CINXE.COM
Jesse Kipp
<!doctype html> <html lang="en-us" dir="ltr"> <head> <base href="https://blog.cloudflare.com/author/jesse/"> <script async src="https://ot.www.cloudflare.com/public/vendor/onetrust/scripttemplates/otSDKStub.js" data-document-language="true" type="text/javascript" data-domain-script="b1e05d49-f072-4bae-9116-bdb78af15448"></script> <meta name="HandheldFriendly" content="True"> <meta name="viewport" content="width=device-width,minimum-scale=1,initial-scale=1"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="baidu-site-verification" content="KeThzeyMOr"> <meta name="baidu-site-verification" content="code-NIlrS7gNhx"> <meta charset="UTF-8"> <meta name="description" content="Get the latest news on how products at Cloudflare are built, technologies used, and join the teams helping to build a better Internet."> <title>Jesse Kipp</title> <meta name="title" content="Jesse Kipp"> <meta name="msvalidate.01" content="CF295E1604697F9CAD18B5A232E871F6"> <meta class="swiftype" name="language" data-type="string" content="en"> <script src="/static/z/i.js" type="text/javascript" referrerpolicy="origin"></script> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link rel="apple-touch-icon" sizes="180x180" href="/images/favicon-32x32.png"> <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32.png"> <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-32x32.png"> <link rel="mask-icon" href="/images/favicon-32x32.png" color="#f78100"> <link rel="stylesheet" href="/themes/ashes.min.css"> <link rel="sitemap" href="/sitemap.xml"> <meta name="msapplication-TileColor" content="#da532c"> <meta name="theme-color" content="#ffffff"> <link rel="canonical" href="https://blog.cloudflare.com/author/jesse/"> <link rel="alternate" type="application/rss+xml" title="Cloudflare Jesse RSS Feed" href="/author/jesse/rss"> <link rel="alternate" hreflang="en-us" href="https://blog.cloudflare.com/author/jesse/"> <link rel="alternate" hreflang="de-de" href="https://blog.cloudflare.com/de-de/author/jesse/"> <link rel="alternate" hreflang="es-es" href="https://blog.cloudflare.com/es-es/author/jesse/"> <link rel="alternate" hreflang="fr-fr" href="https://blog.cloudflare.com/fr-fr/author/jesse/"> <link rel="alternate" hreflang="it-it" href="https://blog.cloudflare.com/it-it/author/jesse/"> <link rel="alternate" hreflang="ja-jp" href="https://blog.cloudflare.com/ja-jp/author/jesse/"> <link rel="alternate" hreflang="ko-kr" href="https://blog.cloudflare.com/ko-kr/author/jesse/"> <link rel="alternate" hreflang="zh-tw" href="https://blog.cloudflare.com/zh-tw/author/jesse/"> <link rel="alternate" hreflang="zh-cn" href="https://blog.cloudflare.com/zh-cn/author/jesse/"> <link rel="alternate" hreflang="ru-ru" href="https://blog.cloudflare.com/ru-ru/author/jesse/"> <link rel="alternate" hreflang="pl-pl" href="https://blog.cloudflare.com/pl-pl/author/jesse/"> <link rel="alternate" hreflang="nl-nl" href="https://blog.cloudflare.com/nl-nl/author/jesse/"><!-- General Meta Tags --> <meta property="article:publisher" content="https://www.facebook.com/cloudflare"><!-- Facebook Meta Tags --> <meta property="og:site_name" content="The Cloudflare Blog"> <meta property="og:type" content="profile"> <meta property="og:title" content="Jesse Kipp - The Cloudflare Blog"> <meta property="og:description" content="Get the latest news on how products at Cloudflare are built, technologies used, and join the teams helping to build a better Internet."> <meta property="og:url" content="https://blog.cloudflare.com/author/jesse/"> <meta property="og:image:width" content="1200"> <meta property="og:image:height" content="628"><!-- Twitter/X Meta Tags --> <meta name="twitter:title" content="Jesse Kipp - The Cloudflare Blog"> <meta name="twitter:description" content="Get the latest news on how products at Cloudflare are built, technologies used, and join the teams helping to build a better Internet."> <meta name="twitter:url" content="https://blog.cloudflare.com/author/jesse/"> <meta name="twitter:card" content="summary_large_image"> <meta name="twitter:site" content="@cloudflare"> <meta property="og:image"> <meta name="twitter:image"> <link rel="stylesheet" href="/_astro/index.Bpd2cWaZ.css"> <style>astro-island,astro-slot,astro-static-slot{display:contents}</style> <script>(()=>{var e=async t=>{await(await t())()};(self.Astro||(self.Astro={})).only=e;window.dispatchEvent(new Event("astro:only"));})();;(()=>{var A=Object.defineProperty;var g=(i,o,a)=>o in i?A(i,o,{enumerable:!0,configurable:!0,writable:!0,value:a}):i[o]=a;var d=(i,o,a)=>g(i,typeof o!="symbol"?o+"":o,a);{let i={0:t=>m(t),1:t=>a(t),2:t=>new RegExp(t),3:t=>new Date(t),4:t=>new Map(a(t)),5:t=>new Set(a(t)),6:t=>BigInt(t),7:t=>new URL(t),8:t=>new Uint8Array(t),9:t=>new Uint16Array(t),10:t=>new Uint32Array(t),11:t=>1/0*t},o=t=>{let[l,e]=t;return l in i?i[l](e):void 0},a=t=>t.map(o),m=t=>typeof t!="object"||t===null?t:Object.fromEntries(Object.entries(t).map(([l,e])=>[l,o(e)]));class y extends HTMLElement{constructor(){super(...arguments);d(this,"Component");d(this,"hydrator");d(this,"hydrate",async()=>{var b;if(!this.hydrator||!this.isConnected)return;let e=(b=this.parentElement)==null?void 0:b.closest("astro-island[ssr]");if(e){e.addEventListener("astro:hydrate",this.hydrate,{once:!0});return}let c=this.querySelectorAll("astro-slot"),n={},h=this.querySelectorAll("template[data-astro-template]");for(let r of h){let s=r.closest(this.tagName);s!=null&&s.isSameNode(this)&&(n[r.getAttribute("data-astro-template")||"default"]=r.innerHTML,r.remove())}for(let r of c){let s=r.closest(this.tagName);s!=null&&s.isSameNode(this)&&(n[r.getAttribute("name")||"default"]=r.innerHTML)}let p;try{p=this.hasAttribute("props")?m(JSON.parse(this.getAttribute("props"))):{}}catch(r){let s=this.getAttribute("component-url")||"<unknown>",v=this.getAttribute("component-export");throw v&&(s+=` (export ${v})`),console.error(`[hydrate] Error parsing props for component ${s}`,this.getAttribute("props"),r),r}let u;await this.hydrator(this)(this.Component,p,n,{client:this.getAttribute("client")}),this.removeAttribute("ssr"),this.dispatchEvent(new CustomEvent("astro:hydrate"))});d(this,"unmount",()=>{this.isConnected||this.dispatchEvent(new CustomEvent("astro:unmount"))})}disconnectedCallback(){document.removeEventListener("astro:after-swap",this.unmount),document.addEventListener("astro:after-swap",this.unmount,{once:!0})}connectedCallback(){if(!this.hasAttribute("await-children")||document.readyState==="interactive"||document.readyState==="complete")this.childrenConnectedCallback();else{let e=()=>{document.removeEventListener("DOMContentLoaded",e),c.disconnect(),this.childrenConnectedCallback()},c=new MutationObserver(()=>{var n;((n=this.lastChild)==null?void 0:n.nodeType)===Node.COMMENT_NODE&&this.lastChild.nodeValue==="astro:end"&&(this.lastChild.remove(),e())});c.observe(this,{childList:!0}),document.addEventListener("DOMContentLoaded",e)}}async childrenConnectedCallback(){let e=this.getAttribute("before-hydration-url");e&&await import(e),this.start()}async start(){let e=JSON.parse(this.getAttribute("opts")),c=this.getAttribute("client");if(Astro[c]===void 0){window.addEventListener(`astro:${c}`,()=>this.start(),{once:!0});return}try{await Astro[c](async()=>{let n=this.getAttribute("renderer-url"),[h,{default:p}]=await Promise.all([import(this.getAttribute("component-url")),n?import(n):()=>()=>{}]),u=this.getAttribute("component-export")||"default";if(!u.includes("."))this.Component=h[u];else{this.Component=h;for(let f of u.split("."))this.Component=this.Component[f]}return this.hydrator=p,this.hydrate},e,this)}catch(n){console.error(`[astro-island] Error hydrating ${this.getAttribute("component-url")}`,n)}}attributeChangedCallback(){this.hydrate()}}d(y,"observedAttributes",["props"]),customElements.get("astro-island")||customElements.define("astro-island",y)}})();</script> <meta http-equiv="X-Translated-By" content="Google"> <meta http-equiv="X-Translated-To" content="de"> <script type="text/javascript" src="https://www.gstatic.com/_/translate_http/_/js/k=translate_http.tr.en_GB.tKc6KWkFf-8.O/am=gAE/d=1/rs=AN8SPfrf36LIV3DkhtRBGWFnLWWzaykPyw/m=corsproxy" data-sourceurl="https://blog.cloudflare.com/author/jesse/"></script> <link href="https://fonts.googleapis.com/css2?family=Material+Symbols+Outlined:opsz,wght,FILL,GRAD@20..48,100..700,0..1,-50..200" rel="stylesheet"> <script type="text/javascript" src="https://www.gstatic.com/_/translate_http/_/js/k=translate_http.tr.en_GB.tKc6KWkFf-8.O/am=gAE/d=1/exm=corsproxy/ed=1/rs=AN8SPfrf36LIV3DkhtRBGWFnLWWzaykPyw/m=phishing_protection" data-phishing-protection-enabled="false" data-forms-warning-enabled="true" data-source-url="https://blog.cloudflare.com/author/jesse/"></script> <meta name="robots" content="none"> </head> <body> <script type="text/javascript" src="https://www.gstatic.com/_/translate_http/_/js/k=translate_http.tr.en_GB.tKc6KWkFf-8.O/am=gAE/d=1/exm=corsproxy,phishing_protection/ed=1/rs=AN8SPfrf36LIV3DkhtRBGWFnLWWzaykPyw/m=navigationui" data-environment="prod" data-proxy-url="https://blog-cloudflare-com.translate.goog" data-proxy-full-url="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" data-source-url="https://blog.cloudflare.com/author/jesse/" data-source-language="pl" data-target-language="de" data-display-language="en-GB" data-detected-source-language="" data-is-source-untranslated="false" data-source-untranslated-url="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://blog.cloudflare.com/author/jesse/&anno=2" data-client="tr"></script><astro-island uid="1sRxfo" component-url="/_astro/GoogleAnalytics.DSjxwi8U.js" component-export="GoogleAnalytics" renderer-url="/_astro/client.DLO1yDVm.js" props="{"title":[0,"Jesse Kipp"],"canonical":[0,"https://blog.cloudflare.com/author/jesse"],"info":[0],"tagInfo":[0],"authorInfo":[0,{"id":[0,"1kSY9ZybpCHhOmgNWJooMo"],"slug":[0,"jesse"],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg"],"url":[0,"https://blog.cloudflare.com/jesse"],"name":[0,"Jesse Kipp"],"bio":[0,null],"website":[0,null],"location":[0,null],"facebook":[0,null],"twitter":[0,null]}],"translatedPosts":[1,[]]}" ssr client="only" opts="{"name":"GoogleAnalytics","value":"react"}"></astro-island> <script>(()=>{var l=(n,t)=>{let i=async()=>{await(await n())()},e=typeof t.value=="object"?t.value:void 0,s={timeout:e==null?void 0:e.timeout};"requestIdleCallback"in window?window.requestIdleCallback(i,s):setTimeout(i,s.timeout||200)};(self.Astro||(self.Astro={})).idle=l;window.dispatchEvent(new Event("astro:idle"));})();</script><astro-island uid="3aJmb" prefix="r14" component-url="/_astro/Navigation.CSu6dGvY.js" component-export="Navigation" renderer-url="/_astro/client.DLO1yDVm.js" props="{"title":[0,"The Cloudflare Blog"],"logo":[0,"//images.ctfassets.net/zkvhlag99gkb/69RwBidpiEHCDZ9rFVVk7T/092507edbed698420b89658e5a6d5105/CF_logo_stacked_blktype.png"],"pagesStore":[0,{"page":[0,"Author"],"slug":[0,"jesse"],"translationsAvailable":[1,[[0,"de-de"],[0,"es-es"],[0,"fr-fr"],[0,"it-it"],[0,"ja-jp"],[0,"ko-kr"],[0,"zh-tw"],[0,"zh-cn"],[0,"ru-ru"],[0,"pl-pl"],[0,"nl-nl"]]],"navData":[1,[[0,{"metadata":[0,{"tags":[1,[]],"concepts":[1,[]]}],"sys":[0,{"space":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"Space"],"id":[0,"zkvhlag99gkb"]}]}],"id":[0,"6Mp7ouACN2rT3YjL1xaXJx"],"type":[0,"Entry"],"createdAt":[0,"2024-10-09T19:42:46.231Z"],"updatedAt":[0,"2025-02-17T17:03:20.612Z"],"environment":[0,{"sys":[0,{"id":[0,"master"],"type":[0,"Link"],"linkType":[0,"Environment"]}]}],"publishedVersion":[0,63],"revision":[0,22],"contentType":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"ContentType"],"id":[0,"blogTag"]}]}],"locale":[0,"en-US"]}],"fields":[0,{"entryTitle":[0,"Security"],"name":[0,"Security"],"slug":[0,"security"],"featured":[0,true]}]}],[0,{"metadata":[0,{"tags":[1,[]],"concepts":[1,[]]}],"sys":[0,{"space":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"Space"],"id":[0,"zkvhlag99gkb"]}]}],"id":[0,"5kZtWqjqa7aOUoZr8NFGwI"],"type":[0,"Entry"],"createdAt":[0,"2024-10-09T19:43:26.040Z"],"updatedAt":[0,"2025-02-11T11:03:11.949Z"],"environment":[0,{"sys":[0,{"id":[0,"master"],"type":[0,"Link"],"linkType":[0,"Environment"]}]}],"publishedVersion":[0,103],"revision":[0,32],"contentType":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"ContentType"],"id":[0,"blogTag"]}]}],"locale":[0,"en-US"]}],"fields":[0,{"entryTitle":[0,"Cloudflare Radar"],"name":[0,"Radar"],"slug":[0,"cloudflare-radar"],"featured":[0,true]}]}],[0,{"metadata":[0,{"tags":[1,[]],"concepts":[1,[]]}],"sys":[0,{"space":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"Space"],"id":[0,"zkvhlag99gkb"]}]}],"id":[0,"6Foe3R8of95cWVnQwe5Toi"],"type":[0,"Entry"],"createdAt":[0,"2024-10-09T22:44:28.803Z"],"updatedAt":[0,"2025-02-10T05:02:55.192Z"],"environment":[0,{"sys":[0,{"id":[0,"master"],"type":[0,"Link"],"linkType":[0,"Environment"]}]}],"publishedVersion":[0,62],"revision":[0,23],"contentType":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"ContentType"],"id":[0,"blogTag"]}]}],"locale":[0,"en-US"]}],"fields":[0,{"entryTitle":[0,"AI"],"name":[0,"AI"],"slug":[0,"ai"],"featured":[0,true]}]}],[0,{"metadata":[0,{"tags":[1,[]],"concepts":[1,[]]}],"sys":[0,{"space":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"Space"],"id":[0,"zkvhlag99gkb"]}]}],"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"type":[0,"Entry"],"createdAt":[0,"2024-10-09T19:43:20.198Z"],"updatedAt":[0,"2025-02-04T17:23:05.518Z"],"environment":[0,{"sys":[0,{"id":[0,"master"],"type":[0,"Link"],"linkType":[0,"Environment"]}]}],"publishedVersion":[0,57],"revision":[0,24],"contentType":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"ContentType"],"id":[0,"blogTag"]}]}],"locale":[0,"en-US"]}],"fields":[0,{"entryTitle":[0,"Product News"],"name":[0,"Product News"],"slug":[0,"product-news"],"featured":[0,true]}]}],[0,{"metadata":[0,{"tags":[1,[]],"concepts":[1,[]]}],"sys":[0,{"space":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"Space"],"id":[0,"zkvhlag99gkb"]}]}],"id":[0,"J61Eszqn98amrYHq4IhTx"],"type":[0,"Entry"],"createdAt":[0,"2024-10-09T19:43:46.068Z"],"updatedAt":[0,"2025-02-04T17:20:13.333Z"],"environment":[0,{"sys":[0,{"id":[0,"master"],"type":[0,"Link"],"linkType":[0,"Environment"]}]}],"publishedVersion":[0,61],"revision":[0,27],"contentType":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"ContentType"],"id":[0,"blogTag"]}]}],"locale":[0,"en-US"]}],"fields":[0,{"entryTitle":[0,"Zero Trust"],"name":[0,"Zero Trust"],"slug":[0,"zero-trust"],"featured":[0,true]}]}],[0,{"metadata":[0,{"tags":[1,[]],"concepts":[1,[]]}],"sys":[0,{"space":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"Space"],"id":[0,"zkvhlag99gkb"]}]}],"id":[0,"4HIPcb68qM0e26fIxyfzwQ"],"type":[0,"Entry"],"createdAt":[0,"2024-10-09T19:43:21.536Z"],"updatedAt":[0,"2025-02-04T17:19:33.689Z"],"environment":[0,{"sys":[0,{"id":[0,"master"],"type":[0,"Link"],"linkType":[0,"Environment"]}]}],"publishedVersion":[0,59],"revision":[0,26],"contentType":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"ContentType"],"id":[0,"blogTag"]}]}],"locale":[0,"en-US"]}],"fields":[0,{"entryTitle":[0,"Developers"],"name":[0,"Developers"],"slug":[0,"developers"],"featured":[0,true]}]}],[0,{"metadata":[0,{"tags":[1,[]],"concepts":[1,[]]}],"sys":[0,{"space":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"Space"],"id":[0,"zkvhlag99gkb"]}]}],"id":[0,"48r7QV00gLMWOIcM1CSDRy"],"type":[0,"Entry"],"createdAt":[0,"2024-10-09T19:54:22.790Z"],"updatedAt":[0,"2025-02-04T17:17:33.067Z"],"environment":[0,{"sys":[0,{"id":[0,"master"],"type":[0,"Link"],"linkType":[0,"Environment"]}]}],"publishedVersion":[0,59],"revision":[0,26],"contentType":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"ContentType"],"id":[0,"blogTag"]}]}],"locale":[0,"en-US"]}],"fields":[0,{"entryTitle":[0,"Speed & Reliability"],"name":[0,"Speed & Reliability"],"slug":[0,"speed-and-reliability"],"featured":[0,true]}]}],[0,{"metadata":[0,{"tags":[1,[]],"concepts":[1,[]]}],"sys":[0,{"space":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"Space"],"id":[0,"zkvhlag99gkb"]}]}],"id":[0,"V86khSc459Yi1AhTlvtY7"],"type":[0,"Entry"],"createdAt":[0,"2024-10-09T19:46:53.657Z"],"updatedAt":[0,"2025-02-04T17:12:59.473Z"],"environment":[0,{"sys":[0,{"id":[0,"master"],"type":[0,"Link"],"linkType":[0,"Environment"]}]}],"publishedVersion":[0,57],"revision":[0,21],"contentType":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"ContentType"],"id":[0,"blogTag"]}]}],"locale":[0,"en-US"]}],"fields":[0,{"entryTitle":[0,"Partners"],"name":[0,"Partners"],"slug":[0,"partners"],"featured":[0,true]}]}],[0,{"metadata":[0,{"tags":[1,[]],"concepts":[1,[]]}],"sys":[0,{"space":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"Space"],"id":[0,"zkvhlag99gkb"]}]}],"id":[0,"4g8tPriKOAUwdUT4jNPebe"],"type":[0,"Entry"],"createdAt":[0,"2024-10-09T19:46:40.927Z"],"updatedAt":[0,"2025-02-04T17:11:28.566Z"],"environment":[0,{"sys":[0,{"id":[0,"master"],"type":[0,"Link"],"linkType":[0,"Environment"]}]}],"publishedVersion":[0,55],"revision":[0,24],"contentType":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"ContentType"],"id":[0,"blogTag"]}]}],"locale":[0,"en-US"]}],"fields":[0,{"entryTitle":[0,"Life at Cloudflare"],"name":[0,"Life at Cloudflare"],"slug":[0,"life-at-cloudflare"],"featured":[0,true]}]}],[0,{"metadata":[0,{"tags":[1,[]],"concepts":[1,[]]}],"sys":[0,{"space":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"Space"],"id":[0,"zkvhlag99gkb"]}]}],"id":[0,"16yk8DVbNNifxov5cWvAov"],"type":[0,"Entry"],"createdAt":[0,"2024-10-09T19:56:23.848Z"],"updatedAt":[0,"2025-01-29T05:03:35.958Z"],"environment":[0,{"sys":[0,{"id":[0,"master"],"type":[0,"Link"],"linkType":[0,"Environment"]}]}],"publishedVersion":[0,63],"revision":[0,28],"contentType":[0,{"sys":[0,{"type":[0,"Link"],"linkType":[0,"ContentType"],"id":[0,"blogTag"]}]}],"locale":[0,"en-US"]}],"fields":[0,{"entryTitle":[0,"Policy & Legal"],"name":[0,"Policy & Legal"],"slug":[0,"policy"],"featured":[0,true]}]}]]]}],"locale":[0,"en-us"],"translations":[0,{"posts.by":[0,"By"],"footer.gdpr":[0,"GDPR"],"lang_blurb1":[0,"This post is also available in {lang1}."],"lang_blurb2":[0,"This post is also available in {lang1} and {lang2}."],"lang_blurb3":[0,"This post is also available in {lang1}, {lang2} and {lang3}."],"footer.press":[0,"Press"],"header.title":[0,"The Cloudflare Blog"],"search.clear":[0,"Clear"],"search.filter":[0,"Filter"],"search.source":[0,"Source"],"footer.careers":[0,"Careers"],"footer.company":[0,"Company"],"footer.support":[0,"Support"],"footer.the_net":[0,"theNet"],"search.filters":[0,"Filters"],"footer.our_team":[0,"Our team"],"footer.webinars":[0,"Webinars"],"page.more_posts":[0,"More posts"],"posts.time_read":[0,"{time} min read"],"search.language":[0,"Language"],"footer.community":[0,"Community"],"footer.resources":[0,"Resources"],"footer.solutions":[0,"Solutions"],"footer.trademark":[0,"Trademark"],"header.subscribe":[0,"Subscribe"],"footer.compliance":[0,"Compliance"],"footer.free_plans":[0,"Free plans"],"footer.impact_ESG":[0,"Impact/ESG"],"posts.follow_on_X":[0,"Follow on X"],"footer.help_center":[0,"Help center"],"footer.network_map":[0,"Network Map"],"header.please_wait":[0,"Please Wait"],"page.related_posts":[0,"Related posts"],"search.result_stat":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong> for <strong>{search_keyword}</strong>"],"footer.case_studies":[0,"Case Studies"],"footer.connect_2024":[0,"Connect 2024"],"footer.terms_of_use":[0,"Terms of Use"],"footer.white_papers":[0,"White Papers"],"footer.cloudflare_tv":[0,"Cloudflare TV"],"footer.community_hub":[0,"Community Hub"],"footer.compare_plans":[0,"Compare plans"],"footer.contact_sales":[0,"Contact Sales"],"header.contact_sales":[0,"Contact Sales"],"header.email_address":[0,"Email Address"],"page.error.not_found":[0,"Page not found"],"footer.developer_docs":[0,"Developer docs"],"footer.privacy_policy":[0,"Privacy Policy"],"footer.request_a_demo":[0,"Request a demo"],"page.continue_reading":[0,"Continue reading"],"footer.analysts_report":[0,"Analyst reports"],"footer.for_enterprises":[0,"For enterprises"],"footer.getting_started":[0,"Getting Started"],"footer.learning_center":[0,"Learning Center"],"footer.project_galileo":[0,"Project Galileo"],"pagination.newer_posts":[0,"Newer Posts"],"pagination.older_posts":[0,"Older Posts"],"posts.social_buttons.x":[0,"Discuss on X"],"search.icon_aria_label":[0,"Search"],"search.source_location":[0,"Source/Location"],"footer.about_cloudflare":[0,"About