Cloudflare says 1.1.1.1 outage not caused by attack or BGP hijack
To quash speculation of a cyberattack or BGP hijack incident causing the recent 1.1.1.1 Resolver service outage, Cloudflare explains in a post mortem that the incident was caused by an internal misconfiguration.
The outage occurred on July 14 and impacted most users of the service all over the world, rendering internet services unavailable in many cases.
“The root cause was an internal configuration error and not the result of an attack or a BGP hijack,” Cloudflare says in the announcement.
This statement comes after people reported on social media that the outage was caused by a BGP hijack.
Global outage unfolding
- The company explains that behind the outage was a configuration change for a future Data Localization Suite (DLS) performed on June 6, which mistakenly linked 1.1.1.1 Resolver IP prefixes to a non-production DLS service.
- On July 14 at 21:48 UTC, a new update added a test location to the inactive DLS service, refreshing the network configuration globally and applying the misconfiguration.
- This withdrew 1.1.1.1 Resolver prefixes from Cloudflare’s production data centers and routed them to a single offline location, making the service globally unreachable.
- Less than four minutes later, DNS traffic to the 1.1.1.1 Resolver began to drop. By 22:01 UTC, Cloudflare detected the incident and disclosed it to the public.
The misconfiguration was reverted at 22:20 UTC, and Cloudflare began re-advertising the withdrawn BGP prefixes. Finally, full service restoration at all locations was achieved at 22:54 UTC.
The incident affected multiple IP ranges, including 1.1.1.1 (main public DNS resolver), 1.0.0.1 (secondary public DNS resolver), 2606:4700:4700::1111 and 2606:4700:4700::1001 (main and secondary IPv6 DNS resolvers, and multiple IP ranges that support routing within Cloudflare infrastructure.

Source: Cloudflare
Regarding the incident’s impact on protocols, UDP, TCP, and DNS-over-TLS (DoT) queries to the above addresses saw a significant drop in volume, but DNS-over-HTTPS (DoH) traffic was largely unaffected as it follows a different routing via cloudflare-dns.com.

Source: Cloudflare
Next steps
The misconfiguration could have been rejected if Cloudflare had used a system that performed progressive rollout, the internet giant admits, blaming the use of legacy systems for this failure.
- For this reason, it plans to deprecate legacy systems and accelerate migration to newer configuration systems that utilize abstract service topologies instead of static IP bindings, allowing for gradual deployment, health monitoring at each stage, and quick rollbacks in the event that issues arise.
- Cloudflare also points out that the misconfiguration had passed peer review and wasn’t caught due to insufficient internal documentation of service topologies and routing behavior, an area that the company also plans to improve.
SonicWall SMA devices hacked with OVERSTEP rootkit tied to ransomware
A threat actor has been deploying a previously unseen malware called OVERSTEP that modifies the boot process of fully-patched but no longer supported SonicWall Secure Mobile Access appliances.
- July 16, 2025
- 11:33 AM
0
New Fortinet FortiWeb hacks likely linked to public RCE exploits
Multiple Fortinet FortiWeb instances recently infected with web shells are believed to have been compromised using public exploits for a recently patched remote code execution (RCE) flaw tracked as CVE-2025-25257.
- July 16, 2025
- 10:58 AM
0
Europol disrupts pro-Russian NoName057(16) DDoS hacktivist group
An international law enforcement operation dubbed "Operation Eastwood" has targeted the infrastructure of the pro-Russian hacktivist group NoName057(16), responsible for distributed denial-of-service (DDoS) attacks across Europe and the US.
- July 16, 2025
- 10:07 AM
0
Get a year of IT training with $250 off Vision Training Systems
Working in IT means constantly training and learning. Yet fitting a course into your schedule can be difficult between your work, your family, and your other commitments. The Vision Training Systems 365 Training Pass gives you a year of on-demand training that fits into your calendar, on sale for $49.99 (reg. $299).
- July 16, 2025
- 07:09 AM
0
Grok 4 benchmark results: Tops math, ranks second in coding
Grok 4 is a huge leap from Grok 3, but how good is it compared to other models in the market, such as Gemini 2.5 Pro? We now have answers, thanks to new independent benchmarks.
- July 16, 2025
- 06:35 AM
1
Google fixes actively exploited sandbox escape zero day in Chrome
Google has released a security update for Chrome to address half a dozen vulnerabilities, one of them actively exploited by attackers to escape the browser's sandbox protection.
- July 16, 2025
- 05:47 AM
0
OpenAI's image model gets built-in style feature on ChatGPT
OpenAI's image gen model, which is available via ChatGPT for free, now lets you easily create AI images even if you're not familiar with trends or prompt engineering.
- July 15, 2025
- 04:12 PM
0
Abacus dark web drug market goes offline in suspected exit scam
Abacus Market, the largest Western darknet marketplace supporting Bitcoin payments, has shut down its public infrastructure in a move suspected to be an exit scam.
- July 15, 2025
- 03:58 PM
0
Windows KB5064489 emergency update fixes Azure VM launch issues
Microsoft has released an emergency update to fix a bug that prevents Azure virtual machines from launching when the Trusted Launch setting is disabled and Virtualization-Based Security (VBS) is enabled.
- July 15, 2025
- 02:47 PM
3
North Korean XORIndex malware hidden in 67 malicious npm packages
North Korean threat actors planted 67 malicious packages in the Node Package Manager (npm) online repository to deliver a new malware loader called XORIndex to developer systems.
- July 15, 2025
- 01:47 PM
0
Police disrupt “Diskstation” ransomware gang attacking NAS devices
An international law enforcement action dismantled a Romanian ransomware gang known as 'Diskstation,' which encrypted the systems of several companies in the Lombardy region, paralyzing their businesses.
- July 15, 2025
- 12:53 PM
0
Android malware Konfety uses malformed APKs to evade detection
A new variant of the Konfety Android malware emerged with a malformed ZIP structure along with other obfuscation methods that allow it to evade analysis and detection.
- July 15, 2025
- 09:10 AM
0
OpenAI's ChatGPT-powered browser is codenamed 'Aura'
OpenAI is following Perplexity and is working on its own AI-powered browser codenamed "Aura."
- July 15, 2025
- 07:30 AM
0
No comments:
Post a Comment