When Australia unveiled its 2023-2030 Australian Cyber Security Strategy in November 2023, we enthusiastically announced Cloudflare’s support, especially for the call for the private sector to work together to protect Australia’s smaller, at-risk entities. Today, we are extremely pleased to announce that Cloudflare and the Critical Infrastructure - Information Sharing and Analysis Centre (CI-ISAC), a member-driven organization helping to defend Australia's critical infrastructure from cyber attacks, are teaming up to protect some of Australia’s most at-risk organizations – General Practitioner (GP) clinics.

Cloudflare helps a broad range of organizations -– from multinational organizations, to entrepreneurs and small businesses, to nonprofits, humanitarian groups, and governments across the globe — to secure their employees, applications and networks. We support a multitude of organizations in Australia, including some of Australia’s largest banks and digital natives, with our world-leading security products and services.

When it comes to protecting entities at high risk of cyber attack who might not have significant resources, we at Cloudflare believe we have a lot to offer. Our mission is to help build a better Internet. A key part of that mission is democratizing cybersecurity – making a range of tools readily available for all, including small and medium enterprises (SMEs), non-profits, and individuals. We also offer our cyber protection products and services at no cost to certain at-risk organizations. One example of this is Australia’s Citizens of the Great Barrier Reef, which is a participant in Cloudflare’s Project Galileo. Through Project Galileo, they have access to our advanced cybersecurity tools and support, freeing them to focus on their mission.

CI-ISAC Australia is a not-for-profit organization with a mission to help build the collective defenses of Australia's critical infrastructure to protect them from crippling cyberattacks. CI-ISAC facilitates sharing, aggregates sources, and analyzes cyber threat intelligence across multiple sectors, including healthcare.

Globally, the healthcare sector consistently reports the highest financial costs from cyber attacks. Sensitive patient data is a prime target for cybercriminals. Not surprisingly, Australia’s big and small healthcare organizations alike are facing crippling cyberattacks. GP clinics serve as the backbone of Australia’s community healthcare, but these small-but-essential entities typically face resource constraints that make it difficult for them to implement fundamental but costly cybersecurity measures, leaving Australian patient data exposed to cybercriminals.

The 2023-2030 Australia Cybersecurity Strategy is clear about the threat to smaller at-risk organizations and the vital role of the private sector in supporting these entities. We couldn’t agree more. Heeding their call to help make Australia more secure for all, we are extremely pleased to introduce Project Secure Health: Cloudflare and CI-ISAC’s combined cyber security support for Australia’s GP clinics. This program will enable Australia’s GP Clinics to counter a range of challenging cyber threats: data breaches, ransomware attacks, phishing scams, and insider threats.

CI-ISAC will provide GP clinics with membership in its organization for free and with no time limit, which will enable member GP clinics to proactively understand and respond to healthcare-specific cyber threats. Clinics will have access to CI-ISAC’s tailored threat intelligence products and services, informed by observations across Australia’s critical infrastructure sectors.

As members of CI-ISAC, GP clinics will also receive key Cloudflare services, for free and with no time limit: Cloudflare Gateway, and Cloudflare Access, our Zero Trust Network Access (ZTNA) service. Cloudflare Gateway helps protect GP clinics against Internet threats by preventing staff from accessing harmful and inappropriate Internet content, like ransomware or phishing sites. With Cloudflare Access, GP clinics can simply and effectively manage user access to sensitive patient data, thereby minimizing the risk of unauthorized users gaining access.

For GP Clinics interested in participating in Project Secure Health, please contact CI-ISAC at info@ci-isac.org.au. To be eligible for free CI-ISAC membership and Cloudflare ZTNA services, GP Clinics must have fewer than 50 staff members.

We are thrilled about Australia’s strategic direction to build a world-leading cyber nation by 2030. As a world-leading cybersecurity company whose mission is to help build a better Internet, we think we can help.

Cloudflare empowers organizations to make their employees, applications and networks faster and more secure everywhere, while reducing complexity and cost. Cloudflare is trusted by millions of organizations – from the largest brands to entrepreneurs and small businesses to nonprofits, humanitarian groups, and governments across the globe.

Cloudflare first established a footprint in Australia in 2012 when we launched our 15th data center in Sydney (our network has since grown to span over 310 cities in 120 countries/regions). We support a multitude of customers in Australia and New Zealand, including some of Australia’s largest banks and digital natives, with our world-leading security products and services. For example, Australia’s leading tech company Canva, whose service is used by over 35 million people worldwide each month, uses a broad array of Cloudflare’s products — spanning use cases as diverse as remote application access, to serverless development, and even bot management to help Canva protect its network from attacks.

In support of the Australian Cyber Security Strategy 2023-2030 (The Strategy), released on November 22, 2023, we want to share how we can help empower Australian organizations and individuals to become more secure. The Strategy is clear about the value of cooperation and the vital role of the private sector. We couldn’t agree more, and we look forward to collaborating with individuals, industry, non-profits, and the government to help ensure that Australia’s society and economy is protected from malicious cyber threats.

The Strategy outlines six shields – six layers of defense against cyber attacks, with Australian businesses and individuals in the center (where they should be). Here’s where we think Cloudflare can play a role in each of the shields:

The Strategy rightly focuses on helping those individuals and organizations that typically do not have the capability or resources to employ basic cybersecurity tools. We agree that supporting the most vulnerable is a crucial goal as these groups are often powerless to protect themselves against relentless attacks. A 2023 survey by the Australian Cyber Security Center shows that 62% of surveyed Small Medium Enterprises (SMEs) were victims of a cyber attack. Cloudflare’s recent survey of nearly 4000 security leaders across Asia Pacific shows that 81% of medium and 77% of small-sized organizations suffered a cybersecurity incident over the previous 12 months.

Here we believe we have a lot to offer. Our mission is to help build a more secure, more private and more reliable Internet. A key part of that mission is democratizing cybersecurity – making cyber tools readily available for all, including SMEs, non-profits, and individuals. For example, our free plan makes available our world-leading DDoS and WAF protection for millions of websites, apps, and APIs all around the world, including in Australia. We provide our suite of Zero Trust Tools for free to organizations with up to 50 users (more on Zero Trust below).

We also offer our world-leading, Enterprise-level cyber protection products and services at no cost to the most vulnerable populations, including human rights organizations, journalists and healthcare organizations. One example of this is Citizens of the Great Barrier Reef, which is a participant of Cloudflare’s Project Galileo. Through Project Galileo, they have access to our most advanced cybersecurity tools and support — freeing them to focus on their mission.

We agree with the Strategy’s push for Secure-by-Design and Secure-by-Default technology – these are in fact our core principles when developing our products and services in order to improve security for our end users automatically. We’ve taken this approach in deploying Web Application Firewall (WAF) protections for all of our users, such as the steps we took to protect our customers (including our free plan customers) against the log4j vulnerability, and in creating a machine-learning computed WAF attack score that enables customers to block likely attacks, even when they don’t match existing attack signatures.

This shield also notes both the opportunities and challenges brought by critical emerging technologies, such as quantum computing and artificial intelligence (AI). Cloudflare is getting ready for the quantum future – in order to protect against possible attacks from quantum computers, we believe that post-quantum cryptography tools should be readily available. In late 2022, we announced that by default, all websites and APIs served through Cloudflare, including those on our free plan, support post-quantum hybrid key agreement.

We also provide tools that help ensure that AI can be used securely. Given the incredible growth in this space, it’s critical that businesses can ensure that they are able to leverage AI innovation and growth — and doing so both securely and safely.