Cloudflare"],"footer.athenian_project":[0,"Athenian Project"],"footer.become_a_partner":[0,"Become a partner"],"footer.cloudflare_radar":[0,"Cloudflare Radar"],"footer.network_services":[0,"Network services"],"footer.trust_and_safety":[0,"Trust & Safety"],"header.get_started_free":[0,"Get Started Free"],"page.search.placeholder":[0,"Search Cloudflare"],"footer.cloudflare_status":[0,"Cloudflare Status"],"footer.cookie_preference":[0,"Cookie Preferences"],"header.valid_email_error":[0,"Must be valid email."],"search.result_stat_empty":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong>"],"footer.connectivity_cloud":[0,"Connectivity cloud"],"footer.developer_services":[0,"Developer services"],"footer.investor_relations":[0,"Investor relations"],"page.not_found.error_code":[0,"Error Code: 404"],"search.autocomplete_title":[0,"Insert a query. Press enter to send"],"footer.logos_and_press_kit":[0,"Logos & press kit"],"footer.application_services":[0,"Application services"],"footer.get_a_recommendation":[0,"Get a recommendation"],"posts.social_buttons.reddit":[0,"Discuss on Reddit"],"footer.sse_and_sase_services":[0,"SSE and SASE services"],"page.not_found.outdated_link":[0,"You may have used an outdated link, or you may have typed the address incorrectly."],"footer.report_security_issues":[0,"Report Security Issues"],"page.error.error_message_page":[0,"Sorry, we can't find the page you are looking for."],"header.subscribe_notifications":[0,"Subscribe to receive notifications of new posts:"],"footer.cloudflare_for_campaigns":[0,"Cloudflare for Campaigns"],"header.subscription_confimation":[0,"Subscription confirmed. Thank you for subscribing!"],"posts.social_buttons.hackernews":[0,"Discuss on Hacker News"],"footer.diversity_equity_inclusion":[0,"Diversity, equity & inclusion"],"footer.critical_infrastructure_defense_project":[0,"Critical Infrastructure Defense Project"]}]}" ssr client="idle" opts="{"name":"NavigationComponent","value":true}" await-children> <header class="flex flex-row flex-wrap justify-between items-flex-end mw8 center mv3 pl3 pr1"> <div class="w-100 flex items-flex-end justify-between justify-start-l"> <div class="w-100 tr flex justify-end"> <div class="flex justify-between items-center"> <span class="dn di-l pr1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://dash.cloudflare.com/sign-up" class="f1 blue1 dn di-l b no-underline underline-hover" target="_blank" rel="noreferrer">Get Started Free</a></span><span class="f1 gray4 dn di-l pr1">|</span><span class="dn di-l"><a target="_blank" href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/plans/enterprise/contact/" class="f1 gray4 no-underline underline-hover pr1" rel="noreferrer">Contact Sales</a></span><span class="f1 gray4 dn di-l pr1">|</span> <div class="relative flex cf-dropdown"> <div class="flex items-center" dir="ltr"> <button type="button" class="f1 gray4 no-underline language-picker js-language-picker" style="background:transparent;border:none;padding:0"><span class="language-picker__globe-icon"></span><span class="language-picker__caret-icon ph1">▼</span></button> </div> </div> </div> </div> </div> <div class="w-100 w-50-l flex items-end nb5 nb1-l"> <a href="https://blog-cloudflare-com.translate.goog/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="header-logo mr4 dn db-l"><img class="header-logo" src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/69RwBidpiEHCDZ9rFVVk7T/092507edbed698420b89658e5a6d5105/CF_logo_stacked_blktype.png" alt="The Cloudflare Blog" width="170" height="57"></a> <h2 class="mt0 mb1 dn di-l"><a href="https://blog-cloudflare-com.translate.goog/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw5 f5 gray3 no-underline"><span class="dn di-l">The Cloudflare Blog</span></a></h2> </div> <div class="w-100 w-50-l dn db-l"> <div class="w-100 tr mkto-sub-message"> <p class="f2">Subscribe to receive notifications of new posts:</p> </div> <div class="w-100 tr"> <div class="marketo-form-container"> <form id="mktoForm_1653"> <div class="top-subscribe-form-container"> <div class="top-subscribe-form-field"> <input placeholder="Email Address" class="top-subscribe-form-input" name="email" type="email" title="Must be valid email."> </div><button class="top-subscribe-form-button" type="button">Subscribe</button> </div> </form> </div> </div> </div> </header> <nav dir="ltr" class="bb b--black-10 db dn-l w-100 ph3 "> <div class=" flex justify-between items-center" style="height:44px"> <a href="https://blog-cloudflare-com.translate.goog/search/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB"><img class="h-6 w-6" src="/images/magnifier.svg" alt="magnifier icon"></a><button type="button" style="background:transparent;border:none"><img src="/images/hamburger.svg" alt="hamburger menu"></button> </div> <div class="js-mobile-nav-container dn"> <div class="flex flex-column flex-wrap bg-gray9 o-95 absolute w-90 ph3 z-1"> <div class="pv3 ph2 tl"> <a href="https://blog-cloudflare-com.translate.goog/tag/security/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="no-underline gray1 f4 fw7">Security</a> </div> <div class="pv3 ph2 tl"> <a href="https://blog-cloudflare-com.translate.goog/tag/cloudflare-radar/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="no-underline gray1 f4 fw7">Radar</a> </div> <div class="pv3 ph2 tl"> <a href="https://blog-cloudflare-com.translate.goog/tag/ai/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="no-underline gray1 f4 fw7">AI</a> </div> <div class="pv3 ph2 tl"> <a href="https://blog-cloudflare-com.translate.goog/tag/product-news/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="no-underline gray1 f4 fw7">Product News</a> </div> <div class="pv3 ph2 tl"> <a href="https://blog-cloudflare-com.translate.goog/tag/zero-trust/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="no-underline gray1 f4 fw7">Zero Trust</a> </div> <div class="pv3 ph2 tl"> <a href="https://blog-cloudflare-com.translate.goog/tag/developers/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="no-underline gray1 f4 fw7">Developers</a> </div> <div class="pv3 ph2 tl"> <a href="https://blog-cloudflare-com.translate.goog/tag/speed-and-reliability/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="no-underline gray1 f4 fw7">Speed & Reliability</a> </div> <div class="pv3 ph2 tl"> <a href="https://blog-cloudflare-com.translate.goog/tag/partners/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="no-underline gray1 f4 fw7">Partners</a> </div> <div class="pv3 ph2 tl"> <a href="https://blog-cloudflare-com.translate.goog/tag/life-at-cloudflare/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="no-underline gray1 f4 fw7">Life at Cloudflare</a> </div> <div class="pv3 ph2 tl"> <a href="https://blog-cloudflare-com.translate.goog/tag/policy/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="no-underline gray1 f4 fw7">Policy & Legal</a> </div> </div> </div> </nav> <nav id="nav" class="w-100 bb-0 bb-l b--black-10 z-1"> <div id="desktop-nav-items-container" class="flex flex-wrap justify-between items-center mw8 center mv3 mv0-l"> <div data-tag="security" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"> <a href="https://blog-cloudflare-com.translate.goog/tag/security/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="no-underline gray1 f2 fw5 pv3">Security</a> </div> <div data-tag="cloudflare-radar" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"> <a href="https://blog-cloudflare-com.translate.goog/tag/cloudflare-radar/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="no-underline gray1 f2 fw5 pv3">Radar</a> </div> <div data-tag="ai" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"> <a href="https://blog-cloudflare-com.translate.goog/tag/ai/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="no-underline gray1 f2 fw5 pv3">AI</a> </div> <div data-tag="product-news" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"> <a href="https://blog-cloudflare-com.translate.goog/tag/product-news/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="no-underline gray1 f2 fw5 pv3">Product News</a> </div> <div data-tag="zero-trust" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"> <a href="https://blog-cloudflare-com.translate.goog/tag/zero-trust/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="no-underline gray1 f2 fw5 pv3">Zero Trust</a> </div> <div data-tag="developers" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"> <a href="https://blog-cloudflare-com.translate.goog/tag/developers/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="no-underline gray1 f2 fw5 pv3">Developers</a> </div> <div data-tag="speed-and-reliability" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"> <a href="https://blog-cloudflare-com.translate.goog/tag/speed-and-reliability/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="no-underline gray1 f2 fw5 pv3">Speed & Reliability</a> </div> <div data-tag="partners" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"> <a href="https://blog-cloudflare-com.translate.goog/tag/partners/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="no-underline gray1 f2 fw5 pv3">Partners</a> </div> <div data-tag="life-at-cloudflare" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"> <a href="https://blog-cloudflare-com.translate.goog/tag/life-at-cloudflare/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="no-underline gray1 f2 fw5 pv3">Life at Cloudflare</a> </div> <div data-tag="policy" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"> <a href="https://blog-cloudflare-com.translate.goog/tag/policy/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="no-underline gray1 f2 fw5 pv3">Policy & Legal</a> </div> <div class="nav-item ml2 mr3 dn db-l pv3" data-tag="search icon"> <a href="https://blog-cloudflare-com.translate.goog/search/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB"><img id="search-icon" class="h-6 w-6" src="/images/magnifier.svg" alt="magnifier icon"></a> </div> </div> </nav><!--astro:end--> </astro-island> <script>(()=>{var e=async t=>{await(await t())()};(self.Astro||(self.Astro={})).load=e;window.dispatchEvent(new Event("astro:load"));})();</script> <div data-testid="author-info-section" class="flex flex-row flex-wrap mw7 center bb b--gray8 ph3"> <div class="pv4"> <div class="flex flex-row items-center mt5 mt4-m mt0-l"> <img data-testid="author-img" class="mw3 br-100 w3 h3 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg" alt="Jesse Kipp"> <h1 data-testid="author-name" class="f7 fw4 mv0 mv3-m">Jesse Kipp</h1> </div> </div> </div> <main id="site-main" class="flex flex-row flex-wrap mw7 center mt4-l"><astro-island uid="Z1V3Hru" prefix="r1" component-url="/_astro/PostCard.CG32ktie.js" component-export="PostCard" renderer-url="/_astro/client.DLO1yDVm.js" props="{"post":[0,{"id":[0,"29PAMer5L0do12OtNa557I"],"title":[0,"Making Workers AI faster and more efficient: Performance optimization with KV cache compression and speculative decoding"],"slug":[0,"making-workers-ai-faster"],"excerpt":[0,"With a new generation of data center accelerator hardware and using optimization techniques such as KV cache compression and speculative decoding, we’ve made large language model (LLM)"],"featured":[0,false],"html":[0,"<p>During Birthday Week 2023, <a href=\"https://blog.cloudflare.com/workers-ai/\"><u>we launched Workers AI</u></a>. Since then, we have been listening to your feedback, and one thing we’ve heard consistently is that our customers want Workers AI to be faster. In particular, we hear that large language model (LLM) generation needs to be faster. Users want their interactive chat and agents to go faster, developers want faster help, and users do not want to wait for applications and generated website content to load. Today, we’re announcing three upgrades we’ve made to Workers AI to bring faster and more efficient inference to our customers: upgraded hardware, KV cache compression, and speculative decoding.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"watch-on-cloudflare-tv\">Watch on Cloudflare TV</h3>\n <a href=\"#watch-on-cloudflare-tv\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <div style=\"position: relative; padding-top: 56.25%;\">\n <iframe\n src=\"https://customer-rhnwzxvb3mg4wz3v.cloudflarestream.com/f37bfe2e21799996f84c7ff4e498893d/iframe?preload=true&poster=https%3A%2F%2Fcustomer-rhnwzxvb3mg4wz3v.cloudflarestream.com%2Ff37bfe2e21799996f84c7ff4e498893d%2Fthumbnails%2Fthumbnail.jpg%3Ftime%3D8s%26height%3D600\"\n loading=\"lazy\"\n style=\"border: none; position: absolute; top: 0; left: 0; height: 100%; width: 100%;\"\n allow=\"accelerometer; gyroscope; autoplay; encrypted-media; picture-in-picture;\"\n allowfullscreen=\"true\"\n ></iframe>\n</div><p>Thanks to Cloudflare’s <a href=\"https://blog.cloudflare.com/gen-12-servers/\"><u>12th generation compute servers</u></a>, our network now supports a newer generation of GPUs capable of supporting larger models and faster inference. Customers can now use <a href=\"https://developers.cloudflare.com/workers-ai/models/llama-3.2-11b-vision-instruct\"><u>Meta Llama 3.2 11B</u></a>, Meta’s <a href=\"https://ai.meta.com/blog/llama-3-2-connect-2024-vision-edge-mobile-devices/\"><u>newly released</u></a> multi-modal model with vision support, as well as Meta Llama 3.1 70B on Workers AI. Depending on load and time of day, customers can expect to see two to three times the throughput for Llama 3.1 and 3.2 compared to our previous generation Workers AI hardware. More performance information for these models can be found in today’s post: <a href=\"https://blog.cloudflare.com/workers-ai-bigger-better-faster\"><i><u>Cloudflare’s Bigger, Better, Faster AI platform</u></i></a>.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"new-kv-cache-compression-methods-now-open-source\">New KV cache compression methods, now open source</h2>\n <a href=\"#new-kv-cache-compression-methods-now-open-source\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>In our effort to deliver low-cost low-latency inference to the world, Workers AI has been developing novel methods to boost efficiency of LLM inference. Today, we’re excited to announce a technique for KV cache compression that can help increase throughput of an inference platform. And we’ve made it open source too, so that everyone can benefit from our research.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"its-all-about-memory\">It’s all about memory</h3>\n <a href=\"#its-all-about-memory\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>One of the main bottlenecks when running LLM inference is the amount of vRAM (memory) available. Every word that an LLM processes generates a set of vectors that encode the meaning of that word in the context of any earlier words in the input that are used to generate new tokens in the future. These vectors are stored in the <i>KV cache</i>, causing the memory required for inference to scale linearly with the total number of tokens of all sequences being processed. This makes memory a bottleneck for a lot of transformer-based models. Because of this, the amount of memory an instance has available limits the number of sequences it can generate concurrently, as well as the maximum token length of sequences it can generate.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"so-what-is-the-kv-cache-anyway\">So what is the KV cache anyway?</h3>\n <a href=\"#so-what-is-the-kv-cache-anyway\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>LLMs are made up of layers, with an <a href=\"https://en.wikipedia.org/wiki/Attention_(machine_learning)\"><u>attention</u></a> operation occurring in each layer. Within each layer’s attention operation, information is collected from the representations of all previous tokens that are stored in cache. This means that vectors in the KV cache are organized into layers, so that the active layer’s attention operation can only query vectors from the corresponding layer of KV cache. Furthermore, since attention within each layer is parallelized across multiple attention “heads”, the KV cache vectors of a specific layer are further subdivided into groups corresponding to each attention head of that layer.</p><p>The diagram below shows the structure of an LLM’s KV cache for a single sequence being generated. Each cell represents a KV and the model’s representation for a token consists of all KV vectors for that token across all attention heads and layers. As you can see, the KV cache for a single layer is allocated as an M x N matrix of KV vectors where M is the number of attention heads and N is the sequence length. This will be important later!</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3ZagFp9yy3E55SR8GKRBvh/9e37f5890165e758ccaebf77464be483/BLOG-2571_2.png\" alt=\"BLOG-2571 2\" class=\"kg-image\" width=\"1528\" height=\"876\" loading=\"lazy\"/>\n </figure><p>For a deeper look at attention, see the original “<a href=\"https://arxiv.org/abs/1706.03762\"><u>Attention is All You Need</u></a>” paper. </p>\n <div class=\"flex anchor relative\">\n <h3 id=\"kv-cache-compression-use-it-or-lose-it\">KV-cache compression — “use it or lose it”</h3>\n <a href=\"#kv-cache-compression-use-it-or-lose-it\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Now that we know what the KV cache looks like, let’s dive into how we can shrink it!</p><p>The most common approach to compressing the KV cache involves identifying vectors within it that are unlikely to be queried by future attention operations and can therefore be removed without impacting the model’s outputs. This is commonly done by looking at the past attention weights for each pair of key and value vectors (a measure of the degree with which that KV’s representation has been queried during past attention operations) and selecting the KVs that have received the lowest total attention for eviction. This approach is conceptually similar to a LFU (least frequently used) cache management policy: the less a particular vector is queried, the more likely it is to be evicted in the future.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"different-attention-heads-need-different-compression-rates\">Different attention heads need different compression rates</h3>\n <a href=\"#different-attention-heads-need-different-compression-rates\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>As we saw earlier, the KV cache for each sequence in a particular layer is allocated on the GPU as a <i># attention heads X sequence length</i> tensor. This means that the total memory allocation scales with the <i>maximum</i> sequence length for all attention heads of the KV cache. Usually this is not a problem, since each sequence generates the same number of KVs per attention head.</p><p>When we consider the problem of eviction-based KV cache compression, however, this forces us to remove an equal number of KVs from each attention head when doing the compression. If we remove more KVs from one attention head alone, those removed KVs won’t actually contribute to lowering the memory footprint of the KV cache on GPU, but will just add more empty “padding” to the corresponding rows of the tensor. You can see this in the diagram below (note the empty cells in the second row below):</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/68Q5hVbfRF1vhqyeGNzB1Q/91056db8208c5e74be00e0add147b3e9/BLOG-2571_3.png\" alt=\"BLOG-2571 3\" class=\"kg-image\" width=\"1452\" height=\"808\" loading=\"lazy\"/>\n </figure><p>The extra compression along the second head frees slots for two KVs, but the cache’s shape (and memory footprint) remains the same.</p><p>This forces us to use a fixed compression rate for all attention heads of KV cache, which is very limiting on the compression rates we can achieve before compromising performance.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"enter-pagedattention\">Enter PagedAttention</h3>\n <a href=\"#enter-pagedattention\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>The solution to this problem is to change how our KV cache is represented in physical memory. <a href=\"https://arxiv.org/abs/2309.06180\"><u>PagedAttention</u></a> can represent N x M tensors with padding efficiently by using an N x M block table to index into a series of “blocks”.