Earlier today a lot of internet users were experiencing problems while trying to access websites and apps. In contrast to the outages a few weeks ago, today's issue was not caused by the content providers themselves but by the company in between the cloud providers hosting the content and the users: Cloudflare.
What does Cloudflare do?
Cloudflare is one of the largest internet security companies. For regular internet users, the most important thing is their content delivery network (CDN). A CDN is responsible for distributing files from web servers to clients across the globe while reducing load on the origin servers, increasing loading speeds for users through caching files in a nearby location, and securing the providers by catching cyber attacks against websites and preventing them from getting through to the servers hosting the content. Cloudflare also provides a lot of different security-related services to businesses, like site-to-site tunnels, access management, and much more. Overall, 20-30% of all websites rely on one or more services provided by Cloudflare.
What happened?
According to Cloudflare's CTO, today's outage was caused by a bug triggered by a routine configuration update. A file related to bot mitigation services grew unexpectedly in size and caused a crash in systems responsible for managing traffic across a variety of Cloudflare services. This in turn caused the global network to loose a large amount of its potential bandwidth, and thus the outages and problems users experienced today. Similar to the issues at Microsoft's Azure and Amazon's AWS a few weeks ago, a very small change caused a large chunk of the global internet to stop working as it should.
What was affected?
In short: A sizeable portion of all websites. Cloudflare is behind a lot of websites. Since they provide basic services for free, a lot of small companies rely on their services to secure their backend infrastructure from attacks. But also large companies and institutions rely on Cloudflare's services. Today's outage, for example, caused downtime at Twitter/X, ChatGPT, IKEA, and even UK government websites, such as the one of MI5.
Is it possible to prevent this?
Yes and no. The problem today's outage has shown is that a sizeable chunk of the internet relies on a single company, so you might jump to the conclusion that if instead of one there would have been 3 or 4, a much smaller part would have been affected. But this is deceiving to a certain degree, since the main service we discuss here is cybersecurity. Using Cloudflare services is widespread because typically they are good at what they do: Preventing downtime caused by, for example, massive DDOS attacks. Being capable of doing this requires large amounts of infrastructure, which in turn costs a lot of money. Cloudflare is only able to provide this infrastructure because they are involved in huge chunks of the internet. Which leaves us essentially with a choice:
Dependence on one big company that is able to catch large attacks, but when something goes down, many sites are affected...
- or -
A number of smaller companies with a lot more attacks coming through, causing more outages overall but on a much smaller scale each time...
Sadly there is no right answer to this question; you always have a drawback as long as malicious actors exist on the internet.