We applaud the government’s efforts to strengthen threat sharing and threat blocking. For threat intelligence to be effective across sectors and industries, there needs to be a flow of information not only between government and industry, but also between industry peers. The support in the strategy for developing Information Sharing and Analysis Centers (ISACs) will help create a threat sharing culture within industry and support Australia to build a more mature cybersecurity ecosystem.

Cloudflare has supported ISACs to understand the impact of emerging vulnerabilities. One recent example concerned the HTTP/2 Rapid Reset Vulnerability, which resulted in record-breaking DDoS attacks. By working with our peers and sharing the latest insights we were able to help member organizations proactively protect themselves and their users.

This shield focuses on critical infrastructure (CI) – those institutions vital to the nation’s functioning. Cloudflare understands the crucial importance of protecting CI: many of our customers are CI in their respective jurisdictions, including in Australia. Our tools help keep them, and those that rely on them, secure. For example, we mitigated threats to our customers when Anonymous Sudan and Killnet attacked and issued threats to Australian universities, airports, and hospitals in March 2023.

Equally concerning are the smaller critical infrastructure organizations that are the foundation of our communities: the neighborhood hospital, regional water treatment facility, and local energy provider that meet our basic needs like keeping the lights on and clean water running. Also vital, and noted in the Strategy – the small-yet-crucially-important companies that form the supply chains of our nationwide critical systems. These smaller organizations frequently lack the know-how and financial resources to deploy basic cyber security, let alone best-in-class cybersecurity tools and services. We felt that we could step up to help meet this crucial gap, so at the end of 2022, we launched Project Safekeeping in Australia and other global markets, providing no-cost and no-time limit Enterprise-level cybersecurity products for these critical entities.

Finally, we applaud the Strategy’s goal to strengthen the overall cyber posture of the Australian Commonwealth government, in particular by developing a Zero Trust culture. Zero Trust is generally considered a best practice in cybersecurity – the belief that organizations should not trust based on relationship to a perimeter (such as if someone is in the office), but instead must verify everything and everyone trying to connect to its systems before granting access. Zero Trust principles are being implemented successfully across the private sector and governments, and a Zero Trust strategy will certainly help uplift the security maturity and posture of Australia and its government.

Cloudflare is already providing our world-leading Zero Trust tools and services to government departments across Australia, both state and federal. For example, Australia’s National Disability Insurance Agency (NDIS) utilizes Cloudflare’s suite of security products to protect their environment and provide secure access into their application ecosystem.

This shield focuses on the essentials for having a diverse and professional cyber workforce in order to foster a vibrant Australian cyber ecosystem. Cloudflare also strives for a diverse workforce in order to have better business outcomes. To improve diversity across departments and roles, we rely on inclusive recruiting practices to help ensure a fair process, and we train employees on mitigating unconscious bias. In Australia, we actively foster diversity in cyber through internal associate programs designed to promote diverse groups into cyber engineering roles. We also run a series of external workshops and sessions aimed at the broader Australian women in cyber community, in order to foster greater learning and networking opportunities in this traditionally male-dominated sector.

As a global company whose mission is to help build a better Internet, we believe it is vitally important for the international community to defend a free and open Internet. We were thrilled to see the Strategy acknowledge this as a key pillar of Australia's cyber diplomacy. A free and open Internet is, in fact, both safer – as global knowledge is necessary to stop attacks that could come from anywhere in the world; and more resilient, as the Internet needs multiple global connection points to ensure that cyber attacks do not impact Internet access.

In addition, we fully agree with the Strategy that global technology markets should be competitive, reflecting a diverse pool of technology vendors. We strongly believe in the importance of having a vibrant security ecosystem, where different security providers can help mitigate the risk of services being compromised, helping to avoid security events.

Finally, this shield recognizes that international cyber standards must be harmonized. As a cybersecurity technology provider that adheres to multiple cybersecurity standards all around the world, we couldn’t agree more. Overlapping and redundant standards are a massive operational burden that do not equate to greater levels of security. However, onerous compliance regimes do prevent governments from having the best security technology available, given that many companies, particularly SMEs, simply can’t afford the high costs associated with numerous cybersecurity certifications.

We are thrilled to support Australia’s mission to be a world cyber leader by 2030. We look forward to our continued collaboration with the Australian government and industry in order to help ensure that everyone – from critical infrastructure, government, SMEs, nonprofits, to Australian citizens – can be more secure.

When a country throws a privacy party, Cloudflare is there! We are proud to be an official sponsor of the Australian Privacy Awareness Week 2023, and we think this year’s theme of “Privacy 101: Back to Basics” is more important now than ever. In recent months, Australians have been hit with the news of massive personal data privacy breaches where millions of Australian citizens' private and sensitive data was compromised, seemingly easily. Meanwhile, the Australian Attorney General released its Privacy Act Review Report 2022 earlier this year, calling for a number of changes to Australia’s privacy regulations.

You’re probably familiar with the old-school privacy basics of giving users notice and consent. But we think it’s time for some new “privacy basics”. Thanks to rapid developments in new technologies and new security threat vectors, notice and consent can only go so far to protect the privacy of your personal data. New challenges call for new solutions: security solutions and privacy enhancing technologies to keep personal data protected. Cloudflare is excited to play a role in building and using these technologies to help our customers keep their sensitive information private and enable individual consumers to protect themselves. Investing in and offering these technologies is part of our mission to help build a better Internet – one that is more private and more secure.

Cloudflare is fully committed to supporting Australian individuals and organizations in protecting their and their users’ privacy. We’ve been in Australia since Sydney became Cloudflare’s 15th data center in 2012, and we launched our Australian entity in 2019. We support more than 300 customers in Australia and New Zealand, including some of Australia’s largest banks and online digital natives with our world-leading privacy and security products and services.

For example, Australian tech darling Canva, whose online graphic design tool is used by over 35 million people worldwide each month, uses a number of our solutions that help Canva protect its network from attacks, which in turn ensures that the data of its millions of users is not breached. And we are proud to support Citizens of the Great Barrier Reef, which is a participant of Cloudflare’s Project Galileo. Through Project Galileo, we’ve helped them to secure their origin server from large bursts of traffic or malicious actors attempting to access the website.

This is why we’re proud to support Australia’s Privacy Awareness Week 2023, and we want to share our expertise on how to empower Australian organizations in securing and protecting the privacy of their users. So let’s look at a few key privacy basics and how we think about them at Cloudflare:

• Minimize the data you collect, and then only use that data for the purpose for which it was collected.

• Employ reasonable and appropriate security measures — with the bar for what this means going higher every day.

• Create a culture of privacy by default.

At Cloudflare, we believe in empowering individuals and entities of all sizes with technological tools to reduce the amount of personal data that gets funneled into the data ocean that is the Internet — regardless of whether someone lives in a country with laws protecting the privacy of their personal data. If we can build tools to help individuals share less personal data online, then that’s a win for privacy no matter what their country of residence.

In 2018, Cloudflare launched the 1.1.1.1 public DNS resolver — the Internet's fastest, privacy-first public DNS resolver. Our public resolver doesn’t retain any personal data about web requests. And because we baked anonymization best practices into the 1.1.1.1 resolver when we built it, we were able to demonstrate that we didn’t have any personal data to sell when we asked independent accountants to conduct a privacy examination of the 1.1.1.1 resolver. And when you combine our 1.1.1.1 public resolver with Warp, our VPN, then your Internet service provider can no longer see every site and app you use—even if they’re encrypted. Which means that even if they wanted to, the ISP can’t sell your data or use it to target you with ads.