</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1Sia3ZKKzBaHEfI8qLYr8o/57edb68d61ff916d322502aeb406c88c/BLOG-2571_4.png\" alt=\"BLOG-2571 4\" class=\"kg-image\" width=\"1512\" height=\"722\" loading=\"lazy\"/>\n </figure><p>This lets us retrieve the i<sup>th</sup> element of a row by taking the i<sup>th</sup> block number from that row in the block table and using the block number to lookup the corresponding block, so we avoid allocating space to padding elements in our physical memory representation. In our case, the elements in physical memory are the KV cache vectors, and the <i>M </i>and <i>N</i> that define the shape of our block table are the number of attention heads and sequence length, respectively. Since the block table is only storing integer indices (rather than high-dimensional KV vectors), its memory footprint is negligible in most cases.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"results\">Results</h3>\n <a href=\"#results\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Using paged attention lets us apply different rates of compression to different heads in our KV cache, giving our compression strategy more flexibility than other methods. We tested our compression algorithm on <a href=\"https://arxiv.org/abs/2308.14508\"><u>LongBench</u></a> (a collection of long-context LLM benchmarks) with Llama-3.1-8B and found that for most tasks we can retain over 95% task performance while reducing cache size by up to 8x (left figure below). Over 90% task performance can be retained while further compressing up to 64x. That means you have room in memory for 64 times as many tokens!</p>\n <figure class=\"kg-card kg-image-card\">\n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/pdz5rPhYdfnMmn6cxhczo/29b69bb65aea8989fc1f50283e8ecbc5/BLOG-2571_5.png\" alt=\"BLOG-2571 5\" class=\"kg-image\" width=\"1758\" height=\"652\" loading=\"lazy\"/>\n </figure><p>This lets us increase the number of requests we can process in parallel, increasing the total throughput (total tokens generated per second) by 3.44x and 5.18x for compression rates of 8x and 64x, respectively (right figure above).</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"try-it-yourself\">Try it yourself!</h3>\n <a href=\"#try-it-yourself\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>If you’re interested in taking a deeper dive check out our <a href=\"https://github.com/IsaacRe/vllm-kvcompress\"><u>vLLM fork</u></a> and get compressing!!</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"speculative-decoding-for-faster-throughput\">Speculative decoding for faster throughput</h2>\n <a href=\"#speculative-decoding-for-faster-throughput\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>A new inference strategy that we implemented is speculative decoding, which is a very popular way to get faster throughput (measured in tokens per second). LLMs work by predicting the next expected token (a token can be a word, word fragment or single character) in the sequence with each call to the model, based on everything that the model has seen before. For the first token generated, this means just the initial prompt, but after that each subsequent token is generated based on the prompt plus all other tokens that have been generated. Typically, this happens one token at a time, generating a single word, or even a single letter, depending on what comes next.</p><p>But what about this prompt:</p><blockquote><p><i>Knock, knock!</i></p></blockquote><p>If you are familiar with knock-knock jokes, you could very accurately predict more than one token ahead. For an English language speaker, what comes next is a very specific sequence that is four to five tokens long: “Who’s there?” or “Who is there?” Human language is full of these types of phrases where the next word has only one, or a few, high probability choices. Idioms, common expressions, and even basic grammar are all examples of this. So for each prediction the model makes, we can take it a step further with speculative decoding to predict the next <i>n</i> tokens. This allows us to speed up inference, as we’re not limited to predicting one token at a time.</p><p>There are several different implementations of speculative decoding, but each in some way uses a smaller, faster-to-run model to generate more than one token at a time. For Workers AI, we have applied <a href=\"https://github.com/apoorvumang/prompt-lookup-decoding\"><u>prompt-lookup decoding</u></a> to some of the LLMs we offer. This simple method matches the last <i>n </i>tokens of generated text against text in the prompt/output and predicts candidate tokens that continue these identified patterns as candidates for continuing the output. In the case of knock-knock jokes, it can predict all the tokens for <i>“Who’s there</i>” at once after seeing “<i>Knock, knock!</i>”, as long as this setup occurs somewhere in the prompt or previous dialogue already. Once these candidate tokens have been predicted, the model can verify them all with a single forward-pass and choose to either accept or reject them. This increases the generation speed of llama-3.1-8b-instruct by up to 40% and the 70B model by up to 70%.</p><p>Speculative decoding has tradeoffs, however. Typically, the results of a model using speculative decoding have a lower quality, both when measured using benchmarks like <a href=\"https://paperswithcode.com/dataset/mmlu\"><u>MMLU</u></a> as well as when compared by humans. More aggressive speculation can speed up sequence generation, but generally comes with a greater impact to the quality of the result. Prompt lookup decoding offers one of the smallest overall quality impacts while still providing performance improvements, and we will be adding it to some language models on Workers AI including <a href=\"https://developers.cloudflare.com/workers-ai/models/llama-3-8b-instruct\"><u>@cf/meta/llama-3.1-8b-instruct</u></a>.</p><p>And, by the way, here is one of our favorite knock-knock jokes, can you guess the punchline?</p><blockquote><p><i>Knock, knock!</i></p><p><i>Who’s there?</i></p><p><i>Figs!</i></p><p><i>Figs who?</i></p><p><i>Figs the doorbell, it’s broken!</i></p></blockquote>\n <div class=\"flex anchor relative\">\n <h2 id=\"keep-accelerating\">Keep accelerating</h2>\n <a href=\"#keep-accelerating\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>As the AI industry continues to evolve, there will be new hardware and software that allows customers to get faster inference responses. Workers AI is committed to researching, implementing, and making upgrades to our services to help you get fast inference. As an Inference-as-a-Service platform, you’ll be able to benefit from all the optimizations we apply, without having to hire your own team of ML researchers and SREs to manage inference software and hardware deployments.\n\nWe’re excited for you to try out some of these new releases we have and let us know what you think! Check out our full-suite of AI announcements <a href=\"https://blog.cloudflare.com/tag/ai/\"><u>here</u></a> and check out the <a href=\"https://developers.cloudflare.com/workers-ai/\"><u>developer docs</u></a> to get started.</p>"],"published_at":[0,"2024-09-26T14:00+01:00"],"updated_at":[0,"2024-12-12T00:06:43.607Z"],"feature_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4dfJo73P9gUCVLL1TxXoH7/b74d6a660d72b28803806c736ca0e084/BLOG-2571_1.png"],"tags":[1,[[0,{"id":[0,"1Cv5JjXzKWKEA10JdYbXu1"],"name":[0,"Birthday Week"],"slug":[0,"birthday-week"]}],[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}],[0,{"id":[0,"6hbkItfupogJP3aRDAq6v8"],"name":[0,"Cloudflare Workers"],"slug":[0,"workers"]}],[0,{"id":[0,"4HIPcb68qM0e26fIxyfzwQ"],"name":[0,"Developers"],"slug":[0,"developers"]}],[0,{"id":[0,"3JAY3z7p7An94s6ScuSQPf"],"name":[0,"Developer Platform"],"slug":[0,"developer-platform"]}],[0,{"id":[0,"6gMpGK5HugYKaxJbvTMOHp"],"name":[0,"LLM"],"slug":[0,"llm"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Isaac Rehg"],"slug":[0,"isaac-rehg"],"bio":[0,null],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1UL9SXrwwlSZ91njGDCyzD/89b2b5136f0d3c44c56903420c0ef650/isaac-rehg.jpeg"],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}],[0,{"name":[0,"Jesse Kipp"],"slug":[0,"jesse"],"bio":[0,null],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg"],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}]]],"meta_description":[0,"With a new generation of data center accelerator hardware and using optimization techniques such as KV cache compression and speculative decoding, we’ve made large language model (LLM) inference lightning-fast on the Cloudflare Workers AI platform."],"primary_author":[0,{}],"localeList":[0,{"name":[0,"blog-english-only"],"enUS":[0,"English for Locale"],"zhCN":[0,"No Page for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"No Page for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"No Page for Locale"],"koKR":[0,"No Page for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"No Page for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,"https://blog.cloudflare.com/making-workers-ai-faster"],"metadata":[0,{"title":[0,"Making Workers AI faster and more efficient: Performance optimization with KV cache compression and speculative decoding"],"description":[0,"With a new generation of data center accelerator hardware and using optimization techniques such as KV cache compression and speculative decoding, we’ve made large language model (LLM) inference lightning-fast on the Cloudflare Workers AI platform."],"imgPreview":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5k8fRyeI3NnIxjvP1AMDn/3fa4bc17fda66cf87d4da06fecca9ac2/Making_Workers_AI_faster_and_more_efficient-_Performance_optimization_with_KV_cache_compression_and_speculative_decoding-OG.png"]}]}],"translations":[0,{"posts.by":[0,"By"],"footer.gdpr":[0,"GDPR"],"lang_blurb1":[0,"This post is also available in {lang1}."],"lang_blurb2":[0,"This post is also available in {lang1} and {lang2}."],"lang_blurb3":[0,"This post is also available in {lang1}, {lang2} and {lang3}."],"footer.press":[0,"Press"],"header.title":[0,"The Cloudflare Blog"],"search.clear":[0,"Clear"],"search.filter":[0,"Filter"],"search.source":[0,"Source"],"footer.careers":[0,"Careers"],"footer.company":[0,"Company"],"footer.support":[0,"Support"],"footer.the_net":[0,"theNet"],"search.filters":[0,"Filters"],"footer.our_team":[0,"Our team"],"footer.webinars":[0,"Webinars"],"page.more_posts":[0,"More posts"],"posts.time_read":[0,"{time} min read"],"search.language":[0,"Language"],"footer.community":[0,"Community"],"footer.resources":[0,"Resources"],"footer.solutions":[0,"Solutions"],"footer.trademark":[0,"Trademark"],"header.subscribe":[0,"Subscribe"],"footer.compliance":[0,"Compliance"],"footer.free_plans":[0,"Free plans"],"footer.impact_ESG":[0,"Impact/ESG"],"posts.follow_on_X":[0,"Follow on X"],"footer.help_center":[0,"Help center"],"footer.network_map":[0,"Network Map"],"header.please_wait":[0,"Please Wait"],"page.related_posts":[0,"Related posts"],"search.result_stat":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong> for <strong>{search_keyword}</strong>"],"footer.case_studies":[0,"Case Studies"],"footer.connect_2024":[0,"Connect 2024"],"footer.terms_of_use":[0,"Terms of Use"],"footer.white_papers":[0,"White Papers"],"footer.cloudflare_tv":[0,"Cloudflare TV"],"footer.community_hub":[0,"Community Hub"],"footer.compare_plans":[0,"Compare plans"],"footer.contact_sales":[0,"Contact Sales"],"header.contact_sales":[0,"Contact Sales"],"header.email_address":[0,"Email Address"],"page.error.not_found":[0,"Page not found"],"footer.developer_docs":[0,"Developer docs"],"footer.privacy_policy":[0,"Privacy Policy"],"footer.request_a_demo":[0,"Request a demo"],"page.continue_reading":[0,"Continue reading"],"footer.analysts_report":[0,"Analyst reports"],"footer.for_enterprises":[0,"For enterprises"],"footer.getting_started":[0,"Getting Started"],"footer.learning_center":[0,"Learning Center"],"footer.project_galileo":[0,"Project Galileo"],"pagination.newer_posts":[0,"Newer Posts"],"pagination.older_posts":[0,"Older Posts"],"posts.social_buttons.x":[0,"Discuss on X"],"search.icon_aria_label":[0,"Search"],"search.source_location":[0,"Source/Location"],"footer.about_cloudflare":[0,"About Cloudflare"],"footer.athenian_project":[0,"Athenian Project"],"footer.become_a_partner":[0,"Become a partner"],"footer.cloudflare_radar":[0,"Cloudflare Radar"],"footer.network_services":[0,"Network services"],"footer.trust_and_safety":[0,"Trust & Safety"],"header.get_started_free":[0,"Get Started Free"],"page.search.placeholder":[0,"Search Cloudflare"],"footer.cloudflare_status":[0,"Cloudflare Status"],"footer.cookie_preference":[0,"Cookie Preferences"],"header.valid_email_error":[0,"Must be valid email."],"search.result_stat_empty":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong>"],"footer.connectivity_cloud":[0,"Connectivity cloud"],"footer.developer_services":[0,"Developer services"],"footer.investor_relations":[0,"Investor relations"],"page.not_found.error_code":[0,"Error Code: 404"],"search.autocomplete_title":[0,"Insert a query. Press enter to send"],"footer.logos_and_press_kit":[0,"Logos & press kit"],"footer.application_services":[0,"Application services"],"footer.get_a_recommendation":[0,"Get a recommendation"],"posts.social_buttons.reddit":[0,"Discuss on Reddit"],"footer.sse_and_sase_services":[0,"SSE and SASE services"],"page.not_found.outdated_link":[0,"You may have used an outdated link, or you may have typed the address incorrectly."],"footer.report_security_issues":[0,"Report Security Issues"],"page.error.error_message_page":[0,"Sorry, we can't find the page you are looking for."],"header.subscribe_notifications":[0,"Subscribe to receive notifications of new posts:"],"footer.cloudflare_for_campaigns":[0,"Cloudflare for Campaigns"],"header.subscription_confimation":[0,"Subscription confirmed. Thank you for subscribing!"],"posts.social_buttons.hackernews":[0,"Discuss on Hacker News"],"footer.diversity_equity_inclusion":[0,"Diversity, equity & inclusion"],"footer.critical_infrastructure_defense_project":[0,"Critical Infrastructure Defense Project"]}]}" ssr client="load" opts="{"name":"PostCard","value":true}" await-children> <article class="w-100 featured-post flex flex-row flex-wrap mb4 items-center bb b--gray8 bn-l mt4 mt2-l mb4 ph3 bb b--gray8 bn-l"> <div class="w-100"> <a href="https://blog-cloudflare-com.translate.goog/making-workers-ai-faster/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw5 no-underline gray1" data-testid="post-title"><h2 class="fw5 mt2">Making Workers AI faster and more efficient: Performance optimization with KV cache compression and speculative decoding</h2></a> <p class="f3 fw5 gray5 my" data-testid="post-date">2024-09-26</p> <div class=""> <a href="https://blog-cloudflare-com.translate.goog/tag/birthday-week/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Birthday Week</a><a href="https://blog-cloudflare-com.translate.goog/tag/product-news/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Product News</a><a href="https://blog-cloudflare-com.translate.goog/tag/workers/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Cloudflare Workers</a><a href="https://blog-cloudflare-com.translate.goog/tag/developers/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Developers</a><a href="https://blog-cloudflare-com.translate.goog/tag/developer-platform/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Developer Platform</a><a href="https://blog-cloudflare-com.translate.goog/tag/llm/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">LLM</a> </div> <p class="f3 fw4 gray1 lh-copy " data-testid="post-content">With a new generation of data center accelerator hardware and using optimization techniques such as KV cache compression and speculative decoding, we’ve made large language model (LLM)<!-- -->...</p> <ul class="author-lists flex pl0"> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/isaac-rehg/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1UL9SXrwwlSZ91njGDCyzD/89b2b5136f0d3c44c56903420c0ef650/isaac-rehg.jpeg" alt="Isaac Rehg" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/isaac-rehg/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Isaac Rehg</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg" alt="Jesse Kipp" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Jesse Kipp</a> </div></li> </ul> </div> </article><!--astro:end--> </astro-island><astro-island uid="ZzF9jy" prefix="r2" component-url="/_astro/PostCard.CG32ktie.js" component-export="PostCard" renderer-url="/_astro/client.DLO1yDVm.js" props="{"post":[0,{"id":[0,"6ItPe1u2j71C4DTSxJdccB"],"title":[0,"Leveling up Workers AI: general availability and more new capabilities"],"slug":[0,"workers-ai-ga-huggingface-loras-python-support"],"excerpt":[0,"Today, we’re excited to make a series of announcements, including Workers AI, Cloudflare’s inference platform becoming GA and support for fine-tuned models with LoRAs and one-click deploys from HuggingFace. Cloudflare Workers now supports the Python programming language, and more"],"featured":[0,false],"html":[0,"<p></p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1YNXJ4s4e47U7MvddTlpz8/3a53be280a5e373b589eba37bc4740d0/Cities-with-GPUs-momentum-update.png\" alt=\"Leveling up Workers AI: general availability and more new capabilities\" class=\"kg-image\" width=\"1600\" height=\"900\" loading=\"lazy\"/>\n \n </figure><p>Welcome to Tuesday – our AI day of Developer Week 2024! In this blog post, we’re excited to share an overview of our new AI announcements and vision, including news about Workers AI officially going GA with improved pricing, a GPU hardware momentum update, an expansion of our Hugging Face partnership, Bring Your Own LoRA fine-tuned inference, Python support in Workers, more providers in AI Gateway, and Vectorize metadata filtering.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"workers-ai-ga\">Workers AI GA</h3>\n <a href=\"#workers-ai-ga\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Today, we’re excited to announce that our Workers AI inference platform is now Generally Available. After months of being in open beta, we’ve improved our service with greater reliability and performance, unveiled pricing, and added many more models to our catalog.</p><h4>Improved performance &amp; reliability</h4><p>With Workers AI, our goal is to make AI inference as reliable and easy to use as the rest of Cloudflare’s network. Under the hood, we’ve upgraded the load balancing that is built into Workers AI. Requests can now be routed to more GPUs in more cities, and each city is aware of the total available capacity for AI inference. If the request would have to wait in a queue in the current city, it can instead be routed to another location, getting results back to you faster when traffic is high. With this, we’ve increased rate limits across all our models – most LLMs now have a of 300 requests per minute, up from 50 requests per minute during our beta phase. Smaller models have a limit of 1500-3000 requests per minute. Check out our <a href=\"https://developers.cloudflare.com/workers-ai/platform/limits/\">Developer Docs for the rate limits</a> of individual models.</p><h4>Lowering costs on popular models</h4><p>Alongside our GA of Workers AI, we published a <a href=\"https://ai.cloudflare.com/#pricing-calculator\">pricing calculator</a> for our 10 non-beta models earlier this month. We want Workers AI to be one of the most affordable and accessible solutions to run <a href=\"https://www.cloudflare.com/learning/ai/inference-vs-training/\">inference</a>, so we added a few optimizations to our models to make them more affordable. Now, Llama 2 is over 7x cheaper and Mistral 7B is over 14x cheaper to run than we had initially <a href=\"https://developers.cloudflare.com/workers-ai/platform/pricing/\">published</a> on March 1. We want to continue to be the best platform for AI inference and will continue to roll out optimizations to our customers when we can.</p><p>As a reminder, our billing for Workers AI started on April 1st for our non-beta models, while beta models remain free and unlimited. We offer 10,000 <a href=\"/workers-ai#:~:text=may%20be%20wondering%20%E2%80%94-,what%E2%80%99s%20a%20neuron\">neurons</a> per day for free to all customers. Workers Free customers will encounter a hard rate limit after 10,000 neurons in 24 hours while Workers Paid customers will incur usage at $0.011 per 1000 additional neurons. Read our <a href=\"https://developers.cloudflare.com/workers-ai/platform/pricing/\">Workers AI Pricing Developer Docs</a> for the most up-to-date information on pricing.