Route leak incident on January 22, 2026
Summary
On January 22, 2026, a misconfiguration in Cloudflare's routing policy led to a significant BGP route leak, affecting both Cloudflare customers and external networks. The incident, which lasted 25 minutes, resulted in unintended traffic being routed through Cloudflare's Miami data center, causing congestion and elevated latency. The article details the timeline of events, the technical specifics of the misconfiguration, and the subsequent impacts on network performance. It also outlines the steps Cloudflare is taking to prevent similar incidents in the future, including improvements to routing policy automation and the implementation of additional safeguards.
Key Learnings
1. Understanding the mechanics of BGP route leaks and their implications on network traffic.
2. Recognizing the importance of stringent routing policy configurations to prevent accidental leaks.
3. Implementing BGP community-based safeguards to enhance routing security.
4. The necessity of integrating routing policy evaluations into CI/CD pipelines for early detection of configuration issues.
5. The role of RFC standards in guiding network configuration and preventing route leaks.
Who Should Read This
Senior Network Engineers with experience in BGP configurations and incident response strategies
Test Your Knowledge
What are the specific routing policy changes that led to the BGP route leak on January 22, 2026?
How can BGP community-based safeguards mitigate the risk of route leaks in a network?
What are the implications of a route leak on network performance and customer experience?
In what ways can CI/CD pipelines be utilized to enhance network configuration management?
What are the trade-offs involved in implementing RFC 9234 to prevent route leaks?