We’ve also invested heavily in new technologies that aim to secure Internet traffic from bad actors; the prying eyes of ISPs or other man-in-the-middle machines that might find your Internet communications of interest for advertising purposes; or government entities that might want to crack down on individuals exercising their freedom of speech.

For example, DNS records are like the addresses on the outside of an envelope, and the website content you’re viewing is like the letter inside that envelope. In the snail mail world, courts have long recognized that the address on the outside of a letter doesn’t deserve as much privacy protection as the letter itself. But we’re not living in an age where the only thing someone can tell from the outside of the envelope are the “to” and “from” addresses and place of postage. The digital envelopes of DNS requests can contain much more information about a person than you might expect. Not only is there information about the sender and recipient addresses, but there is specific timestamp information about when requests were submitted, the domains and subdomains visited, and even how long someone stayed on a certain site. Since these digital envelopes contain so much personal information, we think it’s just as important to encrypt this information as to encrypt the contents of the digital letter inside. This is why we doubled down on DNS over HTTPS (DoH).

But we thought we could go further. We were an early supporter of Oblivious DoH (ODoH). ODoH is a proposed DNS standard — co-authored by engineers from Cloudflare, Apple, and Fastly — that separates IP addresses from queries, so that no single entity can see both at the same time. ODoH requires a proxy as a key part of the communication path between client and resolver, with encryption ensuring that the proxy does not know the contents of the DNS query (only where to send it), and the resolver knowing what the query is but not who originally requested it (only the proxy’s IP address). This means the identity of the requester and the content of the request are unlinkable. This technology has formed the basis of Apple’s iCloud Private Relay system, which ensures that no single party handling user data has complete information on both who the user is and what they are trying to access. Cloudflare is proud to serve as a second relay for Apple Private Relay.

But wait - there’s more! We’ve also invested heavily in Oblivious HTTP (OHTTP), an emerging IETF standard and is built upon standard hybrid public-key cryptography. Our Privacy Gateway service relays encrypted HTTP requests and responses between a client and application server. With Privacy Gateway, Cloudflare knows where the request is coming from, but not what it contains, and applications can see what the request contains, but not where it comes from. Neither Cloudflare nor the application server has the full picture, improving end-user privacy.

We recently deployed Privacy Gateway for Flo Health Inc., a leading female health app, for the launch of their Anonymous Mode. With Privacy Gateway in place, all request data for Anonymous Mode users is encrypted between the app user and Flo, which prevents Flo from seeing the IP addresses of those users and Cloudflare from seeing the contents of that request data.

And in the area of analytics, we’ve developed a privacy-first, free web analytics tool. Popular analytics vendors glean visitor and site data in return for web analytics. With business models driven by ad revenue, many analytics vendors track visitor behavior on websites and create buyer profiles to retarget website visitors with ads. But we wanted to give our customers a better option, so they wouldn’t have to sacrifice their visitors’ privacy to get essential and accurate metrics on website usage. Cloudflare Web Analytics works by adding a JavaScript snippet to a website instead of using client-side cookies or instead of fingerprinting individuals using their IP address.

A key “privacy basic” that is also a fundamental element of almost all data protection legislation globally is the requirement to adopt reasonable and appropriate security measures for the personal data that is being processed. And as was the case with the most recent data breaches in Australia, if personal data is accessed without authorization, poor or failed security measures are often to blame.

Cloudflare's security services enable our customers to screen for cybersecurity risks on Cloudflare's network before those risks can reach the customer's internal network. This helps protect our customers and our customers’ data from a range of cyber threats. By doing so, Cloudflare's services are essentially fulfilling a privacy-enhancing function in themselves. From the beginning, we have built our systems to ensure that data is kept private, even from us, and we have made public policy and contractual commitments about keeping that data private and secure.

But beyond securing our network for the benefit of our customers, Cloudflare is most well-known for its application layer security services – Web Application Firewall (WAF), bot management, DDoS protection, SSL/TLS, Page Shield, and more. We also embrace the critical importance of encryption in transit. In fact, we see encryption as so important that in 2014, Cloudflare introduced Universal SSL to support SSL (and now TLS) connections to every Cloudflare customer. And at the same time, we recognize that blindly passing along encrypted packets would undercut some of the very security that we’re trying to provide. Data privacy and security are a balance. If we let encrypted malicious code get to an end destination, then the malicious code may be used to access information that should otherwise have been protected. If data isn’t encrypted in transit, it’s at risk for interception. But by supporting encryption in transit and ensuring malicious code doesn’t get to its intended destination, we can protect private personal information even more effectively.

Let’s take an example – In June 2022, Atlassian released a Security Advisory relating to a remote code execution (RCE) vulnerability affecting Confluence Server and Confluence Data Center products. Cloudflare responded immediately to roll out a new WAF rule for all of our customers. For customers without this WAF protection, all the trade secret and personal information on their instances of Confluence were potentially vulnerable to data breach. These types of security measures are critical to protecting personal data. And it wouldn’t have mattered if the personal data were stored on a server in Australia, Germany, the U.S., or India – the RCE vulnerability would have exposed data wherever it was stored. Instead, the data was protected because a global network was able to roll out a WAF rule immediately to protect all of its customers globally.

Some of the biggest data breaches in recent years have happened as a result of something pretty simple – an attacker uses a phishing email or social engineering to get an employee of a company to visit a site that infects the employee’s computer with malware or enter their credentials on a fake site that lets the bad actor capture the credentials and then use those to impersonate the employee and log into a company’s systems. Depending on the type of information compromised, these kinds of data breaches can have a huge impact on individuals’ privacy. For this reason, Cloudflare has invested in a number of technologies designed to protect corporate networks, and the personal data on those networks.

As we noted during our CIO week earlier this year, the FBI’s latest Internet Crime Report shows that business email compromise and email account compromise, a subset of malicious phishing campaigns, are the most costly – with U.S. businesses losing nearly $2.4 billion. Cloudflare has invested in a number of Zero Trust solutions to help fight this very problem:

• Link Isolation means that when an employee clicks a link in an email, it will automatically be opened using Cloudflare’s Remote Browser Isolation technology that isolates potentially risky links, downloads, or other zero-day attacks from impacting that user’s computer and the wider corporate network.

• With our Data Loss Prevention tools, businesses can identify and stop exfiltration of data.

• Our Area 1 solution identifies phishing attempts, emails containing malicious code, and emails containing ransomware payloads and prevents them from landing in the inbox of unsuspecting employees.

These Zero Trust tools, combined with the use of hardware keys for multifactor authentication, were key in Cloudflare’s ability to prevent a breach by an SMS phishing attack that targeted more than 130 companies in July and August 2022. Many of these companies reported the disclosure of customer personal information as a result of employees falling victim to this SMS phishing effort.

And remember the Atlassian Confluence RCE vulnerability we mentioned earlier? Cloudflare remained protected not only due to our rapid update of our WAF rules, but also because we use our own Cloudflare Access solution (part of our Zero Trust suite) to ensure that only individuals with Cloudflare credentials are able to access our internal systems. Cloudflare Access verified every request made to a Confluence application to ensure it was coming from an authenticated user.

All of these Zero Trust solutions require sophisticated machine learning to detect patterns of malicious activity, and none of them require data to be stored in a specific location to keep the data safe. Thwarting these kinds of security threats aren’t only important for protecting organizations’ internal networks from intrusion – they are critical for keeping large scale data sets private for the benefit of millions of individuals.