</p><h4>New dashboard and playground</h4><p>Lastly, we’ve revamped our <a href=\"https://dash.cloudflare.com/?to=/:account/ai/workers-ai\">Workers AI dashboard</a> and <a href=\"https://playground.ai.cloudflare.com/\">AI playground</a>. The Workers AI page in the Cloudflare dashboard now shows analytics for usage across models, including neuron calculations to help you better predict pricing. The AI playground lets you quickly test and compare different models and configure prompts and parameters. We hope these new tools help developers start building on Workers AI seamlessly – go try them out!</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3uSiHo9pV21DreFiLpUfPX/5aa5c8a2448da881a0872e3f550c39a2/image3-3.png\" alt=\"\" class=\"kg-image\" width=\"1999\" height=\"1233\" loading=\"lazy\"/>\n \n </figure>\n <div class=\"flex anchor relative\">\n <h3 id=\"run-inference-on-gpus-in-over-150-cities-around-the-world\">Run inference on GPUs in over 150 cities around the world</h3>\n <a href=\"#run-inference-on-gpus-in-over-150-cities-around-the-world\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n \n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/qyZ48xVu70u80swQKPUau/1e85ea2b833139d277d5769d5a8c8c66/image5-2.png\" alt=\"\" class=\"kg-image\" width=\"1999\" height=\"500\" loading=\"lazy\"/>\n \n </figure><p>When we announced Workers AI back in September 2023, we set out to deploy GPUs to our data centers around the world. We plan to deliver on that promise and deploy inference-tuned GPUs almost everywhere by the end of 2024, making us the most widely distributed cloud-AI inference platform. We have over 150 cities with GPUs today and will continue to roll out more throughout the year.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/451IgQCfz2j10xM8kXhZy0/67632b1b5f52e3387aa387e43c804324/image7-1.png\" alt=\"\" class=\"kg-image\" width=\"1800\" height=\"1098\" loading=\"lazy\"/>\n \n </figure><p>We also have our next generation of compute servers with GPUs launching in Q2 2024, which means better performance, power efficiency, and improved reliability over previous generations. We provided a preview of our Gen 12 Compute servers design in a <a href=\"/cloudflare-gen-12-server-bigger-better-cooler-in-a-2u1n-form-factor\">December 2023 blog post</a>, with more details to come. With Gen 12 and future planned hardware launches, the next step is to support larger machine learning models and offer fine-tuning on our platform. This will allow us to achieve higher inference throughput, lower latency and greater availability for production workloads, as well as expanding support to new categories of workloads such as fine-tuning.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"hugging-face-partnership\">Hugging Face Partnership</h3>\n <a href=\"#hugging-face-partnership\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n \n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7ATIA1mxaeqHYE31cztdjg/33717b0fd20244f3089cf5d4c8a9c13f/image2-2.png\" alt=\"\" class=\"kg-image\" width=\"1999\" height=\"551\" loading=\"lazy\"/>\n \n </figure><p>We’re also excited to continue our partnership with Hugging Face in the spirit of bringing the best of open-source to our customers. Now, you can visit some of the most popular models on Hugging Face and easily click to run the model on Workers AI if it is available on our platform.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3geQJnlHZhMktG1eoEWYKE/36c76ee43eca9443b4e2e9c6d3e1df7e/image6-1.png\" alt=\"\" class=\"kg-image\" width=\"1999\" height=\"726\" loading=\"lazy\"/>\n \n </figure><p>We’re happy to announce that we’ve added 4 more models to our platform in conjunction with Hugging Face. You can now access the new <a href=\"https://huggingface.co/mistralai/Mistral-7B-Instruct-v0.2\">Mistral 7B v0.2</a> model with improved context windows, <a href=\"https://huggingface.co/NousResearch/Hermes-2-Pro-Mistral-7B\">Nous Research’s Hermes 2 Pro</a> fine-tuned version of Mistral 7B, <a href=\"https://huggingface.co/google/gemma-7b-it\">Google’s Gemma 7B</a>, and <a href=\"https://huggingface.co/Nexusflow/Starling-LM-7B-beta\">Starling-LM-7B-beta</a> fine-tuned from OpenChat. There are currently 14 models that we’ve curated with Hugging Face to be available for serverless GPU inference powered by Cloudflare’s Workers AI platform, with more coming soon. These models are all served using Hugging Face’s technology with a <a href=\"https://github.com/huggingface/text-generation-inference/\">TGI</a> backend, and we work closely with the Hugging Face team to curate, optimize, and deploy these models.</p><blockquote><p><i>“We are excited to work with Cloudflare to make AI more accessible to developers. Offering the most popular open models with a serverless API, powered by a global fleet of GPUs is an amazing proposition for the Hugging Face community, and I can’t wait to see what they build with it.”</i>- <b>Julien Chaumond</b>, Co-founder and CTO, Hugging Face</p></blockquote><p>You can find all of the open models supported in Workers AI in this <a href=\"https://huggingface.co/collections/Cloudflare/hf-curated-models-available-on-workers-ai-66036e7ad5064318b3e45db6\">Hugging Face Collection</a>, and the “Deploy to Cloudflare Workers AI” button is at the top of each model card. To learn more, read Hugging Face’s <a href=\"http://huggingface.co/blog/cloudflare-workers-ai\">blog post</a> and take a look at our <a href=\"https://developers.cloudflare.com/workers-ai/models/\">Developer Docs</a> to get started. Have a model you want to see on Workers AI? Send us a message on <a href=\"https://discord.cloudflare.com\">Discord</a> with your request.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"supporting-fine-tuned-inference-byo-loras\">Supporting fine-tuned inference - BYO LoRAs</h3>\n <a href=\"#supporting-fine-tuned-inference-byo-loras\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Fine-tuned inference is one of our most requested features for Workers AI, and we’re one step closer now with Bring Your Own (BYO) LoRAs. Using the popular <a href=\"https://www.cloudflare.com/learning/ai/what-is-lora/\">Low-Rank Adaptation</a> method, researchers have figured out how to take a model and adapt <i>some</i> model parameters to the task at hand, rather than rewriting <i>all</i> model parameters like you would for a fully fine-tuned model. This means that you can get fine-tuned model outputs without the computational expense of fully fine-tuning a model.</p><p>We now support bringing trained LoRAs to Workers AI, where we apply the LoRA adapter to a base model at runtime to give you fine-tuned inference, at a fraction of the cost, size, and speed of a fully fine-tuned model. In the future, we want to be able to support fine-tuning jobs and fully fine-tuned models directly on our platform, but we’re excited to be one step closer today with LoRAs.</p>\n <pre class=\"language-js\"><code class=\"language-js\">const response = await ai.run(\n &quot;@cf/mistralai/mistral-7b-instruct-v0.2-lora&quot;, //the model supporting LoRAs\n {\n messages: [{&quot;role&quot;: &quot;user&quot;, &quot;content&quot;: &quot;Hello world&quot;],\n raw: true, //skip applying the default chat template\n lora: &quot;00000000-0000-0000-0000-000000000&quot;, //the finetune id OR name \n }\n);</pre></code>\n <p>BYO LoRAs is in open beta as of today for Gemma 2B and 7B, Llama 2 7B and Mistral 7B models with LoRA adapters up to 100MB in size and max rank of 8, and up to 30 total LoRAs per account. As always, we expect you to use Workers AI and our new BYO LoRA feature with our <a href=\"https://www.cloudflare.com/service-specific-terms-developer-platform/#developer-platform-terms\">Terms of Service</a> in mind, including any model-specific restrictions on use contained in the models’ license terms.</p><p>Read the technical deep dive blog post on <a href=\"/fine-tuned-inference-with-loras\">fine-tuning with LoRA</a> and <a href=\"https://developers.cloudflare.com/workers-ai/fine-tunes\">developer docs</a> to get started.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"write-workers-in-python\">Write Workers in Python</h3>\n <a href=\"#write-workers-in-python\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Python is the second most popular programming language in the world (after JavaScript) and the language of choice for building AI applications. And starting today, in open beta, you can now <a href=\"https://ggu-python.cloudflare-docs-7ou.pages.dev/workers/languages/python/\">write Cloudflare Workers in Python</a>. Python Workers support all <a href=\"https://developers.cloudflare.com/workers/configuration/bindings/\">bindings</a> to resources on Cloudflare, including <a href=\"https://developers.cloudflare.com/vectorize/\">Vectorize</a>, <a href=\"https://developers.cloudflare.com/d1/\">D1</a>, <a href=\"https://developers.cloudflare.com/kv/\">KV</a>, <a href=\"https://developers.cloudflare.com/r2/\">R2</a> and more.</p><p><a href=\"https://ggu-python.cloudflare-docs-7ou.pages.dev/workers/languages/python/packages/langchain/\">LangChain</a> is the most popular framework for building LLM‑powered applications, and like how <a href=\"/langchain-and-cloudflare\">Workers AI works with langchain-js</a>, the <a href=\"https://python.langchain.com/docs/get_started/introduction\">Python LangChain library</a> works on Python Workers, as do <a href=\"https://ggu-python.cloudflare-docs-7ou.pages.dev/workers/languages/python/packages/\">other Python packages</a> like FastAPI.</p><p>Workers written in Python are just as simple as Workers written in JavaScript:</p>\n <pre class=\"language-js\"><code class=\"language-js\">from js import Response\n\nasync def on_fetch(request, env):\n return Response.new(&quot;Hello world!&quot;)</pre></code>\n <p>…and are configured by simply pointing at a .py file in your <code>wrangler.toml</code>:</p>\n <pre class=\"language-js\"><code class=\"language-js\">name = &quot;hello-world-python-worker&quot;\nmain = &quot;src/entry.py&quot;\ncompatibility_date = &quot;2024-03-18&quot;\ncompatibility_flags = [&quot;python_workers&quot;]</pre></code>\n <p>There are no extra toolchain or precompilation steps needed. The <a href=\"https://pyodide.org/en/stable/\">Pyodide</a> Python execution environment is provided for you, directly by the Workers runtime, mirroring how Workers written in JavaScript already work.</p><p>There’s lots more to dive into — take a look at the <a href=\"https://ggu-python.cloudflare-docs-7ou.pages.dev/workers/languages/python/\">docs</a>, and check out our <a href=\"/python-workers\">companion blog post</a> for details about how Python Workers work behind the scenes.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"ai-gateway-now-supports-anthropic-azure-aws-bedrock-google-vertex-and-perplexity\">AI Gateway now supports Anthropic, Azure, AWS Bedrock, Google Vertex, and Perplexity</h2>\n <a href=\"#ai-gateway-now-supports-anthropic-azure-aws-bedrock-google-vertex-and-perplexity\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n \n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6YaNMed9Aw4YjhbZk75SGI/a53b499b743e36ad2635357118e6623f/image4-2.png\" alt=\"\" class=\"kg-image\" width=\"1999\" height=\"653\" loading=\"lazy\"/>\n \n </figure><p>Our <a href=\"/announcing-ai-gateway\">AI Gateway</a> product helps developers better control and observe their AI applications, with analytics, caching, rate limiting, and more. We are continuing to add more providers to the product, including Anthropic, Google Vertex, and Perplexity, which we’re excited to announce today. We quietly rolled out Azure and Amazon Bedrock support in December 2023, which means that the most popular providers are now supported via AI Gateway, including Workers AI itself.</p><p>Take a look at our <a href=\"https://developers.cloudflare.com/ai-gateway/\">Developer Docs</a> to get started with AI Gateway.</p><h4>Coming soon: Persistent Logs</h4><p>In Q2 of 2024, we will be adding persistent logs so that you can push your logs (including prompts and responses) to object storage, custom metadata so that you can tag requests with user IDs or other identifiers, and secrets management so that you can securely manage your application’s API keys.</p><p>We want AI Gateway to be the control plane for your AI applications, allowing developers to dynamically evaluate and route requests to different models and providers. With our persistent logs feature, we want to enable developers to use their logged data to fine-tune models in one click, eventually running the fine-tune job and the fine-tuned model directly on our Workers AI platform. AI Gateway is just one product in our AI toolkit, but we’re excited about the workflows and use cases it can unlock for developers building on our platform, and we hope you’re excited about it too.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"vectorize-metadata-filtering-and-future-ga-of-million-vector-indexes\">Vectorize metadata filtering and future GA of million vector indexes</h3>\n <a href=\"#vectorize-metadata-filtering-and-future-ga-of-million-vector-indexes\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Vectorize is another component of our toolkit for AI applications. In open beta since September 2023, Vectorize allows developers to persist embeddings (vectors), like those generated from Workers AI <a href=\"https://developers.cloudflare.com/workers-ai/models/#text-embeddings\">text embedding</a> models, and query for the closest match to support use cases like similarity search or recommendations. Without a vector database, model output is forgotten and can’t be recalled without extra costs to re-run a model.</p><p>Since Vectorize’s open beta, we’ve added <a href=\"https://developers.cloudflare.com/vectorize/reference/metadata-filtering/\">metadata filtering</a>. Metadata filtering lets developers combine vector search with filtering for arbitrary metadata, supporting the query complexity in AI applications. We’re laser-focused on getting Vectorize ready for general availability, with an target launch date of June 2024, which will include support for multi-million vector indexes.</p>\n <pre class=\"language-js\"><code class=\"language-js\">// Insert vectors with metadata\nconst vectors: Array&lt;VectorizeVector&gt; = [\n {\n id: &quot;1&quot;,\n values: [32.4, 74.1, 3.2],\n metadata: { url: &quot;/products/sku/13913913&quot;, streaming_platform: &quot;netflix&quot; }\n },\n {\n id: &quot;2&quot;,\n values: [15.1, 19.2, 15.8],\n metadata: { url: &quot;/products/sku/10148191&quot;, streaming_platform: &quot;hbo&quot; }\n },\n...\n];\nlet upserted = await env.YOUR_INDEX.upsert(vectors);\n\n// Query with metadata filtering\nlet metadataMatches = await env.YOUR_INDEX.query(&lt;queryVector&gt;, { filter: { streaming_platform: &quot;netflix&quot; }} )</pre></code>\n \n <div class=\"flex anchor relative\">\n <h3 id=\"the-most-comprehensive-developer-platform-to-build-ai-applications\">The most comprehensive Developer Platform to build AI applications</h3>\n <a href=\"#the-most-comprehensive-developer-platform-to-build-ai-applications\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>On Cloudflare’s Developer Platform, we believe that all developers should be able to quickly build and ship full-stack applications – and that includes AI experiences as well. With our GA of Workers AI, announcements for Python support in Workers, AI Gateway, and Vectorize, and our partnership with Hugging Face, we’ve expanded the world of possibilities for what you can build with AI on our platform. We hope you are as excited as we are – take a look at all our <a href=\"https://developers.cloudflare.com\">Developer Docs</a> to get started, and <a href=\"https://discord.cloudflare.com/\">let us know</a> what you build.</p>"],"published_at":[0,"2024-04-02T14:01:00.000+01:00"],"updated_at":[0,"2024-10-10T00:22:07.040Z"],"feature_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5oSuLqesmvrY3h7svtxYIH/0607762bb92437135418e8cc71662dec/workers-ai-ga-huggingface-loras-python-support.png"],"tags":[1,[[0,{"id":[0,"2xCnBweKwOI3VXdYsGVbMe"],"name":[0,"Developer Week"],"slug":[0,"developer-week"]}],[0,{"id":[0,"4HIPcb68qM0e26fIxyfzwQ"],"name":[0,"Developers"],"slug":[0,"developers"]}],[0,{"id":[0,"1Wf1Dpb2AFicG44jpRT29y"],"name":[0,"Workers AI"],"slug":[0,"workers-ai"]}],[0,{"id":[0,"3E2D6D4cI82KIloPpl0WZW"],"name":[0,"General Availability"],"slug":[0,"general-availability"]}],[0,{"id":[0,"3JAY3z7p7An94s6ScuSQPf"],"name":[0,"Developer Platform"],"slug":[0,"developer-platform"]}],[0,{"id":[0,"6hbkItfupogJP3aRDAq6v8"],"name":[0,"Cloudflare Workers"],"slug":[0,"workers"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Michelle Chen"],"slug":[0,"michelle"],"bio":[0,null],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1hrcl3aVtUbBuCMeuXETWy/93dbfbc7d41c09ba35d863312dbde89d/michelle.jpg"],"location":[0,null],"website":[0,null],"twitter":[0,"@_mchenco"],"facebook":[0,null]}],[0,{"name":[0,"Jesse Kipp"],"slug":[0,"jesse"],"bio":[0,null],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg"],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}],[0,{"name":[0,"Syona Sarma"],"slug":[0,"syona"],"bio":[0,null],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7wXARteBqVJbvxNdpYb71v/5023716b54c8eda890b43d0092a19d12/syona.jpg"],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}],[0,{"name":[0,"Brendan Irvine-Broque"],"slug":[0,"brendan-irvine-broque"],"bio":[0,"Product Manager, Cloudflare Stream"],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/lTJBFKfbqthKbJKPvulre/e8bf53afa7caf1dffeeb55a8c6884959/brendan-irvine-broque.JPG"],"location":[0,"Oakland, CA"],"website":[0,"https://www.cloudflare.com/products/cloudflare-stream/"],"twitter":[0,"@irvinebroque"],"facebook":[0,null]}],[0,{"name":[0,"Vy Ton"],"slug":[0,"vy"],"bio":[0,"Product Manager at Cloudflare."],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/47vp9vXZx8EXsnBFmCK8NS/2f7f46cdadaa4545e2b61d9c674d1e5a/vy.png"],"location":[0,null],"website":[0,null],"twitter":[0,"@vaiton13"],"facebook":[0,null]}]]],"meta_description":[0,null],"primary_author":[0,{}],"localeList":[0,{"name":[0,"Leveling up Workers AI: general availability and more new capabilities Config"],"enUS":[0,"English for Locale"],"zhCN":[0,"Translated for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"Translated for Locale"],"frFR":[0,"Translated for Locale"],"deDE":[0,"Translated for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"Translated for Locale"],"koKR":[0,"Translated for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"Translated for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,"https://blog.cloudflare.com/workers-ai-ga-huggingface-loras-python-support"],"metadata":[0,{"title":[0,"Leveling up Workers AI: general availability and more new capabilities"],"description":[0,null],"imgPreview":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4i5mQ8CannxG6XxFtKKQoB/3885f1a05a4be264e16d2180dfbcf006/workers-ai-ga-huggingface-loras-python-support-x0Uhh5.png"]}]}],"translations":[0,{"posts.by":[0,"By"],"footer.gdpr":[0,"GDPR"],"lang_blurb1":[0,"This post is also available in {lang1}."],"lang_blurb2":[0,"This post is also available in {lang1} and {lang2}."],"lang_blurb3":[0,"This post is also available in {lang1}, {lang2} and {lang3}."],"footer.press":[0,"Press"],"header.title":[0,"The Cloudflare Blog"],"search.clear":[0,"Clear"],"search.filter":[0,"Filter"],"search.source":[0,"Source"],"footer.careers":[0,"Careers"],"footer.company":[0,"Company"],"footer.support":[0,"Support"],"footer.the_net":[0,"theNet"],"search.filters":[0,"Filters"],"footer.our_team":[0,"Our team"],"footer.webinars":[0,"Webinars"],"page.more_posts":[0,"More posts"],"posts.time_read":[0,"{time} min read"],"search.language":[0,"Language"],"footer.community":[0,"Community"],"footer.resources":[0,"Resources"],"footer.solutions":[0,"Solutions"],"footer.trademark":[0,"Trademark"],"header.subscribe":[0,"Subscribe"],"footer.compliance":[0,"Compliance"],"footer.free_plans":[0,"Free plans"],"footer.impact_ESG":[0,"Impact/ESG"],"posts.follow_on_X":[0,"Follow on X"],"footer.help_center":[0,"Help center"],"footer.network_map":[0,"Network Map"],"header.please_wait":[0,"Please Wait"],"page.related_posts":[0,"Related posts"],"search.result_stat":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong> for <strong>{search_keyword}</strong>"],"footer.case_studies":[0,"Case Studies"],"footer.connect_2024":[0,"Connect 2024"],"footer.terms_of_use":[0,"Terms of Use"],"footer.white_papers":[0,"White Papers"],"footer.cloudflare_tv":[0,"Cloudflare