. Going forward, we are excited for Cloudflare’s continued innovations to protect data, and in particular, their vision and roadmap for services like DLP and CASB.”

https://adgully.me/post/1667/cloudflare-takes-on-online-fraud-detection-market

Cloudflare takes on online fraud detection market

Cloudflare, Inc., the security, performance, and reliability company helping to build a better Internet, today announced it is entering the fraud detection market to help businesses quickly identify and stop online fraud–including fraudulent transactions, fake account signups, account takeover attacks, and carding attacks–before it impacts their brand or their bottom line. Powered by sophisticated machine learning models and global threat intelligence, Cloudflare is developing Cloudflare Fraud Detection to quickly stop account and payment fraud while also blocking the bots and humans behind it – automatically, and at global scale.

Digital fraud threats are ever evolving, highly targeted, and can be committed by both humans and bots. According to PwC’s Global Economic Crime and Fraud Survey, more than half of companies with at least $10 billion in revenue experienced some sort of digital fraud in the last two years–the highest level in decades. Today, businesses often employ resource-heavy teams or rely on multiple vendors to help fight fraud. However, both options can hinder the speed and experience of a customer's transaction. What's more, they inherently lack access to robust threat intelligence, making it harder for businesses to understand if fraud is coming from a bot or a human, and then stop it in real-time. As attacks increase in volume and attackers evolve their tactics, businesses need a faster, more comprehensive way to stop attacks the moment they are detected.

“Customers have long trusted us to help protect them online, and now we’re taking that even further by tackling online fraud,” said Matthew Prince, co-founder and CEO of Cloudflare. “With our massive global network, we can see more, and secure more. We believe we can use our network to stop online fraud faster than anyone else–so business leaders will no longer be kept up at night worrying that online fraud will hurt their brand, their customers’ experience, or their revenue.”

Cloudflare’s global network spans more than 285 cities in over 100 countries to power millions of websites, APIs, and mobile applications–including major online retailers, global financial institutions and payment providers. That will allow Cloudflare to develop real-time advanced detection models that provide greater insights into online fraud threats, and run those models in near-real time to stop threats without any impact on performance.

Cloudflare Fraud Detection will first synthesize different threat activity it sees across the globe and across many different Cloudflare products. For example, Cloudflare Fraud Detection will combine insights from Cloudflare's cloud email security–like phishing attacks–with information about emerging attacks from the Cloudforce One threat intelligence team to determine if a new user signup may be fake. Cloudflare Fraud Detection will then help businesses act immediately–such as to block fraudulent transactions in real time–because its machine learning platform runs across the entire Cloudflare network instantaneously. These architectural advantages will enable businesses to quickly and automatically block new threats that emerge–often before a single fraudulent transaction can be processed.

With Cloudflare Fraud Detection, businesses will have a consolidated fraud management solution with several threat-specific detection capabilities to:

Stop bots at global scale: With Cloudflare’s existing expertise in bot management, businesses will be able to automatically block malicious bot traffic–no human intervention needed.
Safeguard brand reputation and consumer trust: Brands should not have to choose between a seamless customer experience and security. Cloudflare will help prevent attackers from creating fake accounts, without adding complexity or extra steps to the customer journey.
Protect consumers even if they’ve fallen victim to a past breach: Credential stuffing attacks take advantage of people using the same password across multiple websites by using login credentials that have been breached from one site to try to gain access to other websites’ accounts. With Cloudflare Fraud Detection, brands will be able to detect and stop these attacks.
Prevent the use of stolen credit cards: Hackers increasingly use large bot networks to exploit stolen credit card information to commit online fraud at massive scale, making purchases before consumers can even notice. Cloudflare Fraud Detection will have built-in detection capabilities to identify and stop these botnets.

https://adgully.me/post/1188/cloudflare-publishes-top-internet-trends-for-2022

Cloudflare publishes top internet trends for 2022

“Cloudflare has built one of the world’s largest networks that offers a unique view of Internet traffic and online activity around the world,” said Matthew Prince, co-founder and CEO of Cloudflare. “The world continues to rely on the Internet, and we are humbled to have been able to do our part to keep the world connected through protests, conflicts, and natural disasters in 2022. It’s a privilege to help build a better, more transparent and more informed Internet.”

This data comes from Cloudflare Radar, a free tool that lets anyone view global trends and insights across the Internet. Radar is powered by data from Cloudflare’s global network (one of the world’s largest, spanning 275+ cities in 100+ countries), and aggregated and anonymized data from Cloudflare’s 1.1.1.1 public DNS Resolver, widely used as a fast and private way to browse the Internet.