All the technologies we build are public examples of how at Cloudflare we put our money where our mouth is when it comes to privacy. We also want to tell you about the ways — some public, some not — we infuse privacy principles at all levels at Cloudflare.

• Employee education and mindset: An understanding of privacy is core to a Cloudflare employee’s experience right from the start. Employees learn about the role privacy and security play in helping to build a better Internet in their first weeks at Cloudflare. During the comprehensive employee orientation, we stress the role each employee plays in keeping the company and our customers secure. All employees are required to take annual data protection training, and we do targeted training for individual teams, depending on their engagement with personal data, throughout the year.

• Privacy in product development: Cloudflare employees take privacy-by-design seriously. We develop products and processes with the principles of data minimization, purpose limitation, and data security always front of mind. We have a product development lifecycle that includes performing privacy impact assessments when we may process personal data. We retain personal data we process for as short a time as necessary to provide our services to our customers. We do not track customers’ end users across sites. We don’t sell personal information. We don’t monetize DNS requests. We detect, deter, and deflect bad actors — we’re not in the business of looking at what any one person (or more specifically, browser) is doing when they browse the Internet. That’s not what we’re about.

• Certifications: In addition to the extensive internal security mechanisms we have in place to protect our customers’ data, we also have become certified under industry standards to demonstrate our commitment to data security. We hold the following certifications: ISO 27001, ISO 27701, ISO 27018, AICPA SOC2 Type II, FedRamp Moderate, PCI DSS 3.2.1, WCAG 2.1 AA and Section 508, C5:2020, and, most recently, the EU Cloud Code of Conduct.

• Privacy-focused response to government and third-party requests for information: Our respect for our customers' privacy applies with equal force to commercial requests and to government or law enforcement requests. Any law enforcement requests that we receive must strictly adhere to the due process of law and be subject to judicial oversight. We believe that U.S. law enforcement requests for the personal data of a non-U.S. person that conflict with the privacy laws of that person’s country of residence (such as Australia’s Privacy Act) should be legally challenged. We commit in our Data Processing Addendum that we will fight government data requests where such a conflict exists. In addition, it is our policy to notify our customers of a subpoena or other legal process requesting their customer or billing information before disclosure of that information, whether the legal process comes from the government or private parties involved in civil litigation, unless legally prohibited. We also publicly report on the types of requests we receive, as well as our responses, in our semi-annual Transparency Report. Finally, we publicly list certain types of actions that Cloudflare has never taken in response to government requests, and we commit that if Cloudflare were asked to do any of the things on this list, we would exhaust all legal remedies in order to protect our customers from what we believe are illegal or unconstitutional requests.

Cloudflare is committed to fully support Australia’s privacy goals, and we are paying close attention to the current conversations around updating Australia’s privacy law and regulatory structure. And our 2023 roadmap includes focusing on the APEC Cross-Border Privacy Rules (CBPR) System as a way to demonstrate our continued commitment to global privacy and paving the way for beneficial cross-border data transfers.

Happy Privacy Awareness Week 2023!

Over the past 24 hours, Cloudflare has observed HTTP DDoS attacks targeting university websites in Australia. Universities were the first of several groups publicly targeted by the pro-Russian hacker group Killnet and their affiliate AnonymousSudan, as revealed in a recent Telegram post. The threat actors called for additional attacks against 8 universities, 10 airports, and 8 hospital websites in Australia beginning on Tuesday, March 28.

Killnet is a loosely formed group of individuals who collaborate via Telegram. Their Telegram channels provide a space for pro-Russian sympathizers to volunteer their expertise by participating in cyberattacks against western interests.

Figure: % of traffic constituting DDoS attacks for organizations in Australia

This is not the first time Cloudflare has reported on Killnet activity. On February 2,  2023 we noted in a blog that a pro-Russian hacktivist group — claiming to be part of Killnet — was targeting multiple healthcare organizations in the US. In October 2022, Killnet called to attack US airport websites, and attacked the US Treasury the following month.

As seen with past attacks from this group, these most recent attacks do not seem to be originating from a single botnet, and the attack methods and sources seem to vary, suggesting the involvement of multiple individual threat actors with varying degrees of skill.

DDoS (Distributed Denial of Service) attacks often make headlines due to their ability to disrupt critical services. Cloudflare recently announced that it had blocked the largest attack to date, which peaked at 71 million requests per second (rps) and was 54% higher than the previous record attack from June 2022.

DDoS attacks are designed to overwhelm networks with massive amounts of malicious traffic, and when executed correctly, can disrupt service or take networks offline. The size, sophistication, and frequency of attacks have been increasing over the past months.

Killnet is not a traditional hacking group: it does not have membership, it does not have tools or infrastructure, and it does not operate for financial gain. Instead, Killnet is a space for pro-Russian "hacktivist" sympathizers to volunteer their expertise by participating in cyberattacks against western interests. This collaboration happens entirely in the open via Telegram, where anyone is welcome to join.

Killnet was formed shortly after (and likely in response to) the IT Army of Ukraine, and it emulates their tactics. Most days, administrators of the Killnet telegram channel will put out a call for volunteers to attack some particular target. Participants share many different tools and techniques for launching successful attacks, and inexperienced individuals are often coached on how to launch cyber attacks by those who are more experienced.

AnonymousSudan is another nontraditional hacking group similar to Killnet who is ostensibly composed of Sudanese "hacktivists". The two groups have recently begun collaborating to attack various western interests.

Attackers, including from these groups, are becoming more audacious in  the size and scale of the organizations they are targeting. What this means for businesses, especially those with limited cyber resources, is an increasing threat level against vulnerable networks.

Organizations of all sizes need to be prepared for the eventuality of a significant DDoS attack against their networks. Detection and mitigation of attacks should ideally be automated as much as possible, because relying solely on humans to mitigate in real time puts attackers in the driver’s seat.

Cloudflare customers are protected against DDoS attacks; our systems have been automatically detecting and mitigating the attack. Our team continues to monitor the situation and will deploy countermeasures as needed.

As an additional step of precaution, customers in the Education, Travel, and Healthcare industries are advised to follow the below recommendations.

1. Ensure all other DDoS Managed Rules are set to default settings (High sensitivity level and mitigation actions).

2. Enterprise customers with Advanced DDoS should consider enabling Adaptive DDoS Protection.

3. Deploy firewall rules and rate-limiting rules to enforce a combined positive and negative security model. Reduce the traffic allowed to your website based on your known usage.

4. Turn on Bot Fight Mode or the equivalent level (SBFM, Enterprise Bot Management) available to you.

5. Ensure your origin is not exposed to the public Internet, i.e., only enable access to Cloudflare IP addresses.

6. Enable caching as much as possible to reduce the strain on your origin servers, and when using Workers, avoid overwhelming your origin server with more subrequests than necessary

7. Enable DDoS alerting.

As easy as it has become for the attackers to launch DDoS attacks, we want to make sure that it is even easier - and free - for defenders of organizations of all sizes to protect themselves against DDoS attacks of all types. We've been providing unmetered and unlimited DDoS protection for free to all of our customers since 2017. Cloudflare's mission is to help build a better Internet. A better Internet is one that is more secure, faster, and reliable for everyone - even in the face of DDoS attacks.

If you’d like to learn more about key DDoS trends, download the Cloudflare DDoS Threat Report for quarterly insights.

We have exciting news: Cloudflare closed out the decade by reaching our 200th city* across 90+ countries. Each new location increases the security, performance, and reliability of the 20-million-plus Internet properties on our network. Over the last quarter, we turned up seven data centers spanning from Chattogram, Bangladesh all the way to the Hawaiian Islands:

• Chattogram & Dhaka, Bangladesh. These data centers are our first in Bangladesh, ensuring that its 161 million residents will have a better experience on our network.