TV"],"footer.community_hub":[0,"Community Hub"],"footer.compare_plans":[0,"Compare plans"],"footer.contact_sales":[0,"Contact Sales"],"header.contact_sales":[0,"Contact Sales"],"header.email_address":[0,"Email Address"],"page.error.not_found":[0,"Page not found"],"footer.developer_docs":[0,"Developer docs"],"footer.privacy_policy":[0,"Privacy Policy"],"footer.request_a_demo":[0,"Request a demo"],"page.continue_reading":[0,"Continue reading"],"footer.analysts_report":[0,"Analyst reports"],"footer.for_enterprises":[0,"For enterprises"],"footer.getting_started":[0,"Getting Started"],"footer.learning_center":[0,"Learning Center"],"footer.project_galileo":[0,"Project Galileo"],"pagination.newer_posts":[0,"Newer Posts"],"pagination.older_posts":[0,"Older Posts"],"posts.social_buttons.x":[0,"Discuss on X"],"search.icon_aria_label":[0,"Search"],"search.source_location":[0,"Source/Location"],"footer.about_cloudflare":[0,"About Cloudflare"],"footer.athenian_project":[0,"Athenian Project"],"footer.become_a_partner":[0,"Become a partner"],"footer.cloudflare_radar":[0,"Cloudflare Radar"],"footer.network_services":[0,"Network services"],"footer.trust_and_safety":[0,"Trust & Safety"],"header.get_started_free":[0,"Get Started Free"],"page.search.placeholder":[0,"Search Cloudflare"],"footer.cloudflare_status":[0,"Cloudflare Status"],"footer.cookie_preference":[0,"Cookie Preferences"],"header.valid_email_error":[0,"Must be valid email."],"search.result_stat_empty":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong>"],"footer.connectivity_cloud":[0,"Connectivity cloud"],"footer.developer_services":[0,"Developer services"],"footer.investor_relations":[0,"Investor relations"],"page.not_found.error_code":[0,"Error Code: 404"],"search.autocomplete_title":[0,"Insert a query. Press enter to send"],"footer.logos_and_press_kit":[0,"Logos & press kit"],"footer.application_services":[0,"Application services"],"footer.get_a_recommendation":[0,"Get a recommendation"],"posts.social_buttons.reddit":[0,"Discuss on Reddit"],"footer.sse_and_sase_services":[0,"SSE and SASE services"],"page.not_found.outdated_link":[0,"You may have used an outdated link, or you may have typed the address incorrectly."],"footer.report_security_issues":[0,"Report Security Issues"],"page.error.error_message_page":[0,"Sorry, we can't find the page you are looking for."],"header.subscribe_notifications":[0,"Subscribe to receive notifications of new posts:"],"footer.cloudflare_for_campaigns":[0,"Cloudflare for Campaigns"],"header.subscription_confimation":[0,"Subscription confirmed. Thank you for subscribing!"],"posts.social_buttons.hackernews":[0,"Discuss on Hacker News"],"footer.diversity_equity_inclusion":[0,"Diversity, equity & inclusion"],"footer.critical_infrastructure_defense_project":[0,"Critical Infrastructure Defense Project"]}]}" ssr client="load" opts="{"name":"PostCard","value":true}" await-children> <article class="w-100 featured-post flex flex-row flex-wrap mb4 items-center bb b--gray8 bn-l mt4 mt2-l mb4 ph3 bb b--gray8 bn-l"> <div class="w-100"> <a href="https://blog-cloudflare-com.translate.goog/workers-ai-ga-huggingface-loras-python-support/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw5 no-underline gray1" data-testid="post-title"><h2 class="fw5 mt2">Leveling up Workers AI: general availability and more new capabilities</h2></a> <p class="f3 fw5 gray5 my" data-testid="post-date">2024-04-02</p> <div class=""> <a href="https://blog-cloudflare-com.translate.goog/tag/developer-week/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Developer Week</a><a href="https://blog-cloudflare-com.translate.goog/tag/developers/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Developers</a><a href="https://blog-cloudflare-com.translate.goog/tag/workers-ai/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Workers AI</a><a href="https://blog-cloudflare-com.translate.goog/tag/general-availability/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">General Availability</a><a href="https://blog-cloudflare-com.translate.goog/tag/developer-platform/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Developer Platform</a><a href="https://blog-cloudflare-com.translate.goog/tag/workers/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Cloudflare Workers</a> </div> <p class="f3 fw4 gray1 lh-copy " data-testid="post-content">Today, we’re excited to make a series of announcements, including Workers AI, Cloudflare’s inference platform becoming GA and support for fine-tuned models with LoRAs and one-click deploys from HuggingFace. Cloudflare Workers now supports the Python programming language, and more<!-- -->...</p> <ul class="author-lists flex pl0"> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/michelle/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1hrcl3aVtUbBuCMeuXETWy/93dbfbc7d41c09ba35d863312dbde89d/michelle.jpg" alt="Michelle Chen" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/michelle/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Michelle Chen</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg" alt="Jesse Kipp" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Jesse Kipp</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/syona/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7wXARteBqVJbvxNdpYb71v/5023716b54c8eda890b43d0092a19d12/syona.jpg" alt="Syona Sarma" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/syona/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Syona Sarma</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/brendan-irvine-broque/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/lTJBFKfbqthKbJKPvulre/e8bf53afa7caf1dffeeb55a8c6884959/brendan-irvine-broque.JPG" alt="Brendan Irvine-Broque" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/brendan-irvine-broque/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Brendan Irvine-Broque</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/vy/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/47vp9vXZx8EXsnBFmCK8NS/2f7f46cdadaa4545e2b61d9c674d1e5a/vy.png" alt="Vy Ton" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/vy/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Vy Ton</a> </div></li> </ul> </div> </article><!--astro:end--> </astro-island><astro-island uid="Z1GEIbA" prefix="r3" component-url="/_astro/PostCard.CG32ktie.js" component-export="PostCard" renderer-url="/_astro/client.DLO1yDVm.js" props="{"post":[0,{"id":[0,"4QmaH8GOH4hQA5STcgIbJS"],"title":[0,"Workers AI Update: Hello, Mistral 7B!"],"slug":[0,"workers-ai-update-hello-mistral-7b"],"excerpt":[0,"Today we’re excited to announce that we’ve added the Mistral-7B-v0.1-instruct to Workers AI"],"featured":[0,false],"html":[0,"<p></p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1vOF3ZSPVvD4CPRyt6PCZi/10554230ab60f8f2252ca5ee0eae47c7/Mistral-1.png\" alt=\"Workers AI Update: Hello, Mistral 7B!\" class=\"kg-image\" width=\"1600\" height=\"900\" loading=\"lazy\"/>\n \n </figure><p>Today we’re excited to announce that we’ve added the Mistral-7B-v0.1-instruct to Workers AI. Mistral 7B is a 7.3 billion parameter language model with a number of unique advantages. With some help from the founders of Mistral AI, we’ll look at some of the highlights of the Mistral 7B model, and use the opportunity to dive deeper into “attention” and its variations such as multi-query attention and grouped-query attention.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"mistral-7b-tl-dr\">Mistral 7B tl;dr:</h2>\n <a href=\"#mistral-7b-tl-dr\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Mistral 7B is a 7.3 billion parameter model that puts up <a href=\"https://mistral.ai/news/announcing-mistral-7b/\">impressive numbers on benchmarks</a>. The model:</p><ul><li><p>Outperforms comparable 13B model on all benchmarks</p></li><li><p>Outperforms comparable 34B on many benchmarks,</p></li><li><p>Approaches CodeLlama 7B performance on code, while remaining good at English tasks, and</p></li><li><p>The chat fine-tuned version we’ve deployed outperforms comparable 2 13B chat in the benchmarks provided by Mistral.</p></li></ul><p>Here’s an example of using streaming with the <a href=\"https://developers.cloudflare.com/workers-ai/get-started/rest-api/\">REST API</a>:</p>\n <pre class=\"language-bash\"><code class=\"language-bash\">curl -X POST \\\n“https://api.cloudflare.com/client/v4/accounts/{account-id}/ai/run/@cf/mistral/mistral-7b-instruct-v0.1” \\\n-H “Authorization: Bearer {api-token}” \\\n-H “Content-Type:application/json” \\\n-d &#039;{ “prompt”: “What is grouped query attention”, “stream”: true }&#039;\n\nAPI Response: { response: “Grouped query attention is a technique used in natural language processing (NLP) and machine learning to improve the performance of models…” }</pre></code>\n <p>And here’s an example using a Worker script:</p>\n <pre class=\"language-javascript\"><code class=\"language-javascript\">import { Ai } from &#039;@cloudflare/ai&#039;;\nexport default {\n async fetch(request, env) {\n const ai = new Ai(env.AI);\n const stream = await ai.run(&#039;@cf/mistral/mistral-7b-instruct-v0.1&#039;, {\n prompt: &#039;What is grouped query attention&#039;,\n stream: true\n });\n return Response.json(stream, { headers: { “content-type”: “text/event-stream” } });\n }\n}</pre></code>\n <p>Mistral takes advantage of <a href=\"https://arxiv.org/abs/2305.13245\">grouped-query attention</a> for faster inference. This recently-developed technique improves the speed of inference without compromising output quality. For 7 billion parameter models, we can generate close to 4x as many tokens per second with Mistral as we can with Llama, thanks to Grouped-Query attention.</p><p>You don’t need any information beyond this to start using Mistral-7B, you can test it out today <a href=\"https://ai.cloudflare.com\">ai.cloudflare.com</a>. To learn more about attention and Grouped-Query attention, read on!</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"so-what-is-attention-anyway\">So what is “attention” anyway?</h2>\n <a href=\"#so-what-is-attention-anyway\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>The basic mechanism of attention, specifically “Scaled Dot-Product Attention” as introduced in the landmark paper <a href=\"https://arxiv.org/abs/1706.03762\">Attention Is All You Need</a>, is fairly simple:</p><blockquote><p>We call our particular attention “Scale Dot-Product Attention”. The input consists of query and keys of dimension d_k, and values of dimension d_v. We compute the dot products of the query with all the keys, divide each by sqrt(d_k) and apply a softmax function to obtain the weights on the values.</p></blockquote><p>More concretely, this looks like this:</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7gLX5h3XWjtQugoqf4Yqjh/9f4879fc9078fa291da9caacab1925d7/Screenshot-2023-11-21-at-09.12.30.png\" alt=\"\" class=\"kg-image\" width=\"1882\" height=\"680\" loading=\"lazy\"/>\n \n </figure><p><a href=\"https://arxiv.org/abs/1706.03762\">source</a></p><p>In simpler terms, this allows models to focus on important parts of the input. Imagine you are reading a sentence and trying to understand it. Scaled dot product attention enables you to pay more attention to certain words based on their relevance. It works by calculating the similarity between each word (K) in the sentence and a query (Q). Then, it scales the similarity scores by dividing them by the square root of the dimension of the query. This scaling helps to avoid very small or very large values. Finally, using these scaled similarity scores, we can determine how much attention or importance each word should receive. This attention mechanism helps models identify crucial information (V) and improve their understanding and translation capabilities.</p><p>Easy, right? To get from this simple mechanism to an AI that can write a “Seinfeld episode in which Jerry learns the bubble sort algorithm,” we’ll need to make it more complex. In fact, everything we’ve just covered doesn’t even have any learned parameters — constant values learned during model training that customize the output of the attention block!Attention blocks in the style of <i>Attention is All You Need</i> add mainly three types of complexity:</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"learned-parameters\">Learned parameters</h3>\n <a href=\"#learned-parameters\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Learned parameters refer to values or weights that are adjusted during the training process of a model to improve its performance. These parameters are used to control the flow of information or attention within the model, allowing it to focus on the most relevant parts of the input data. In simpler terms, learned parameters are like adjustable knobs on a machine that can be turned to optimize its operation.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"vertical-stacking-layered-attention-blocks\">Vertical stacking - layered attention blocks</h3>\n <a href=\"#vertical-stacking-layered-attention-blocks\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Vertical layered stacking is a way to stack multiple attention mechanisms on top of each other, with each layer building on the output of the previous layer. This allows the model to focus on different parts of the input data at different levels of abstraction, which can lead to better performance on certain tasks.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"horizontal-stacking-aka-multi-head-attention\">Horizontal stacking - aka Multi-Head Attention</h3>\n <a href=\"#horizontal-stacking-aka-multi-head-attention\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>The figure from the paper displays the full multi-head attention module. Multiple attention operations are carried out in parallel, with the Q-K-V input for each generated by a unique linear projection of the same input data (defined by a unique set of learned parameters). These parallel attention blocks are referred to as “attention heads”. The weighted-sum outputs of all attention heads are concatenated into a single vector and passed through another parameterized linear transformation to get the final output.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5IhI1kh7JOS9ERb3aFuVHg/95e10b554d0f5029bf08fb10262cc29b/Screenshot-2023-11-21-at-09.13.49.png\" alt=\"\" class=\"kg-image\" width=\"1806\" height=\"722\" loading=\"lazy\"/>\n \n </figure><p><a href=\"https://arxiv.org/abs/1706.03762\">source</a></p><p>This mechanism allows a model to focus on different parts of the input data concurrently. Imagine you are trying to understand a complex piece of information, like a sentence or a paragraph. In order to understand it, you need to pay attention to different parts of it at the same time. For example, you might need to pay attention to the subject of the sentence, the verb, and the object, all simultaneously, in order to understand the meaning of the sentence. Multi-headed attention works similarly. It allows a model to pay attention to different parts of the input data at the same time, by using multiple &quot;heads&quot; of attention. Each head of attention focuses on a different aspect of the input data, and the outputs of all the heads are combined to produce the final output of the model.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"styles-of-attention\">Styles of attention</h2>\n <a href=\"#styles-of-attention\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>There are three common arrangements of attention blocks used by large language models developed in recent years: multi-head attention, grouped-query attention and multi-query attention. They differ in the number of K and V vectors relative to the number of query vectors. <b>Multi-head attention</b> uses the same number of K and V vectors as Q vectors, denoted by “N” in the table below. <b>Multi-query attention</b> uses only a single K and V vector. <b>Grouped-query attention</b>, the type used in the Mistral 7B model, divides the Q vectors evenly into groups containing “G” vectors each, then uses a single K and V vector for each group for a total of N divided by G sets of K and V vectors. This summarizes the differences, and we’ll dive into the implications of these below.</p><!--kg-card-begin: html--><table cellspacing=\"0\" style=\"border-collapse:collapse; border:none; width:100%\">\n\t<tbody>\n\t\t<tr>\n\t\t\t<td style=\"border-bottom:1px solid #000000; border-left:1px solid #000000; border-right:1px solid #000000; border-top:1px solid #000000; vertical-align:top; width:232px\">&nbsp;</td>\n\t\t\t<td style=\"border-bottom:1px solid #000000; border-left:1px solid #000000; border-right:1px solid #000000; border-top:1px solid #000000; vertical-align:top; width:189px\">\n\t\t\t<p><span style=\"font-size:11pt\"><span style=\"font-family:Arial,sans-serif\"><span style=\"color:#000000\"><strong>Number of Key/Value Blocks</strong></span></span></span></p>\n\t\t\t</td>\n\t\t\t<td style=\"border-bottom:1px solid #000000; border-left:1px solid #000000; border-right:1px solid #000000; border-top:1px solid #000000; vertical-align:top; width:83px\">\n\t\t\t<p><span style=\"font-size:11pt\"><span style=\"font-family:Arial,sans-serif\"><span style=\"color:#000000\"><strong>Quality</strong></span></span></span></p>\n\t\t\t</td>\n\t\t\t<td style=\"border-bottom:1px solid #000000; border-left:1px solid #000000; border-right:1px solid #000000; border-top:1px solid #000000; vertical-align:top; width:99px\">\n\t\t\t<p><span style=\"font-size:11pt\"><span style=\"font-family:Arial,sans-serif\"><span style=\"color:#000000\"><strong>Memory Usage</strong></span></span></span></p>\n\t\t\t</td>\n\t\t</tr>\n\t\t<tr>\n\t\t\t<td style=\"border-bottom:1px solid #000000; border-left:1px solid #000000; border-right:1px solid #000000; border-top:1px solid #000000; vertical-align:top; width:232px\">\n\t\t\t<p><span style=\"font-size:11pt\"><span style=\"font-family:Arial,sans-serif\"><span style=\"color:#000000\"><strong>Multi-head attention (MHA)</strong></span></span></span></p>\n\t\t\t</td>\n\t\t\t<td style=\"border-bottom:1px solid #000000; border-left:1px solid #000000; border-right:1px solid #000000; border-top:1px solid #000000; vertical-align:top; width:189px\">\n\t\t\t<p><span style=\"font-size:11pt\"><span style=\"font-family:Arial,sans-serif\"><span style=\"color:#000000\">N</span></span></span></p>\n\t\t\t</td>\n\t\t\t<td style=\"border-bottom:1px solid #000000; border-left:1px solid #000000; border-right:1px solid #000000; border-top:1px solid #000000; vertical-align:top; width:83px\">\n\t\t\t<p><span style=\"font-size:11pt\"><span style=\"font-family:Arial,sans-serif\"><span style=\"color:#000000\">Best</span></span></span></p>\n\t\t\t</td>\n\t\t\t<td style=\"border-bottom:1px solid #000000; border-left:1px solid #000000; border-right:1px solid #000000; border-top:1px solid #000000; vertical-align:top; width:99px\">\n\t\t\t<p><span style=\"font-size:11pt\"><span style=\"font-family:Arial,sans-serif\"><span style=\"color:#000000\">Most</span></span></span></p>\n\t\t\t</td>\n\t\t</tr>\n\t\t<tr>\n\t\t\t<td style=\"border-bottom:1px solid #000000; border-left:1px solid #000000; border-right:1px solid #000000; border-top:1px solid #000000; vertical-align:top; width:232px\">\n\t\t\t<p><span style=\"font-size:11pt\"><span style=\"font-family:Arial,sans-serif\"><span style=\"color:#000000\"><strong>Grouped-query attention (GQA)</strong></span></span></span></p>\n\t\t\t</td>\n\t\t\t<td style=\"border-bottom:1px solid #000000; border-left:1px solid #000000; border-right:1px solid #000000; border-top:1px solid #000000; vertical-align:top; width:189px\">\n\t\t\t<p><span style=\"font-size:11pt\"><span style=\"font-family:Arial,sans-serif\"><span style=\"color:#000000\">N / G</span></span></span></p>\n\t\t\t</td>\n\t\t\t<td style=\"border-bottom:1px solid #000000; border-left:1px solid #000000; border-right:1px solid #000000; border-top:1px solid #000000; vertical-align:top; width:83px\">\n\t\t\t<p><span style=\"font-size:11pt\"><span style=\"font-family:Arial,sans-serif\"><span style=\"color:#000000\">Better</span></span></span></p>\n\t\t\t</td>\n\t\t\t<td style=\"border-bottom:1px solid #000000; border-left:1px solid #000000; border-right:1px solid #000000; border-top:1px solid #000000; vertical-align:top; width:99px\">\n\t\t\t<p><span style=\"font-size:11pt\"><span style=\"font-family:Arial,sans-serif\"><span style=\"color:#000000\">Less</span></span></span></p>\n\t\t\t</td>\n\t\t</tr>\n\t\t<tr>\n\t\t\t<td style=\"border-bottom:1px solid #000000; border-left:1px solid #000000; border-right:1px solid #000000; border-top:1px solid #000000; vertical-align:top; width:232px\">\n\t\t\t<p><span style=\"font-size:11pt\"><span style=\"font-family:Arial,sans-serif\"><span style=\"color:#000000\"><strong>Multi-query attention (MQA)</strong></span></span></span></p>\n\t\t\t</td>\n\t\t\t<td style=\"border-bottom:1px solid #000000; border-left:1px solid #000000; border-right:1px solid #000000; border-top:1px solid #000000; vertical-align:top; width:189px\">\n\t\t\t<p><span style=\"font-size:11pt\"><span style=\"font-family:Arial,sans-serif\"><span style=\"color:#000000\">1</span></span></span></p>\n\t\t\t</td>\n\t\t\t<td style=\"border-bottom:1px solid #000000; border-left:1px solid #000000; border-right:1px solid #000000; border-top:1px solid #000000; vertical-align:top; width:83px\">\n\t\t\t<p><span style=\"font-size:11pt\"><span style=\"font-family:Arial,sans-serif\"><span style=\"color:#000000\">Good</span></span></span></p>\n\t\t\t</td>\n\t\t\t<td style=\"border-bottom:1px solid #000000; border-left:1px solid #000000; border-right:1px solid #000000; border-top:1px solid #000000; vertical-align:top; width:99px\">\n\t\t\t<p><span style=\"font-size:11pt\"><span style=\"font-family:Arial,sans-serif\"><span style=\"color:#000000\">Least</span></span></span></p>\n\t\t\t</td>\n\t\t</tr>\n\t</tbody>\n</table>\n<p style=\"text-align:center\"><span style=\"font-size:9pt\"><span style=\"font-family:Arial,sans-serif\"><span style=\"color:#000000\">Summary of attention styles</span></span></span></p><!