• Honolulu, Hawaii, USA. Honolulu is one of the most remote cities in the world; with our Honolulu data center up and running, Hawaiian visitors can be served 2,400 miles closer than ever before! Hawaii is a hub for many submarine cables in the Pacific, meaning that some Pacific Islands will also see significant improvements.

• Adelaide, Australia. Our 7th Australasian data center can be found “down under” in the capital of South Australia. Despite being Australia’s fifth-largest city, Adelaide is often overlooked for Australian interconnection. We, for one, are happy to establish a presence in it and its unique UTC+9:30 time zone!

• Thimphu, Bhutan. Bhutan is the seventh SAARC (South Asian Association for Regional Cooperation) country with a Cloudflare network presence. Thimphu is our first Bhutanese data center, continuing our mission of security and performance for all.

• St George’s, Grenada. Our Grenadian data center is joining the Grenada Internet Exchange (GREX), the first non-profit Internet Exchange (IX) in the English-speaking Caribbean.

We’ve come a long way since our launch in 2010, moving from colocating in key Internet hubs to fanning out across the globe and partnering with local ISPs. This has allowed us to offer security, performance, and reliability to Internet users in all corners of the world. In addition to the 35 cities we added in 2019, we expanded our existing data centers behind-the-scenes. We believe there are a lot of opportunities to harness in 2020 as we look to bring our network and its edge-computing power closer and closer to everyone on the Internet.

*Includes cities where we have data centers with active Internet ports and those where we are configuring our servers to handle traffic for more customers (at the time of publishing).

I’ve recently joined Cloudflare as Head of Australia and New Zealand (ANZ). This is an important time for the company as we continue to grow our presence locally to address the demand in ANZ, recruit local talent, and build on the successes we’ve had in our other offices around the globe. In this new role, I’m eager to grow our brand recognition in ANZ and optimise our reach to customers by building up my team and channel presence.

I’m a Melburnian born and bred (most livable city in the world!) with more than 20 years of experience in our market. From guiding strategy and architecture of the region’s largest resources company, BHP, to building and running teams and channels, and helping customers solve the technical challenges of their time, I have been in, or led, businesses in the ANZ Enterprise market, with a focus on network and security for the last six years.

I joined Cloudflare because I strongly believe in its mission to help build a better Internet, and believe this mission, paired with its massive global network, will enable the company to continue to deliver incredibly innovative solutions to customers of all segments.

Four years ago, I was lucky to build and lead the VMware Network & Security business, working with some of Cloudflare’s biggest ANZ customers. I was confronted with the full extent of the security challenges that ANZ businesses face. I recognized that there must be a better way to help customers secure their local and multi-cloud environments. That's how I found Cloudflare. With Cloudflare's Global Cloud Platform, businesses have an integrated solution that offers the best in security, performance and reliability.

Second, something that’s personally important for me as the son of Italian migrants, and now a dad of two gorgeous daughters, is that Cloudflare is serious about culture and diversity. When I was considering joining Cloudflare, I watched videos from the Internet Summit, an annual event that Cloudflare hosts in its San Francisco office. One thing that really stood out to me was that the speakers came from so many different backgrounds.

I’m extremely passionate about encouraging those from all walks of life to pursue opportunities in business and tech, so seeing the diversity of people giving insightful talks made me realise that this was a company I wanted to work for, and hopefully perhaps my girls as well (no pressure).

I strongly believe that Cloudflare’s mission, paired with its massive global network, will enable customers of all sizes in segments in Australia and New Zealand to leverage Cloudflare’s security, performance and reliability solutions.

For example, VicRoads is 85 percent faster now that they are using Argo Smart Routing, Ansarada uses Cloudflare’s WAF to protect against malicious activity, and MyAffiliates harnesses Cloudflare’s global network, which spans more than 180 cities in 80 countries, to ensure an interruption-free service for its customers.

Making security and speed, which are necessary for any strong business, available to anyone with an Internet property is truly a noble goal. That’s another one of the reasons I’m most excited to work at Cloudflare.

Australians and Kiwis alike have always been great innovators and users of technology. However, being so physically isolated (Perth is the most isolated city in the world and ANZ are far from pretty much everywhere else in the world) has limited our ability to have the diversity of choice and competition. Our isolation from said choice and competition fueled innovation, but at the price of complexity, cost, and ease. This makes having local servers absolutely vital for good performance. With Cloudflare’s expansive network, 98 percent of the Internet-connected developed world is located within 100 milliseconds of our network. In fact, Cloudflare already has data centers in Auckland, Brisbane, Melbourne, Perth, and Sydney, ensuring that customers in ANZ have access to a secure, fast, and reliable Internet.

I’m truly looking forward to helping Cloudflare grow its reach over the next five years. If you are a business in Australia and New Zealand and have a cyber-security, performance or reliability need, get in touch with us (1300 748 959). We’d love to explore how we can help.

If you’re interested in exploring careers at Cloudflare, we are hiring globally. Our team in Australia is small today, about a dozen, and we are growing quickly. We have open roles in Solutions Engineering and Business Development Representatives. Check out our careers page to learn more, or send me a note.

When I started, I spoke about growing our brand recognition in Asia and optimizing our reach to clients by building up teams and channel partners. I also mentioned a key reason behind my joining was Cloudflare’s mission to help build a better Internet and focus on democratizing Internet tools that were once only available to large companies. I’m delighted to share that we’ve made great progress and are in a strong position to continue our rapid growth. It’s been a wonderful year, and I’m thrilled that I joined the company.

There has been a lot going on in our business, as well as in the region. Let’s start with Cloudflare Asia.

Our Singapore team has swelled from 40 people from 11 countries to almost 100 people from 19 nations. Our team is as diverse as our client base and keeps the office lively and innovative.

The Cloudflare Singapore Team

The number of Asian businesses choosing to work with us has more than doubled. You can check out what we’ve been doing with companies like Carousell, Vicroads, and 9GAG. Our relationships span all across the region, from India to Japan, from small business to large organizations, from startups to governments, and a wide variety of verticals from e-commerce to financial services.

To further expand our reach, we signed eight new partners representing seven markets and are in discussion with select others. We even held our first partner enablement bootcamp recently which was a big success.

Our First Partner Bootcamp in Asia

We moved into a larger and wonderful office in Singapore. Customers can come to Frasers Tower to see our Network Operations Center and stunning view of the city. We celebrated this new office and Asian Headquarters opening with two events where our co-founder and COO, Michelle Zatlyn presided. Dignitaries from the Singapore Economic Development Board, Singapore Cyber Security Association and the American Embassy cut the ribbon, and hundreds of customers, partners and friends joined us to kick off the Lunar New Year.

Celebrating our new office opening in Feb 2019

We have a wonderful community space that we are sharing for meet-ups. Developers, interest groups, and others from the community are welcome to use it. The first group to take advantage of this was IndoTech, a community of Indonesian professionals living in Singapore, who work in tech.

IndoTech meetup at the Cloudflare events space 

Asia is a large region and we are thrilled to expand to Australia. We have many local customers like AfterpayTouch, Fitness and Lifestyle Group, and the NIB group. We have run Worker focused meetups in Sydney and Melbourne as part of our Real World Serverless roadshow and shared what we learned about Noise on the Internet with 1.1.1.1 at AusNOG and NZNog. Today, we are announcing our expanded Australia presence. Incorporating into a new country is a big step and we’ve taken it. This is a good time to mention that we are hiring. If you want to join Cloudflare in Sydney, please get in touch.

Cloudflare has 165 data centers around the world. Since I’ve joined a year ago, we’ve added 46 cities globally, including 15 in APAC. We now have data centers in Pakistan and Vietnam. Around 20% of Cloudflare’s globally distributed network is in Asia.

We’ve added a number of great products, which can be found on our blog. Some additions that are especially pertinent to the region include adding UDP capability to Spectrum. Gaming clients typically use custom protocols based on UDP, which legacy systems don’t effectively protect. So our expansion of Spectrum has been eagerly received by the many mobile game developers across the region. Indeed, gamers have been using Spectrum even prior to this launch. One example is a mobile game producer where we protect their login/authentication servers that are TCP-based to mitigate DDoS attacks for the purpose of keeping their servers online for players to be able to log in and play.

The world is moving to serverless computing and Cloudflare is leading the way. Many of the companies in APAC are on the forefront of this trend and are leveraging Cloudflare to improve their infrastructure. One client is using Cloudflare Workers to speed up and improve capture rates of their analytics engine.

From a regional perspective, many countries in Asia are encouraging businesses to be digital-ready.  Governments around the region are spearheading programs to help SMEs (small and medium-sized enterprises), corporations and government departments take advantage of technology and innovation to capture economic gains. For example, Singapore announced SMEsGoDigital as part of the 2017 budget and Thailand recently launched the Thailand 4.0 initiative.

In addition, one interesting aspect of the Asian market is that a higher percentage of companies are using multi-cloud architecture. Whether it’s because these  companies need to cover different countries where one of the large cloud providers (eg AWS, Google Cloud, Microsoft Azure, Alicloud or IBM) is stronger than others, or because companies want to avoid “vendor lock-in”, many companies end up using several cloud compute partners.

Needless to say, it has been an exciting year. I am proud of what we have accomplished and looking forward to what we have left to do.

Given all this opportunity for growth, our team in Singapore is hiring! We have roles in Systems Reliability Engineering, Network Engineering, Technical Support Engineering, Solutions Engineering, Customer Success Engineering, Recruiting, Account Executives, Business Development Representatives, Sales Operations, Business Operations, and beyond. Check out our careers page.

CC BY-SA 2.0 image by Quinn Dombrowski

Two years ago, we previewed the relative cost of bandwidth that we see in different parts of the world. Bandwidth is the largest recurring cost of providing our service. Compared with Europe and North America, there were considerably higher Internet costs in Australia, Asia and Latin America. Even while bandwidth costs tend to trend down over time, driven by competition and decreases in the costs of underlying hardware, we thought it might be interesting to provide an update.

Since August 2014, we have tripled the number of our data centers from 28 to 86, with more to come. CloudFlare hardware is also deployed in new regions such as the Middle East and Africa. Our network spans multiple countries in each continent, and, sometimes, multiple cities in each country.

Traffic across 86 data centers in the CloudFlare network

There are approximately thirteen networks called “Tier 1 networks” (e.g., Telia, GTT, Tata, Cogent) who sell “transit” to access any of thousands of other networks on the Internet using their global backbones, including networks who are not their customers. We connect to networks by either purchasing transit from a global "Tier 1 network" (or major regional network), or by exchanging traffic directly with a carrier or ISP using “peering”. Typically, peered traffic is exchanged without settlement between the peered parties.

We try to make it as easy as possible for networks to interconnect with us. CloudFlare has an “open peering” policy, and participates at nearly 150 internet exchanges, more than any other company.

As a benchmark, let's assume the cost of transit in Europe and North America is 10 units (per Mbps). With that benchmark in place, without disclosing exact pricing, we can compare regions by transit cost, percentage of peering, and their effective blended cost (transit + peering).

Europe Transit vs Peering (Last 30 Days)

Based on our benchmark, the transit cost is 10 units. The region has a large number of Internet exchanges, typically non-profit, where we peer around 60% of our traffic. This makes for an effective regional cost of 4 units.

With perhaps the notable exception of the incumbent in Germany, many networks are supportive of open interconnection. CloudFlare already participates at 40 European internet exchanges, and is in the process of joining at least five more.

North America Transit vs Peering (Last 30 Days)

The cost of transit in North America is equal to the cost in Europe, or 10 units. We peer around 40% of our traffic, resulting in an effective regional cost of 6 units.

The level of peering in North America is less than in Europe, but a significant improvement over two years ago. The share of peered traffic is expected to grow. Some material changes have occurred and are occurring in the North American market, such as Frontier acquiring Verizon FiOS customers in three U.S. States and Charter preparing to merge with Time Warner Cable. We can see these changes making an impact to the regional interconnection landscape.

Notably, our peering has particularly grown in smaller regional locations, closer to the end visitor, leading to an improvement in performance. This could be through private peering, or via an interconnection point such as the Midwest Internet Cooperative Exchange (MICE) in Minneapolis.

Africa Transit vs Peering (Last 30 Days)

Transit prices in Africa are amongst the highest in the world at 14 times the benchmark or 140 units, with notable variance across the continent, from Cairo to Mombasa to Johannesburg. Fortunately, of the traffic that we are currently able to serve locally in Africa, we manage to peer about 90% (with a mix of carriers and ISPs), making for an effective cost of 14 units.

Our African deployments help us avoid the significant latency of serving websites from London, Paris or Marseille. A particularly promising but challenging region where we hope to deploy a CloudFlare data center is West Africa - specifically Nigeria, which is already at just under 100 million Internet users.

Middle East Transit vs Peering (Last 30 Days)

CloudFlare currently has four data centers in the Middle East, each of which are cache deployments with strategic ISP partners to serve their respective customers. We are able to peer all the traffic currently served from these data centers. While these collectively provide significant coverage, there is additional traffic (reaching Europe) that we would like to localize in the region. We hope that the remaining ISPs, such as Saudi Telecom Company, deploy similar caches, and enhance the performance of their customers.

Because we can peer 100% of our traffic in the Middle East, our effective pricing for bandwidth in the region is 0 units. There are, of course, other costs to delivering our service beyond bandwidth. However, by driving up peering rates in the Middle East we’ve been able to make our service in the Middle East extremely cost competitive.

Asia Transit vs Peering (Last 30 Days)

In Asia (excluding the Middle East), transit costs 7 times times the benchmark, or 70 units. However, we peer about 60% of our traffic, resulting in an effective cost of 28 units.

Beyond the major meeting points in Hong Kong, Singapore and Tokyo, a significant portion of our interconnection is localized to take place closer to visitors in cities such as Bangkok, Chennai, Kuala Lumpur, Mumbai, Osaka, New Delhi, Seoul, and Taipei. These statistics do not include our network of strategically located data centers inside of mainland China, where the dynamics of interconnection are entirely unique.

Two Asian locations stand out as being especially expensive: Seoul and Taipei. In these markets, with powerful incumbents (Korea Telecom and HiNet), transit costs 15x as much as in Europe or North America, or 150 units.

South Korea is perhaps the only country in the world where bandwidth costs are going up. This may be driven by new regulations from the Ministry of Science, ICT and Future Planning, which mandate the commercial terms of domestic interconnection, based on predetermined “Tiers” of participating networks. This is contrary to the model in most parts of the world, where networks self-regulate, and often peer without settlement. The government even prescribes the rate at which prices should decrease per year (-7.5%), which is significantly slower than the annual drop in unit bandwidth costs elsewhere in the world. We are only able to peer 2% of our traffic in South Korea.