--kg-card-end: html--><p>And this diagram helps illustrate the difference between the three styles:</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2n8Qcj00djVDN2KEGUB7Ul/4cbd4f808b5d51e3f470852ecaff8214/image1-6.png\" alt=\"\" class=\"kg-image\" width=\"1112\" height=\"388\" loading=\"lazy\"/>\n \n </figure><p><a href=\"https://arxiv.org/pdf/2305.13245.pdf\">source</a></p>\n <div class=\"flex anchor relative\">\n <h3 id=\"multi-query-attention\">Multi-Query Attention</h3>\n <a href=\"#multi-query-attention\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Multi-query attention was described in 2019 in the paper from Google: <a href=\"https://arxiv.org/abs/1911.02150\">Fast Transformer Decoding: One Write-Head is All You Need</a>. The idea is that instead of creating separate K and V entries for every Q vector in the attention mechanism, as in multi-head attention above, only a single K and V vector is used for the entire set of Q vectors. Thus the name, multiple queries combined into a single attention mechanism. In the paper, this was benchmarked on a translation task and showed performance equal to multi-head attention on the benchmark task.</p><p>Originally the idea was to reduce the total size of memory that is accessed when performing inference for the model. Since then, as generalized models have emerged and grown in number of parameters, the GPU memory needed is often the bottleneck which is the strength of multi-query attention, as it requires the least accelerator memory of the three types of attention. However, as models grew in size and generality, performance of multi-query attention fell relative to multi-head attention.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"grouped-query-attention\">Grouped-Query Attention</h3>\n <a href=\"#grouped-query-attention\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>The newest of the bunch — and the one used by Mistral — is grouped-query attention, as described in the paper <a href=\"https://arxiv.org/abs/2305.13245\">GQA: Training Generalized Multi-Query Transformer Models from Multi-Head Checkpoints</a> that was published on arxiv.org in May 2023. Grouped-query attention combines the best of both worlds: the quality of multi-headed attention with the speed and low memory usage of multi-query attention. Instead of either a single set of K and V vectors or one set for every Q vector, a fixed ratio of 1 set of K and V vectors for every Q vector is used, reducing memory usage but retaining high performance on many tasks.</p><p>Often choosing a model for a production task is not just about picking the best model available because we must consider tradeoffs between performance, memory usage, batch size, and available hardware (or cloud costs). Understanding these three styles of attention can help guide those decisions and understand when we might choose a particular model given our circumstances.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"enter-mistral-try-it-today\">Enter Mistral — try it today</h2>\n <a href=\"#enter-mistral-try-it-today\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Being one of the first large language models to leverage grouped-query attention and combining it with sliding window attention, Mistral seems to have hit the goldilocks zone — it’s low latency, high-throughput, and it performs really well on benchmarks even when compared to bigger models (13B). All this to say is that it packs a punch for its size, and we couldn&#39;t be more excited to make it available to all developers today, via Workers AI.</p><p>Head over to our <a href=\"https://developers.cloudflare.com/workers-ai/models/text-generation/\">developer docs</a> to get started, and if you need help, want to give feedback, or want to share what you’re building just pop into our <a href=\"https://discord.com/invite/cloudflaredev\">Developer Discord</a>!</p><p>The Workers AI team is also expanding and hiring; check our <a href=\"https://www.cloudflare.com/careers/jobs/\">jobs page</a> for open roles if you’re passionate about AI engineering and want to help us build and evolve our global, serverless GPU-powered inference platform.</p>"],"published_at":[0,"2023-11-21T14:00:58.000+00:00"],"updated_at":[0,"2024-10-09T23:26:27.655Z"],"feature_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4EvWsMf3whYL6fKg9YhekN/a81b321cc0a48054834db993a636b342/workers-ai-update-hello-mistral-7b.png"],"tags":[1,[[0,{"id":[0,"1Wf1Dpb2AFicG44jpRT29y"],"name":[0,"Workers AI"],"slug":[0,"workers-ai"]}],[0,{"id":[0,"6hbkItfupogJP3aRDAq6v8"],"name":[0,"Cloudflare Workers"],"slug":[0,"workers"]}],[0,{"id":[0,"4HIPcb68qM0e26fIxyfzwQ"],"name":[0,"Developers"],"slug":[0,"developers"]}],[0,{"id":[0,"3JAY3z7p7An94s6ScuSQPf"],"name":[0,"Developer Platform"],"slug":[0,"developer-platform"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Jesse Kipp"],"slug":[0,"jesse"],"bio":[0,null],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg"],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}],[0,{"name":[0,"Isaac Rehg"],"slug":[0,"isaac-rehg"],"bio":[0,null],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1UL9SXrwwlSZ91njGDCyzD/89b2b5136f0d3c44c56903420c0ef650/isaac-rehg.jpeg"],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}]]],"meta_description":[0,"Today we’re excited to announce that we’ve added the Mistral-7B-v0.1-instruct to Workers AI."],"primary_author":[0,{}],"localeList":[0,{"name":[0,"Workers AI Update: Hello, Mistral 7B! Config"],"enUS":[0,"English for Locale"],"zhCN":[0,"Translated for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"Translated for Locale"],"frFR":[0,"Translated for Locale"],"deDE":[0,"Translated for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"Translated for Locale"],"koKR":[0,"Translated for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"No Page for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"Translated for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,"https://blog.cloudflare.com/workers-ai-update-hello-mistral-7b"],"metadata":[0,{"title":[0,"Workers AI Update: Hello, Mistral 7B!"],"description":[0,"Today we’re excited to announce that we’ve added the Mistral-7B-v0.1-instruct to Workers AI."],"imgPreview":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1w0VFuyZxsKnVazrMmNrZ4/663cbc88572af8e2a17d89477c65998c/workers-ai-update-hello-mistral-7b-cMSP2d.png"]}]}],"translations":[0,{"posts.by":[0,"By"],"footer.gdpr":[0,"GDPR"],"lang_blurb1":[0,"This post is also available in {lang1}."],"lang_blurb2":[0,"This post is also available in {lang1} and {lang2}."],"lang_blurb3":[0,"This post is also available in {lang1}, {lang2} and {lang3}."],"footer.press":[0,"Press"],"header.title":[0,"The Cloudflare Blog"],"search.clear":[0,"Clear"],"search.filter":[0,"Filter"],"search.source":[0,"Source"],"footer.careers":[0,"Careers"],"footer.company":[0,"Company"],"footer.support":[0,"Support"],"footer.the_net":[0,"theNet"],"search.filters":[0,"Filters"],"footer.our_team":[0,"Our team"],"footer.webinars":[0,"Webinars"],"page.more_posts":[0,"More posts"],"posts.time_read":[0,"{time} min read"],"search.language":[0,"Language"],"footer.community":[0,"Community"],"footer.resources":[0,"Resources"],"footer.solutions":[0,"Solutions"],"footer.trademark":[0,"Trademark"],"header.subscribe":[0,"Subscribe"],"footer.compliance":[0,"Compliance"],"footer.free_plans":[0,"Free plans"],"footer.impact_ESG":[0,"Impact/ESG"],"posts.follow_on_X":[0,"Follow on X"],"footer.help_center":[0,"Help center"],"footer.network_map":[0,"Network Map"],"header.please_wait":[0,"Please Wait"],"page.related_posts":[0,"Related posts"],"search.result_stat":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong> for <strong>{search_keyword}</strong>"],"footer.case_studies":[0,"Case Studies"],"footer.connect_2024":[0,"Connect 2024"],"footer.terms_of_use":[0,"Terms of Use"],"footer.white_papers":[0,"White Papers"],"footer.cloudflare_tv":[0,"Cloudflare TV"],"footer.community_hub":[0,"Community Hub"],"footer.compare_plans":[0,"Compare plans"],"footer.contact_sales":[0,"Contact Sales"],"header.contact_sales":[0,"Contact Sales"],"header.email_address":[0,"Email Address"],"page.error.not_found":[0,"Page not found"],"footer.developer_docs":[0,"Developer docs"],"footer.privacy_policy":[0,"Privacy Policy"],"footer.request_a_demo":[0,"Request a demo"],"page.continue_reading":[0,"Continue reading"],"footer.analysts_report":[0,"Analyst reports"],"footer.for_enterprises":[0,"For enterprises"],"footer.getting_started":[0,"Getting Started"],"footer.learning_center":[0,"Learning Center"],"footer.project_galileo":[0,"Project Galileo"],"pagination.newer_posts":[0,"Newer Posts"],"pagination.older_posts":[0,"Older Posts"],"posts.social_buttons.x":[0,"Discuss on X"],"search.icon_aria_label":[0,"Search"],"search.source_location":[0,"Source/Location"],"footer.about_cloudflare":[0,"About Cloudflare"],"footer.athenian_project":[0,"Athenian Project"],"footer.become_a_partner":[0,"Become a partner"],"footer.cloudflare_radar":[0,"Cloudflare Radar"],"footer.network_services":[0,"Network services"],"footer.trust_and_safety":[0,"Trust & Safety"],"header.get_started_free":[0,"Get Started Free"],"page.search.placeholder":[0,"Search Cloudflare"],"footer.cloudflare_status":[0,"Cloudflare Status"],"footer.cookie_preference":[0,"Cookie Preferences"],"header.valid_email_error":[0,"Must be valid email."],"search.result_stat_empty":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong>"],"footer.connectivity_cloud":[0,"Connectivity cloud"],"footer.developer_services":[0,"Developer services"],"footer.investor_relations":[0,"Investor relations"],"page.not_found.error_code":[0,"Error Code: 404"],"search.autocomplete_title":[0,"Insert a query. Press enter to send"],"footer.logos_and_press_kit":[0,"Logos & press kit"],"footer.application_services":[0,"Application services"],"footer.get_a_recommendation":[0,"Get a recommendation"],"posts.social_buttons.reddit":[0,"Discuss on Reddit"],"footer.sse_and_sase_services":[0,"SSE and SASE services"],"page.not_found.outdated_link":[0,"You may have used an outdated link, or you may have typed the address incorrectly."],"footer.report_security_issues":[0,"Report Security Issues"],"page.error.error_message_page":[0,"Sorry, we can't find the page you are looking for."],"header.subscribe_notifications":[0,"Subscribe to receive notifications of new posts:"],"footer.cloudflare_for_campaigns":[0,"Cloudflare for Campaigns"],"header.subscription_confimation":[0,"Subscription confirmed. Thank you for subscribing!"],"posts.social_buttons.hackernews":[0,"Discuss on Hacker News"],"footer.diversity_equity_inclusion":[0,"Diversity, equity & inclusion"],"footer.critical_infrastructure_defense_project":[0,"Critical Infrastructure Defense Project"]}]}" ssr client="load" opts="{"name":"PostCard","value":true}" await-children> <article class="w-100 featured-post flex flex-row flex-wrap mb4 items-center bb b--gray8 bn-l mt4 mt2-l mb4 ph3 bb b--gray8 bn-l"> <div class="w-100"> <a href="https://blog-cloudflare-com.translate.goog/workers-ai-update-hello-mistral-7b/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw5 no-underline gray1" data-testid="post-title"><h2 class="fw5 mt2">Workers AI Update: Hello, Mistral 7B!</h2></a> <p class="f3 fw5 gray5 my" data-testid="post-date">2023-11-21</p> <div class=""> <a href="https://blog-cloudflare-com.translate.goog/tag/workers-ai/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Workers AI</a><a href="https://blog-cloudflare-com.translate.goog/tag/workers/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Cloudflare Workers</a><a href="https://blog-cloudflare-com.translate.goog/tag/developers/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Developers</a><a href="https://blog-cloudflare-com.translate.goog/tag/developer-platform/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Developer Platform</a> </div> <p class="f3 fw4 gray1 lh-copy " data-testid="post-content">Today we’re excited to announce that we’ve added the Mistral-7B-v0.1-instruct to Workers AI<!-- -->...</p> <ul class="author-lists flex pl0"> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg" alt="Jesse Kipp" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Jesse Kipp</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/isaac-rehg/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1UL9SXrwwlSZ91njGDCyzD/89b2b5136f0d3c44c56903420c0ef650/isaac-rehg.jpeg" alt="Isaac Rehg" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/isaac-rehg/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Isaac Rehg</a> </div></li> </ul> </div> </article><!--astro:end--> </astro-island><astro-island uid="1A5Auy" prefix="r4" component-url="/_astro/PostCard.CG32ktie.js" component-export="PostCard" renderer-url="/_astro/client.DLO1yDVm.js" props="{"post":[0,{"id":[0,"4RWvzttPkO6JoYsMwoovJ8"],"title":[0,"Streaming and longer context lengths for LLMs on Workers AI"],"slug":[0,"workers-ai-streaming"],"excerpt":[0,"Workers AI now supports streaming text responses for the LLM models in our catalog, including Llama-2, using server-sent events"],"featured":[0,false],"html":[0,"<p></p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6hqH5G1qi0RIrmIsdkb1Ql/0d7746c5af2fe23d347ef7192d868b36/pasted-image-0--3--2.png\" alt=\"Streaming LLMs and longer context lengths available in Workers AI\" class=\"kg-image\" width=\"1600\" height=\"901\" loading=\"lazy\"/>\n \n </figure><p>Workers AI is our serverless GPU-powered inference platform running on top of Cloudflare’s global network. It provides a growing catalog of off-the-shelf models that run seamlessly with Workers and enable developers to build powerful and scalable AI applications in minutes. We’ve already seen developers doing amazing things with Workers AI, and we can’t wait to see what they do as we continue to expand the platform. To that end, today we’re excited to announce some of our most-requested new features: streaming responses for all <a href=\"https://www.cloudflare.com/learning/ai/what-is-large-language-model/\">Large Language Models</a> (LLMs) on Workers AI, larger context and sequence windows, and a full-precision <a href=\"https://developers.cloudflare.com/workers-ai/models/llm/\">Llama-2</a> model variant.</p><p>If you’ve used ChatGPT before, then you’re familiar with the benefits of response streaming, where responses flow in token by token. LLMs work internally by generating responses sequentially using a process of repeated inference — the full output of a LLM model is essentially a sequence of hundreds or thousands of individual prediction tasks. For this reason, while it only takes a few milliseconds to generate a single token, generating the full response takes longer, on the order of seconds. The good news is we can start displaying the response as soon as the first tokens are generated, and append each additional token until the response is complete. This yields a much better experience for the end user — displaying text incrementally as it&#39;s generated not only provides instant responsiveness, but also gives the end-user time to read and interpret the text.</p><p>As of today, you can now use response streaming for any LLM model in our catalog, including the very popular <a href=\"https://developers.cloudflare.com/workers-ai/models/llm/\">Llama-2 model</a>. Here’s how it works.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"server-sent-events-a-little-gem-in-the-browser-api\">Server-sent events: a little gem in the browser API</h3>\n <a href=\"#server-sent-events-a-little-gem-in-the-browser-api\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p><a href=\"https://developer.mozilla.org/en-US/docs/Web/API/Server-sent_events/Using_server-sent_events\">Server-sent events</a> are easy to use, simple to implement on the server side, standardized, and broadly available across many platforms natively or as a polyfill. Server-sent events fill a niche of handling a stream of updates from the server, removing the need for the boilerplate code that would otherwise be necessary to handle the event stream.</p><!--kg-card-begin: html--><style type=\"text/css\">\n.tg {border-collapse:collapse;border-color:#ccc;border-spacing:0;}\n.tg td{background-color:#fff;border-color:#ccc;border-style:solid;border-width:1px;color:#333;\n font-family:Arial, sans-serif;font-size:14px;overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg th{background-color:#f0f0f0;border-color:#ccc;border-style:solid;border-width:1px;color:#333;\n font-family:Arial, sans-serif;font-size:14px;font-weight:normal;overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg .tg-lt9p{background-color:#F3F3F3;text-align:left;vertical-align:top}\n.tg .tg-9qck{background-color:#F3F3F3;font-weight:bold;text-align:left;vertical-align:top}\n.tg .tg-0lax{text-align:left;vertical-align:top}\n</style>\n<table class=\"tg\" width=\"100%\">\n<thead>\n <tr>\n <th class=\"tg-lt9p\"></th>\n <th class=\"tg-9qck\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Easy-to-use</span></th>\n <th class=\"tg-9qck\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Streaming</span></th>\n <th class=\"tg-9qck\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Bidirectional</span></th>\n </tr>\n</thead>\n<tbody>\n <tr>\n <td class=\"tg-9qck\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">fetch</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">✅</span></td>\n <td class=\"tg-0lax\"></td>\n <td class=\"tg-0lax\"></td>\n </tr>\n <tr>\n <td class=\"tg-9qck\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Server-sent events</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">✅</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">✅</span></td>\n <td class=\"tg-0lax\"></td>\n </tr>\n <tr>\n <td class=\"tg-9qck\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Websockets</span></td>\n <td class=\"tg-0lax\"></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">✅</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">✅</span></td>\n </tr>\n</tbody>\n</table><!--kg-card-end: html--><p><sup>Comparing fetch, server-sent events, and websockets</sup></p><p>To get started using streaming on Workers AI’s text generation models with server-sent events, set the “stream” parameter to true in the input of request. This will change the response format and <code>mime-type</code> to <code>text/event-stream</code>.</p><p>Here’s an example of using streaming with the <a href=\"https://developers.cloudflare.com/workers-ai/get-started/rest-api/\">REST API</a>:</p>\n <pre class=\"language-bash\"><code class=\"language-bash\">curl -X POST \\\n&quot;https://api.cloudflare.com/client/v4/accounts/&lt;account&gt;/ai/run/@cf/meta/llama-2-7b-chat-int8&quot; \\\n-H &quot;Authorization: Bearer &lt;token&gt;&quot; \\\n-H &quot;Content-Type:application/json&quot; \\\n-d &#039;{ &quot;prompt&quot;: &quot;where is new york?