If you include HiNet and Korea Telecom in our blended bandwidth pricing, and take into account peering, our effective price is 28 units. If you exclude HiNet and Korea Telecom, our effective price is 14 units.

South America Transit vs Peering (Last 30 Days)

Transit prices in South America are very high, costing 17 times the benchmark, or 170 units. We peer about 60% of traffic in South America, making for an effective cost of 68 units.

One of the reasons that transit prices are high is that the Tier 1 networks which are newer entrants to this region have yet to pick up significant market share. While markets such as Brazil are less expensive and have greater peering, costs are highest in countries such as Peru and Argentina where, in each, a single incumbent provider, respectively Telefonica and Telecom Argentina, controls access for the last mile delivery of content to the majority of Internet users.

As we try to increase our share of peered traffic, one of the challenges we face is that many Internet exchanges (e.g., NAP Colombia) only permit domestically incorporated and licensed networks to publicly peer, or in another case, require a unanimous vote of all members on an IX to permit a new participant, effectively creating a separation between “international content” and “domestic content”.

If you include Telecom Argentina and Telefonica, our blended cost of bandwidth in South America is 68 units. If you exclude these two providers then our blended cost is 17 units.

Oceania Transit vs Peering (Last 30 Days)

Transit prices in Oceania (Australia and New Zealand) are lower than they used to be, but continue to be extremely high in relative terms, costing 17 times the benchmark from Europe, or 170 units. We peer 50% of our traffic, resulting in an effective cost of 85 units.

If you exclude Optus and Telstra, then the price falls to 17 units — because we peer with nearly everyone else.

Relative Cost of Bandwidth

CloudFlare has always optimized where we serve customers to take into account our effective costs. If you are a free customer using an excessive amount of expensive transit, we would serve you from fewer regions. The good news is that, over the last five years, we’ve been able to negotiate reasonable transit pricing or settlement-free peering with the vast majority of the world’s networks. That allows us to continue to provide the free version of our service as well as to keep prices low for all our paid services.

Today, however, there are six expensive networks (HiNet, Korea Telecom, Optus, Telecom Argentina, Telefonica, Telstra) that are more than an order of magnitude more expensive than other bandwidth providers around the globe and refuse to discuss local peering relationships. To give you a sense, these six networks represent less than 6% of the traffic but nearly 50% of our bandwidth costs.

While we’ve tried to engage all these providers to reduce their extremely high costs and ensure that even our Free customers can be served across their networks, we’ve hit an impasse. To that end, unfortunately, we’ve made the decision that the only thing that will change these providers’ pricing is to make it clear how out of step they are with the rest of the world. To demonstrate this, we’ve moved our Free customers off these six transit providers. Free customers will still be accessible across our network and served from another regional cache with more reasonable bandwidth pricing.

Ironically, this actually increases the cost to several of these providers because they now need to backhaul traffic to another CloudFlare data center and pay more in the process. For instance, if Telstra were to peer with CloudFlare then they would only have to move traffic over about 30 meters of fiber optic cable between our adjoining cages in the same data center. Now Telstra will need to backhaul traffic to Free customers to Los Angeles or Singapore over expensive undersea cables. Their behavior is irrational in any competitive market and so it is not a surprise that each of these providers is a relative monopolist in their home market.

If you’re a Free CloudFlare customer who cares about optimizing the best possible performance from one of these six providers then we encourage you to reach out to them and encourage them to follow a core principle of a free and open Internet and not abuse their monopoly position. We are committed to serving all our customers across every network that peers with us. To that end, help us convince these six networks to be on the right side of a free and open Internet by reaching out to your ISP.

• Ask HiNet to peer with CloudFlare in Taipei

• Ask Korea Telecom to peer with CloudFlare in Seoul

• Ask Optus to peer with CloudFlare across Australia

• Ask Telecom Argentina to peer with CloudFlare in Buenos Aires

• Ask Telefonica to peer with CloudFlare across South America

• Ask Telstra to peer with CloudFlare across Australia

We’ll post updates as we negotiate with these six networks and are hopeful that we’ll soon be able to serve all our customers across all the networks we interconnect with.

CloudFlare is excited to announce the launch of our newest data center in Perth, Australia. This expands the breadth of our global network to span 80 unique cities across 41 countries, and is our fourth data center in the Oceania region, joining existing data centers in Sydney, Melbourne and Auckland.

Perth is in a fascinating location. Home to sunny beaches and the highest number of self-made millionaires in the world, it is actually geographically closer to Singapore than to Sydney (though closer to Sydney in a “networking” sense, as determined by BGP routing).

Visitors to millions of websites across Western Australia served locally can now experience a faster and safer Internet - and ISPs can reach us at the Western Australia Internet Exchange (WA-IX), one of 119 internet exchanges that we openly peer at.

Latency in milliseconds from end user (Perth) to CloudFlare. Source: Cedexis

Helping build CloudFlare’s network provides our team members with the opportunity to not just speed up the Internet, but also improve our sense of geography. Visitors to our offices in San Francisco, London and Singapore can get a sneak peek at our fast-changing map (with live and upcoming dots). Perth is now “green” (live).

Network Map at CloudFlare office in San Francisco

CloudFlare now has data centers in cities beginning with most letters:A: Amsterdam, Ashburn, Atlanta, AucklandB: Bangkok, Berlin, Bucharest, Buenos AiresC: Cairo, Chengdu, Chennai, Chicago, CopenhagenD: Dallas, Doha, Dongguan, Dubai, Dublin, DusseldorfF: Frankfurt, Foshan, FuzhouG: GuangzhouH: Hamburg, Hangzhou, Hengyang, Hong KongJ: Jiaxing, JohannesburgK: Kiev, Kuala Lumpur, Kuwait CityL: Langfang, Lima, London, Luoyang, Los AngelesM: Madrid, Manchester, Marseille, Medellin, Melbourne, Miami, Milan, Minneapolis, Mombasa, Montreal, Mumbai, MuscatN: Nanning, New Delhi, NewarkO: Osaka, OsloP: Paris, Perth, Phoenix, PragueQ: QingdaoS: San Jose, Sao Paulo, Seattle, Seoul, Shenyang, Shijiazhuang, Singapore, Sofia, Stockholm, SydneyT: Taipei, Tianjin, Tokyo, TorontoV: Valparaiso, Vancouver, ViennaW: WarsawX: Xi’anZ: Zhengzhou, ZurichIf you know of a city beginning with any of the missing letters that could benefit from a faster Internet, please let our team know!

Photo sources: Daniel Lee (Flickr) and Cedexis

The genesis of our 33rd and 34th data centers in Auckland and Melbourne started a short hop away in nearby Sydney. Prior to these deployments traffic from all of New Zealand and Australia's collective 23 million Internet users was routed through CloudFlare's Sydney data center. Even for those in faraway Perth, the time necessary to reach our Sydney PoP was a mere 55ms of round trip time (RTT). By comparison, the blink of an eye takes 300-400ms. In other words, latency wasn't exactly the pressing concern. The real concern was a failure scenario in our Sydney data center.

Fortunately, our entire architecture starts with an assumption: failure is going to happen. As a result, we plan for failure at every level and have designed a system to gracefully handle it when it occurs. Even though we now maintain multiple layers of redundancy—from power supplies and power circuits to line cards, routing engines and network providers—our ultimate level of redundancy is in the ability to fail out an entire data center in favor of another. In the past we've even written about how this might even play out in the case of a global thermonuclear war. In this instance, the challenge we set out to solve was not how to fail gracefully, but how to fail gracefully without materially increasing latency for the millions of applications that depend on our network in the Oceania region.