&quot;, &quot;stream&quot;: true }&#039;\n\ndata: {&quot;response&quot;:&quot;New&quot;}\n\ndata: {&quot;response&quot;:&quot; York&quot;}\n\ndata: {&quot;response&quot;:&quot; is&quot;}\n\ndata: {&quot;response&quot;:&quot; located&quot;}\n\ndata: {&quot;response&quot;:&quot; in&quot;}\n\ndata: {&quot;response&quot;:&quot; the&quot;}\n\n...\n\ndata: [DONE]</pre></code>\n <p>And here’s an example using a Worker script:</p>\n <pre class=\"language-typescript\"><code class=\"language-typescript\">import { Ai } from &quot;@cloudflare/ai&quot;;\nexport default {\n async fetch(request, env, ctx) {\n const ai = new Ai(env.AI, { sessionOptions: { ctx: ctx } });\n const stream = await ai.run(\n &quot;@cf/meta/llama-2-7b-chat-int8&quot;,\n { prompt: &quot;where is new york?&quot;, stream: true }\n );\n return new Response(stream,\n { headers: { &quot;content-type&quot;: &quot;text/event-stream&quot; } }\n );\n }\n}</pre></code>\n <p>If you want to consume the output event-stream from this Worker in a browser page, the client-side JavaScript is something like:</p>\n <pre class=\"language-typescript\"><code class=\"language-typescript\">const source = new EventSource(&quot;/worker-endpoint&quot;);\nsource.onmessage = (event) =&gt; {\n if(event.data==&quot;[DONE]&quot;) {\n // SSE spec says the connection is restarted\n // if we don&#039;t explicitly close it\n source.close();\n return;\n }\n const data = JSON.parse(event.data);\n el.innerHTML += data.response;\n}</pre></code>\n <p>You can use this simple code with any simple HTML page, complex SPAs using React or other Web frameworks.</p><p>This creates a much more interactive experience for the user, who now sees the page update as the response is incrementally created, instead of waiting with a spinner until the entire response sequence has been generated. Try it out streaming on <a href=\"https://ai.cloudflare.com\">ai.cloudflare.com</a>.</p>\n <figure class=\"kg-card kg-image-card kg-width-wide\">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6VIIO6crNIkpaz8hG9n8jg/c703ab696213d0fa814aff31d6d36d09/llama-streaming.gif\" alt=\"\" class=\"kg-image\" width=\"1518\" height=\"610\" loading=\"lazy\"/>\n \n </figure><p>Workers AI supports streaming text responses for the <a href=\"https://developers.cloudflare.com/workers-ai/models/llm/\">Llama-2</a> model and any future LLM models we are adding to our catalog.</p><p>But this is not all.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"higher-precision-longer-context-and-sequence-lengths\">Higher precision, longer context and sequence lengths</h3>\n <a href=\"#higher-precision-longer-context-and-sequence-lengths\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Another top request we heard from our community after the launch of Workers AI was for longer questions and answers in our Llama-2 model. In LLM terminology, this translates to higher context length (the number of tokens the model takes as input before making the prediction) and higher sequence length (the number of tokens the model generates in the response.)</p><p>We’re listening, and in conjunction with streaming, today we are adding a higher 16-bit full-precision Llama-2 variant to the catalog, and increasing the context and sequence lengths for the existing 8-bit version.</p><!--kg-card-begin: html--><style type=\"text/css\">\n.tg {border-collapse:collapse;border-spacing:0;}\n.tg td{border-color:black;border-style:solid;border-width:1px;font-family:Arial, sans-serif;font-size:14px;\n overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg th{border-color:black;border-style:solid;border-width:1px;font-family:Arial, sans-serif;font-size:14px;\n font-weight:normal;overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg .tg-9qck{background-color:#F3F3F3;font-weight:bold;text-align:left;vertical-align:top}\n.tg .tg-0lax{text-align:left;vertical-align:top}\n</style>\n<table class=\"tg\" width=\"100%\">\n<thead>\n <tr>\n <th class=\"tg-9qck\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Model</span></th>\n <th class=\"tg-9qck\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Context length (in)</span></th>\n <th class=\"tg-9qck\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Sequence length (out)</span></th>\n </tr>\n</thead>\n<tbody>\n <tr>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">@cf/meta/llama-2-7b-chat-int8</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">2048 (768 before)</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">1800 (256 before)</span></td>\n </tr>\n <tr>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">@cf/meta/llama-2-7b-chat-fp16</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">3072</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">2500</span></td>\n </tr>\n</tbody>\n</table><!--kg-card-end: html--><p>Streaming, higher precision, and longer context and sequence lengths provide a better user experience and enable new, richer applications using large language models in Workers AI.</p><p>Check the Workers AI <a href=\"https://developers.cloudflare.com/workers-ai\">developer documentation</a> for more information and options. If you have any questions or feedback about Workers AI, please come see us in the <a href=\"https://community.cloudflare.com/\">Cloudflare Community</a> and the <a href=\"https://discord.gg/cloudflaredev\">Cloudflare Discord</a>.If you are interested in machine learning and serverless AI, the Cloudflare Workers AI team is building a global-scale platform and tools that enable our customers to run fast, low-latency inference tasks on top of our network. Check our <a href=\"https://www.cloudflare.com/careers/jobs/\">jobs page</a> for opportunities.</p>"],"published_at":[0,"2023-11-14T14:00:33.000+00:00"],"updated_at":[0,"2024-10-09T23:26:24.125Z"],"feature_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/E30qOKdqjVdLW01aB7qXk/ccd5c2e9e3583a94e651e68ce427fc5e/workers-ai-streaming.png"],"tags":[1,[[0,{"id":[0,"1Wf1Dpb2AFicG44jpRT29y"],"name":[0,"Workers AI"],"slug":[0,"workers-ai"]}],[0,{"id":[0,"6hbkItfupogJP3aRDAq6v8"],"name":[0,"Cloudflare Workers"],"slug":[0,"workers"]}],[0,{"id":[0,"3JAY3z7p7An94s6ScuSQPf"],"name":[0,"Developer Platform"],"slug":[0,"developer-platform"]}],[0,{"id":[0,"78aSAeMjGNmCuetQ7B4OgU"],"name":[0,"JavaScript"],"slug":[0,"javascript"]}],[0,{"id":[0,"5cye1Bh5KxFh3pKSnX8Dsy"],"name":[0,"Serverless"],"slug":[0,"serverless"]}],[0,{"id":[0,"2FQK880QI5lKEUCjVHBber"],"name":[0,"1.1.1.1"],"slug":[0,"1-1-1-1"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Jesse Kipp"],"slug":[0,"jesse"],"bio":[0,null],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg"],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}],[0,{"name":[0,"Celso Martinho"],"slug":[0,"celso"],"bio":[0,"From when Mosaic took over Gopher. Engineering Director at Cloudflare."],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2pzgat1zmt1oF1byi7hskH/7b25e8e00117ee44afe36ad27d7d8032/celso.png"],"location":[0,"Portugal, Lisbon"],"website":[0,"https://celso.io/"],"twitter":[0,"@celso"],"facebook":[0,null]}]]],"meta_description":[0,"Workers AI now supports streaming text responses for the LLM models in our catalog, including Llama-2, using server-sent events"],"primary_author":[0,{}],"localeList":[0,{"name":[0,"Streaming and longer context lengths for LLMs on Workers AI Config"],"enUS":[0,"English for Locale"],"zhCN":[0,"Translated for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"Translated for Locale"],"frFR":[0,"Translated for Locale"],"deDE":[0,"Translated for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"Translated for Locale"],"koKR":[0,"Translated for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"Translated for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,"https://blog.cloudflare.com/workers-ai-streaming"],"metadata":[0,{"title":[0,"Streaming and longer context lengths for LLMs on Workers AI"],"description":[0,"Workers AI now supports streaming text responses for the LLM models in our catalog, including Llama-2, using server-sent events"],"imgPreview":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4IroqQ9dI46SGkhQvNb3XF/99170ace02d15c906c3a3857dfd69731/workers-ai-streaming-nnHfyN.png"]}]}],"translations":[0,{"posts.by":[0,"By"],"footer.gdpr":[0,"GDPR"],"lang_blurb1":[0,"This post is also available in {lang1}."],"lang_blurb2":[0,"This post is also available in {lang1} and {lang2}."],"lang_blurb3":[0,"This post is also available in {lang1}, {lang2} and {lang3}."],"footer.press":[0,"Press"],"header.title":[0,"The Cloudflare Blog"],"search.clear":[0,"Clear"],"search.filter":[0,"Filter"],"search.source":[0,"Source"],"footer.careers":[0,"Careers"],"footer.company":[0,"Company"],"footer.support":[0,"Support"],"footer.the_net":[0,"theNet"],"search.filters":[0,"Filters"],"footer.our_team":[0,"Our team"],"footer.webinars":[0,"Webinars"],"page.more_posts":[0,"More posts"],"posts.time_read":[0,"{time} min read"],"search.language":[0,"Language"],"footer.community":[0,"Community"],"footer.resources":[0,"Resources"],"footer.solutions":[0,"Solutions"],"footer.trademark":[0,"Trademark"],"header.subscribe":[0,"Subscribe"],"footer.compliance":[0,"Compliance"],"footer.free_plans":[0,"Free plans"],"footer.impact_ESG":[0,"Impact/ESG"],"posts.follow_on_X":[0,"Follow on X"],"footer.help_center":[0,"Help center"],"footer.network_map":[0,"Network Map"],"header.please_wait":[0,"Please Wait"],"page.related_posts":[0,"Related posts"],"search.result_stat":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong> for <strong>{search_keyword}</strong>"],"footer.case_studies":[0,"Case Studies"],"footer.connect_2024":[0,"Connect 2024"],"footer.terms_of_use":[0,"Terms of Use"],"footer.white_papers":[0,"White Papers"],"footer.cloudflare_tv":[0,"Cloudflare TV"],"footer.community_hub":[0,"Community Hub"],"footer.compare_plans":[0,"Compare plans"],"footer.contact_sales":[0,"Contact Sales"],"header.contact_sales":[0,"Contact Sales"],"header.email_address":[0,"Email Address"],"page.error.not_found":[0,"Page not found"],"footer.developer_docs":[0,"Developer docs"],"footer.privacy_policy":[0,"Privacy Policy"],"footer.request_a_demo":[0,"Request a demo"],"page.continue_reading":[0,"Continue reading"],"footer.analysts_report":[0,"Analyst reports"],"footer.for_enterprises":[0,"For enterprises"],"footer.getting_started":[0,"Getting Started"],"footer.learning_center":[0,"Learning Center"],"footer.project_galileo":[0,"Project Galileo"],"pagination.newer_posts":[0,"Newer Posts"],"pagination.older_posts":[0,"Older Posts"],"posts.social_buttons.x":[0,"Discuss on X"],"search.icon_aria_label":[0,"Search"],"search.source_location":[0,"Source/Location"],"footer.about_cloudflare":[0,"About Cloudflare"],"footer.athenian_project":[0,"Athenian Project"],"footer.become_a_partner":[0,"Become a partner"],"footer.cloudflare_radar":[0,"Cloudflare Radar"],"footer.network_services":[0,"Network services"],"footer.trust_and_safety":[0,"Trust & Safety"],"header.get_started_free":[0,"Get Started Free"],"page.search.placeholder":[0,"Search Cloudflare"],"footer.cloudflare_status":[0,"Cloudflare Status"],"footer.cookie_preference":[0,"Cookie Preferences"],"header.valid_email_error":[0,"Must be valid email."],"search.result_stat_empty":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong>"],"footer.connectivity_cloud":[0,"Connectivity cloud"],"footer.developer_services":[0,"Developer services"],"footer.investor_relations":[0,"Investor relations"],"page.not_found.error_code":[0,"Error Code: 404"],"search.autocomplete_title":[0,"Insert a query. Press enter to send"],"footer.logos_and_press_kit":[0,"Logos & press kit"],"footer.application_services":[0,"Application services"],"footer.get_a_recommendation":[0,"Get a recommendation"],"posts.social_buttons.reddit":[0,"Discuss on Reddit"],"footer.sse_and_sase_services":[0,"SSE and SASE services"],"page.not_found.outdated_link":[0,"You may have used an outdated link, or you may have typed the address incorrectly."],"footer.report_security_issues":[0,"Report Security Issues"],"page.error.error_message_page":[0,"Sorry, we can't find the page you are looking for."],"header.subscribe_notifications":[0,"Subscribe to receive notifications of new posts:"],"footer.cloudflare_for_campaigns":[0,"Cloudflare for Campaigns"],"header.subscription_confimation":[0,"Subscription confirmed. Thank you for subscribing!"],"posts.social_buttons.hackernews":[0,"Discuss on Hacker News"],"footer.diversity_equity_inclusion":[0,"Diversity, equity & inclusion"],"footer.critical_infrastructure_defense_project":[0,"Critical Infrastructure Defense Project"]}]}" ssr client="load" opts="{"name":"PostCard","value":true}" await-children> <article class="w-100 featured-post flex flex-row flex-wrap mb4 items-center bb b--gray8 bn-l mt4 mt2-l mb4 ph3 bb b--gray8 bn-l"> <div class="w-100"> <a href="https://blog-cloudflare-com.translate.goog/workers-ai-streaming/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw5 no-underline gray1" data-testid="post-title"><h2 class="fw5 mt2">Streaming and longer context lengths for LLMs on Workers AI</h2></a> <p class="f3 fw5 gray5 my" data-testid="post-date">2023-11-14</p> <div class=""> <a href="https://blog-cloudflare-com.translate.goog/tag/workers-ai/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Workers AI</a><a href="https://blog-cloudflare-com.translate.goog/tag/workers/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Cloudflare Workers</a><a href="https://blog-cloudflare-com.translate.goog/tag/developer-platform/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Developer Platform</a><a href="https://blog-cloudflare-com.translate.goog/tag/javascript/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">JavaScript</a><a href="https://blog-cloudflare-com.translate.goog/tag/serverless/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Serverless</a><a href="https://blog-cloudflare-com.translate.goog/tag/1-1-1-1/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">1.1.1.1</a> </div> <p class="f3 fw4 gray1 lh-copy " data-testid="post-content">Workers AI now supports streaming text responses for the LLM models in our catalog, including Llama-2, using server-sent events<!-- -->...</p> <ul class="author-lists flex pl0"> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg" alt="Jesse Kipp" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Jesse Kipp</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/celso/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2pzgat1zmt1oF1byi7hskH/7b25e8e00117ee44afe36ad27d7d8032/celso.png" alt="Celso Martinho" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/celso/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Celso Martinho</a> </div></li> </ul> </div> </article><!--astro:end--> </astro-island><astro-island uid="ZRcgjv" prefix="r5" component-url="/_astro/PostCard.CG32ktie.js" component-export="PostCard" renderer-url="/_astro/client.DLO1yDVm.js" props="{"post":[0,{"id":[0,"5PU2K9rmTCTMLavz6NmIRt"],"title":[0,"Using the power of Cloudflare’s global network to detect malicious domains using machine learning"],"slug":[0,"threat-detection-machine-learning-models"],"excerpt":[0,"Cloudflare has developed proprietary models leveraging machine learning and other advanced analytical techniques to detect security threats that take advantage of the domain name system (DNS)"],"featured":[0,false],"html":[0,"\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7AJmLPVIHc8Bb76BxbVoc0/85553fb148e5b0ce20c767d8d881d6e1/image9-1.png\" alt=\"Using the power of Cloudflare’s global network to detect malicious domains using machine learning\" class=\"kg-image\" width=\"1999\" height=\"1125\" loading=\"lazy\"/>\n \n </figure><p>Cloudflare secures outbound Internet traffic for thousands of organizations every day, protecting users, devices, and data from threats like ransomware and phishing. One way we do this is by intelligently classifying what Internet destinations are risky using the domain name system (DNS). <a href=\"https://www.cloudflare.com/learning/dns/what-is-dns/\">DNS</a> is essential to Internet navigation because it enables users to look up addresses using human-friendly names, like cloudflare.com. For websites, this means translating a <a href=\"https://www.cloudflare.com/learning/dns/glossary/what-is-a-domain-name/\">domain name</a> into the IP address of the server that can deliver the content for that site.</p><p>However, attackers can exploit the DNS system itself, and often use techniques to evade detection and control using domain names that look like random strings. In this blog, we will discuss two techniques threat actors use – DNS tunneling and domain generation algorithms – and explain how Cloudflare uses <a href=\"https://www.cloudflare.com/learning/ai/what-is-machine-learning/\">machine learning</a> to detect them.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"domain-generation-algorithm-dga\">Domain Generation Algorithm (DGA)</h2>\n <a href=\"#domain-generation-algorithm-dga\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Most websites don’t change their domain name very often. This is the point after all, having a stable human-friendly name to be able to connect to a resource on the Internet. However, as a side-effect stable domain names become a point of control, allowing network administrators to use restrictions on domain names to enforce policies, for example blocking access to malicious websites. <a href=\"https://www.cloudflare.com/products/zero-trust/gateway/\">Cloudflare Gateway</a> – our <a href=\"https://www.cloudflare.com/learning/access-management/what-is-a-secure-web-gateway/\">secure web gateway</a> service for threat defense – makes this easy to do by allowing administrators to block risky and suspicious domains based on integrated threat intelligence.</p><p>But what if instead of using a stable domain name, an attacker targeting your users generated random domain names to communicate with, making it more difficult to know in advance what domains to block? This is the idea of Domain Generation Algorithm domains (MITRE ATT&amp;CK technique <a href=\"https://attack.mitre.org/techniques/T1568/002/\">T1568.002</a>).</p><p>After initial installation, malware reaches out to a command-and-control server to receive further instructions, this is called “command and control” (MITRE ATT&amp;CK tactic <a href=\"https://attack.mitre.org/tactics/TA0011/\">TA0011</a>). The attacker may send instructions to perform such actions as gathering and transmitting information about the infected device, downloading additional stages of malware, stealing credentials and private data and sending it to the server, or operating as a bot within a network to perform denial-of-service attacks. Using a domain generation algorithm to frequently generate random domain names to communicate with for command and control gives malware a way to bypass blocks on fixed domains or IP addresses. Each day the malware generates a random set of domain names. To rendezvous with the malware, the attacker registers one of these domain names and awaits communication from the infected device.</p><p>Speed in identifying these domains is important to disrupting an attack. Because the domains rotate each day, by the time the malicious disposition of a domain propagates through the <a href=\"https://www.cloudflare.com/learning/security/what-is-cyber-security/\">cybersecurity</a> community, the malware may have rotated to a new domain name. However, the random nature of these domain names (they are literally a random string of letters!) also gives us an opportunity to detect them using machine learning.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"the-machine-learning-model\">The machine learning model</h3>\n <a href=\"#the-machine-learning-model\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>To identify DGA domains, we trained a model that extends a pre-trained transformers-based neural network. <a href=\"https://blogs.nvidia.com/blog/2022/03/25/what-is-a-transformer-model/\">Transformers-based neural networks</a> are the state-of-the-art technique in natural language processing, and underlie <a href=\"https://www.cloudflare.com/learning/ai/what-is-large-language-model/\">large language models</a> and services like ChatGPT. They are trained by using adjacent words and context around a word or character to “learn” what is likely to come next.