Prior to our Auckland and Melbourne data centers, a failure in Sydney meant a shift in traffic to the West Coast of the US or Southeast Asia adding significant, and noticeable, latency to our users' applications (spoiler: it now fails over to Auckland and Melbourne with minimal latency!). But before we get to how the Kiwi's and Australia's "second city" saved the day, it is important to understand how the Internet "works" in Oceania. As we set out to create resiliency in-region, we considered several options:

At first blush a second facility in Sydney would seem to solve most imaginable failure scenarios (perhaps save a nuclear one). However, when it comes to the Internet, things are rarely intuitive. Australia, at least in the context of the Internet, is very Sydney-centric. The vast majority of traffic from Australia to the rest of the Internet passes through a single data center (which just so happens to be the same exact facility in which we are currently located). Even if we were to make a redundant deployment in a completely separate facility, traffic to that facility would still have to pass through the same potential point of failure: our current facility. Not to mention, a second facility in Sydney would neither reduce latency and improve performance for a larger subset of Internet users in the region nor localize our traffic any further than it already was. It also wouldn't have opened up any new peering opportunities which, as we've explained in a prior blog post, is of immense importance to the performance and overall health of our network.

Not enough redundancy. No performance gain from status quo.

Out of left pitch came Auckland. Although not an obvious choice, Auckland is rather uniquely situated to provide redundancy in-region as a result of how many operators have constructed their networks: by building or buying a 3 drop ring between New Zealand-Australia, Australia-USA, and USA-New Zealand.

Because traffic is only heavily utilized in one direction, towards New Zealand, this leaves a lot of free capacity between New Zealand-Australia (i.e. from New Zealand). After working with various providers, we've structured a solution that allows us to reduce latency and further localize traffic for Internet users in New Zealand while also allowing for full redundancy between both Auckland, Sydney and the rest of Oceania. Not to mention, CloudFlare is now a member of New Zealand's largest peering exchange, APE-IX.

Redundancy and performance gains versus the status quo.

But why stop there?

Despite achieving the desired level of redundancy and performance gains in New Zealand through our own version of the Trans-Tasman arrangement, we figured that both Kiwi’s and Aussies would prefer not to have the others' redundancy deposited at their doorstep. So, along came Melbourne as a complement to Auckland. Our Melbourne data center offers the same benefits of content localization and performance improvement for Internet users south of the border, as well as domestic redundancy in the case of a data center failure.

Latency improvement and additional redundancy.

Problem solved, right? Almost...

The Auckland fiber situation is an interesting one. Auckland is situated around a harbour. Over this harbour is a bridge which most of the fiber in the city runs across, with a small amount running via a much longer path around the harbour (think 30km longer fiber runs). Purchasing fiber between the areas of the city separated by the harbour costs more than a Kim Dotcom political party (i.e. a lot of money).

The bulk of the country's Internet providers (particularly the smaller ones) exist only south of the harbour bridge. The cable landing stations and many of the data centers, on the other hand, only exist north of the harbour bridge. If you are as performance obsessed as we are, you want to be south of the bridge so that you can peer with all networks in as inexpensive, resilient and easy manner as possible. But for us, the vetting process didn't stop there. The specific site we selected is the core node for most major New Zealand transit providers, allows us to interconnect with nearly every provider from within the same facility, and hosts a core node of the local peering exchange.

Now that our Auckland DC is live, some users in New Zealand may notice that their ISPs continue to route to CloudFlare in Sydney. That makes no sense you say!? We agree! Despite our best efforts, it takes two to tango. Should this be the case with your ISP, let them know...hopefully that will spark a conversation.

In the coming weeks, connectivity to CloudFlare in Australia is going to a new level. As part of CloudFlare’s ongoing upgrades program, we established connections to three new Internet exchanges: the Megaport Internet exchanges in Sydney, Brisbane, and Melbourne. These connections doubled the number of Australian Internet exchanges we reach and marked the first exchanges outside of Sydney that Cloudflare participates in.

When two ISPs peer, they agree to exchange traffic directly between each other rather than sending it a third party. By doing this, both partners avoid congested paths between transit providers, and they avoid paying to ship traffic—it's win-win!

What peering exchanges mean for CloudFlare is that we can significantly increase our service performance to users on ISPs that peer with us. Take Australia for example, for users who are currently on ISPs peering at Megaport, instead of CloudFlare sending traffic to the transit providers of those ISPs, we can now route the traffic directly to them. The result is lower latency, and traffic taking paths that are often less congested.

Low latency is crucial for internet speed due to the nature of TCP, the fundamental protocol on which the internet is built. TCP operates in such a way that any packet loss from a congested transit link will significantly slow a connection, and, conversely, connections with reduced latency will hugely amplify performance for end users. Therefore, by moving traffic to less congested, more direct "pipes" on the internet, CloudFlare is creating a faster web.

CloudFlare understands the importance of peering, and our team has put considerable time and effort into finding peering partners as our network expands. We peer as much as possible, both by participating at internet exchanges, and by establishing direct interconnects with ISPs.

As I write, we’re in the process of deploying equipment to many new data centers around the globe, and extending our network to reach more peering exchanges. In addition to the twenty-eight plus internet exchanges where CloudFlare already peers, we will soon be participating at: Terremark São Paulo, PTT-SP (São Paulo Brazil), EspanIX, FranceIX, MIX, NetNod, JPNAP, and, of course, Megaport. We’re also constantly commissioning new private interconnects with a range of eyeball networks.

CloudFlare is building a better web, and part of that project includes reducing the distance packets travel between you and your ISP. As the months go by, our network is expanding around the globe, and more of our traffic is sent through peering partners. The result? Faster and more reliable content delivery to our users.

CloudFlare's commitment to finding the most direct path over the internet to deliver your traffic, and, as the reach of our network expands, you can expect that our service will only get better.

CloudFlare maintains an open peering policy. Our peering details can be found here. Please contact us if you are an ISP on any of the IXs we participate in and would like to peer.

Over the next few weeks, CloudFlare will be significantly expanding our global network. In total, we'll be adding 9 new data centers and doubling the size of our existing facility in London. When we're done we'll have 23 global data centers and nearly 70% more network capacity. I'm excited to announce the first of these 9 new facilities just came online: Sydney, Australia.

We choose the locations of our data centers in large part based on where we can most improve network performance. Australia has been one of the problematic regions for network providers. In CloudFlare's case, traffic from Australia has been served from our Singapore or Los Angeles facilities. In either case, ping times were over 160 milliseconds. With our new Sydney facility, ping times from Australia and New Zealand are now averaging under 40 milliseconds.

The challenge of opening a facility in Australia has been the cost. Bandwidth is in the region is notoriously expensive. We talked with bandwidth providers for almost a year without much luck. Finally, Tom, a CloudFlare network engineer who happens to be Australian, suggested we watch the movie The Castle. After that, whenever we'd get a call from a bandwidth provider in the region, Tom would ask them, "How much?" He'd relay the price to me and I'd simply say, "Tell 'em they're dreamin'."

Anyway, the rest played out pretty much just like in The Castle. We eventually wore down the big, bad bandwidth providers. And, without having to kick anyone out of their home, we now have found one of our own down under.

The new routes are propagating now and all Australia and New Zealand traffic should be hitting Sydney within the next 24 hours. If you're in the region and the Internet starts feeling faster, now you'll know why. Stay tuned here for updates as we turn on the rest of the 9 new data centers over the next few weeks.