</p><p>Domain names largely contain words and abbreviations that are meaningful in human language. Looking at the <a href=\"https://radar.cloudflare.com/domains\">top domains on Cloudflare Radar</a>, we see that they are largely composed of words and common abbreviations, “face” and “book” for example, or “cloud” and “flare”. This makes the knowledge of human language encoded in transformer models a powerful tool for detecting random domain names.</p><p>For DGA models, we curated ground truth data that consisted of domain names observed from Cloudflare’s 1.1.1.1 DNS resolver for the negative class, and we used domain names from known domain generation algorithms for the positive class (all uses of DNS resolver data is completed in accordance with our <a href=\"https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/\">privacy commitments</a>).</p><p>Our final training set contained over 250,000 domain names, and was weighted to include more negative (not DGA domains) than positive cases. We trained three different versions of the model with different architectures: LSTM (Long Short-Term Memory Neural Network), LightGBM (binary classification), and a transformer-based model. We selected the transformer based model based on it having the highest accuracy and F1 score (the <a href=\"https://towardsdatascience.com/the-f1-score-bec2bbc38aa6\">F1 score</a> is a measure of model fit that penalizes having very different precision and recall, on an imbalanced data set the highest accuracy model might be the one that predicts everything either true or false, not what we want!), with an accuracy of over 99% on the test data.</p><p>To compute the score for a new domain never seen before by the model, the domain name is tokenized (i.e. broken up into individual components, in this case characters), and the sequence of characters are passed to the model. The <a href=\"https://huggingface.co/transformers/v3.0.2/index.html\">transformers</a> Python package from Hugging Face makes it easy to use these types of models for a variety of applications. The library supports summarization, question answering, translation, text generation, classification, and more. In this case we use <a href=\"https://huggingface.co/transformers/v3.0.2/index.html\">sequence classification</a>, together with a model that was customized for this task. The output of the model is a score indicating the chance that the domain was generated by a domain generation algorithm. If the score is over our threshold, we label the domain and a domain generation algorithm domain.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"deployment\">Deployment</h3>\n <a href=\"#deployment\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>The expansive view of domain names Cloudflare has from our 1.1.1.1 resolver means we can quickly observe DGA domains after they become active. We process all DNS query names that successfully resolve using this model, so a single successful resolution of the domain name anywhere in Cloudflare’s public resolver network can be detected.</p><p>From the queries observed on 1.1.1.1, we filter down first to new and newly seen domain names. We then apply our DGA classifier to the new and newly seen domain names, allowing us to detect activated command and control domains as soon as they are observed anywhere in the world by the 1.1.1.1 resolver.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/42ST4MV3Qez55tgxi3S4AY/5c98186c63d81fb376ae925c728ebc0b/Deployment.png\" alt=\"\" class=\"kg-image\" width=\"1600\" height=\"658\" loading=\"lazy\"/>\n \n </figure>\n <div class=\"flex anchor relative\">\n <h2 id=\"dns-tunneling-detection\">DNS Tunneling detection</h2>\n <a href=\"#dns-tunneling-detection\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>In issuing commands or extracting data from an installed piece of malware, attackers seek to avoid detection. One way to send data and bypass traditional detection methods is to encode data within another protocol. When the attacker controls the authoritative name server for a domain, information can be encoded as DNS queries and responses. Instead of making a DNS query for a simple domain name, such as <a href=\"http://www.cloudflare.com\">www.cloudflare.com</a>, and getting a response like 104.16.124.96, attackers can send and receive long DNS queries and responses that contain encoded data.</p><p>Here is an example query made by an application performing DNS tunneling (query shortened and partially redacted):</p><p><code>3rroeuvx6bkvfwq7dvruh7adpxzmm3zfyi244myk4gmswch4lcwmkvtqq2cryyi.qrsptavsqmschy2zeghydiff4ogvcacaabc3mpya2baacabqtqcaa2iaaaaocjb.br1ns.example.com</code></p><p>The response data to a query like the one above can vary in length based on the response record type the server uses and the recursive DNS resolvers in the path. Generally, it is at most 255 characters per response record and looks like a random string of characters.</p><!--kg-card-begin: html--><style type=\"text/css\">\n.tg {border-collapse:collapse;border-color:#ccc;border-spacing:0;}\n.tg td{background-color:#fff;border-color:#ccc;border-style:solid;border-width:1px;color:#333;\n font-family:Arial, sans-serif;font-size:14px;overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg th{background-color:#f0f0f0;border-color:#ccc;border-style:solid;border-width:1px;color:#333;\n font-family:Arial, sans-serif;font-size:14px;font-weight:normal;overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg .tg-0lax{text-align:left;vertical-align:top}\n</style>\n<table class=\"tg\" width=\"100%\">\n<thead>\n <tr>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">TXT</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">jdqjtv64k2w4iudbe6b7t2abgubis</span></td>\n </tr>\n</thead>\n</table><!--kg-card-end: html--><p>This ability to take an arbitrary set of bytes and send it to the server as a DNS query and receive a response in the answer data creates a bi-directional communication channel that can be used to transmit any data. The malware running on the infected host encodes the data it wants to transmit as a DNS query name and the infected host sends the DNS query to its resolver.</p><p>Since this query is not a true hostname, but actually encodes some data the malware wishes to transmit, the query is very likely to be unique, and is passed on to the authoritative DNS server for that domain.</p><p>The authoritative DNS server decodes the query back into the original data, and if necessary can transmit it elsewhere on the Internet. Responses go back the other direction, the response data is encoded as a query response (for example a TXT record) and sent back to the malware running on the infected host.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1USLxe7JSl0fwBhhYf2buD/3660b5adcaf710f7a3b7036435361077/DNS-Tunneling-Detection.png\" alt=\"\" class=\"kg-image\" width=\"1600\" height=\"536\" loading=\"lazy\"/>\n \n </figure><p>One challenge with identifying this type of traffic, however, is that there are also many benign applications that use the DNS system to encode or transmit data as well. An example of a query that was classified as not DNS tunneling:</p><p><code>00641f74-8518-4f03-adc2-792a34ea2612.bbbb.example.com</code></p><p>As humans, we can see that the leading portion of this DNS query is a UUID. Queries like this are often used by security and monitoring applications and network appliances to check in. The leading portion of the query might be the unique id of the device or installation that is performing the check-in.</p><p>During the research and training phase our researchers identified a wide variety of different applications that use a large number of random looking DNS queries. Some examples of this include subdomains of <a href=\"https://www.cloudflare.com/learning/cdn/what-is-a-cdn/\">content delivery networks</a>, <a href=\"https://www.cloudflare.com/developer-platform/solutions/live-streaming/\">video streaming</a>, advertising and tracking, security appliances, as well as DNS tunneling. Our researchers investigated and labeled many of these domains, and while doing so, identified features that can be used to distinguish between benign applications and true DNS tunneling.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"the-model\">The model</h3>\n <a href=\"#the-model\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>For this application, we trained a two-stage model. The first stage makes quick yes/no decisions about whether the domain might be a DNS tunneling domain. The second stage of the model makes finer-grained distinctions between legitimate domains that have large numbers of subdomains, such as security appliances or AV false-positive control, and malicious DNS tunneling.</p><p>The first stage is a <a href=\"https://xgboost.readthedocs.io/\">gradient boosted decision tree</a> that gives us an initial classification based on minimal information. A decision tree model is like playing 20 questions – each layer of the decision tree asks a yes or no question, which gets you closer to the final answer. Decision tree models are good at both predicting binary yes/no results as well as incorporating binary or nominal attributes into a prediction, and are fast and lightweight to execute, making them a good fit for this application. <a href=\"https://en.wikipedia.org/wiki/Gradient_boosting\">Gradient boosting</a> is a reliable technique for training models that is particularly good at combining several attributes with weak predictive power into a strong predictor. It can be used to train multiple types of models including decision trees as well as numeric predictions.</p><p>If the first stage classifies the domain as “yes, potential DNS tunneling”, it is checked against the second stage, which incorporates data observed from Cloudflare’s 1.1.1.1 DNS resolver. This second model is a <a href=\"https://www.cloudflare.com/learning/ai/what-is-neural-network/\">neural network model</a> and refines the categorization of the first, in order to distinguish legitimate applications.</p><p>In this model, the neural network takes 28 features as input and classifies the domain into one of 17 applications, such as DNS tunneling, IT appliance beacons, or email delivery and spam related. <b>Figure 2</b> shows a diagram generated from the popular Python software package <a href=\"https://keras.io/\">Keras</a> showing the layers of this neural network. We see the 28 input features at the top layer and at the bottom layer, the 17 output values indicating the prediction value for each type of application. This neural network is very small, having about 2,000 individual weights that can be set during the training process. In the next section we will see an example of a model that is based on a state-of-the-art pretrained model from a model family that has tens to hundreds of millions of predefined weights.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6qkJkL0s3NDzVk4cgEl0hq/2b34d1060f540b0d8eda15ab694a14ad/Screenshot-2023-03-15-at-11.24.14.png\" alt=\"\" class=\"kg-image\" width=\"1596\" height=\"814\" loading=\"lazy\"/>\n \n </figure><p>Fig. 2, The keras.utils.plot_model() function draws a diagram of the neural network layers.</p><p>Figure 3 shows a plot of the feature values of the applications we are trying to distinguish in polar coordinates. Each color is the feature values of all the domains the model classified as a single type of application over a sample period. The position around the circle (theta) is the feature, and the distance from the center (rho) is the value of that feature. We can see how many of the applications have similar feature values.</p><p>When we observe a new domain and compute its feature values, our model uses those feature values to give us a prediction about which application the new domain resembles. As mentioned, the neural network has 28 inputs each of which is the value for a single feature and 17 outputs. The 17 output values represent the prediction that the domain is each of those 17 different types of applications, with malicious DNS tunneling being one of the 17 outputs. The job of the model is to convert the sometimes small differences between the feature values into a prediction. If the value of the malicious DNS tunneling output of the neural network is higher than the other outputs, the domain is labeled as a security threat.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1FaIlCe95na1Jfpx8WzfT7/93729854869830e3e4fbc460f50029f3/Screenshot-2023-03-15-at-11.24.49.png\" alt=\"\" class=\"kg-image\" width=\"1614\" height=\"1066\" loading=\"lazy\"/>\n \n </figure><p>Fig. 3, Domains containing high-entropy DNS subdomains, visualized as feature plots. Each section around the circumference of the plot represents a different feature of the observed DNS queries. The distance from the center represents the value of that feature. Each color line is a distinct application, and machine learning helps us distinguish between these and classify them.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"deployment\">Deployment</h3>\n <a href=\"#deployment\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>For the DNS tunneling model, our system consumes the logs from our secure web gateway service. The first stage model is applied to all DNS queries. Domains that are flagged as possible DNS tunneling are then sent to the second stage where the prediction is refined using additional features.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2g99YpOWjODQHlrYssdkLS/6e1a77e0b7a31ec0b33121d6e1aa6db6/Deployment_2.png\" alt=\"\" class=\"kg-image\" width=\"1600\" height=\"622\" loading=\"lazy\"/>\n \n </figure>\n <div class=\"flex anchor relative\">\n <h2 id=\"looking-forward-combining-machine-learning-with-human-expertise\">Looking forward: combining machine learning with human expertise</h2>\n <a href=\"#looking-forward-combining-machine-learning-with-human-expertise\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>In September 2022, Cloudflare announced the <a href=\"/cloudforce-one-is-now-ga/\">general availability of our threat operations and research team, Cloudforce One</a>, which allows our in-house experts to share insights directly with customers. Layering this human element on top of the ML models that we have already developed helps Cloudflare deliver additional protection threat protection for our customers, as we plan to explain in the next article in this blog series.</p><p>Until then, <a href=\"https://dash.cloudflare.com/sign-up/teams\">click here to create a free account</a>, with no time limit for up to 50 users, and point just your DNS traffic, or all traffic (layers 4 to 7), to Cloudflare to protect your team, devices, and data with machine learning-driven threat defense.</p>"],"published_at":[0,"2023-03-15T13:00:00.000+00:00"],"updated_at":[0,"2024-11-06T16:53:39.472Z"],"feature_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/36sUD65yDhNrKOoRFe9iDY/5e6cc4d362c104fb5d7ca73734de6f0e/threat-detection-machine-learning-models.png"],"tags":[1,[[0,{"id":[0,"3DmitkNK6euuD5BlhuvOLW"],"name":[0,"Security Week"],"slug":[0,"security-week"]}],[0,{"id":[0,"J61Eszqn98amrYHq4IhTx"],"name":[0,"Zero Trust"],"slug":[0,"zero-trust"]}],[0,{"id":[0,"15qx2Nvwrm4X8zknw3vXgC"],"name":[0,"Cloudflare Gateway"],"slug":[0,"gateway"]}],[0,{"id":[0,"6Foe3R8of95cWVnQwe5Toi"],"name":[0,"AI"],"slug":[0,"ai"]}],[0,{"id":[0,"6hv2Z69PGr0qU411KfQNUE"],"name":[0,"Threat Intelligence"],"slug":[0,"threat-intelligence"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Jesse Kipp"],"slug":[0,"jesse"],"bio":[0,null],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg"],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}]]],"meta_description":[0,"Cloudflare has developed proprietary models leveraging machine learning and other advanced analytical techniques to detect security threats that take advantage of the domain name system (DNS)."],"primary_author":[0,{}],"localeList":[0,{"name":[0,"Using the power of Cloudflare’s global network to detect malicious domains using machine learning Config"],"enUS":[0,"English for Locale"],"zhCN":[0,"No Page for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"No Page for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"No Page for Locale"],"koKR":[0,"No Page for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"No Page for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,"https://blog.cloudflare.com/threat-detection-machine-learning-models"],"metadata":[0,{"title":[0,"Using the power of Cloudflare’s global network to detect malicious domains using machine learning"],"description":[0,"Cloudflare has developed proprietary models leveraging machine learning and other advanced analytical techniques to detect security threats that take advantage of the domain name system (DNS)."],"imgPreview":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6LGGJRFvPzgpYv39Zes0Wa/0dd83144dfe82a89a311bac7863382b5/threat-detection-machine-learning-models-sSJ28F.png"]}]}],"translations":[0,{"posts.by":[0,"By"],"footer.gdpr":[0,"GDPR"],"lang_blurb1":[0,"This post is also available in {lang1}."],"lang_blurb2":[0,"This post is also available in {lang1} and {lang2}."],"lang_blurb3":[0,"This post is also available in {lang1}, {lang2} and {lang3}."],"footer.press":[0,"Press"],"header.title":[0,"The Cloudflare Blog"],"search.clear":[0,"Clear"],"search.filter":[0,"Filter"],"search.source":[0,"Source"],"footer.careers":[0,"Careers"],"footer.company":[0,"Company"],"footer.support":[0,"Support"],"footer.the_net":[0,"theNet"],"search.filters":[0,"Filters"],"footer.our_team":[0,"Our team"],"footer.webinars":[0,"Webinars"],"page.more_posts":[0,"More posts"],"posts.time_read":[0,"{time} min read"],"search.language":[0,"Language"],"footer.community":[0,"Community"],"footer.resources":[0,"Resources"],"footer.solutions":[0,"Solutions"],"footer.trademark":[0,"Trademark"],"header.subscribe":[0,"Subscribe"],"footer.compliance":[0,"Compliance"],"footer.free_plans":[0,"Free plans"],"footer.impact_ESG":[0,"Impact/ESG"],"posts.follow_on_X":[0,"Follow on X"],"footer.help_center":[0,"Help center"],"footer.network_map":[0,"Network Map"],"header.please_wait":[0,"Please Wait"],"page.related_posts":[0,"Related posts"],"search.result_stat":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong> for <strong>{search_keyword}</strong>"],"footer.case_studies":[0,"Case Studies"],"footer.connect_2024":[0,"Connect 2024"],"footer.terms_of_use":[0,"Terms of Use"],"footer.white_papers":[0,"White Papers"],"footer.cloudflare_tv":[0,"Cloudflare TV"],"footer.community_hub":[0,"Community Hub"],"footer.compare_plans":[0,"Compare plans"],"footer.contact_sales":[0,"Contact Sales"],"header.contact_sales":[0,"Contact Sales"],"header.email_address":[0,"Email Address"],"page.error.not_found":[0,"Page not found"],"footer.developer_docs":[0,"Developer docs"],"footer.privacy_policy":[0,"Privacy Policy"],"footer.request_a_demo":[0,"Request a demo"],"page.continue_reading":[0,"Continue reading"],"footer.analysts_report":[0,"Analyst reports"],"footer.for_enterprises":[0,"For enterprises"],"footer.getting_started":[0,"Getting Started"],"footer.learning_center":[0,"Learning Center"],"footer.project_galileo":[0,"Project Galileo"],"pagination.newer_posts":[0,"Newer Posts"],"pagination.older_posts":[0,"Older Posts"],"posts.social_buttons.x":[0,"Discuss on X"],"search.icon_aria_label":[0,"Search"],"search.source_location":[0,"Source/Location"],"footer.about_cloudflare":[0,"About Cloudflare"],"footer.athenian_project":[0,"Athenian Project"],"footer.become_a_partner":[0,"Become a partner"],"footer.cloudflare_radar":[0,"Cloudflare Radar"],"footer.network_services":[0,"Network services"],"footer.trust_and_safety":[0,"Trust & Safety"],"header.get_started_free":[0,"Get Started Free"],"page.search.placeholder":[0,"Search Cloudflare"],"footer.cloudflare_status":[0,"Cloudflare Status"],"footer.cookie_preference":[0,"Cookie Preferences"],"header.valid_email_error":[0,"Must be valid email."],"search.result_stat_empty":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong>"],"footer.connectivity_cloud":[0,"Connectivity cloud"],"footer.developer_services":[0,"Developer services"],"footer.investor_relations":[0,"Investor relations"],"page.not_found.error_code":[0,"Error Code: 404"],"search.autocomplete_title":[0,"Insert a query. Press enter to send"],"footer.logos_and_press_kit":[0,"Logos & press kit"],"footer.application_services":[0,"Application services"],"footer.get_a_recommendation":[0,"Get a recommendation"],"posts.social_buttons.reddit":[0,"Discuss on Reddit"],"footer.sse_and_sase_services":[0,"SSE and SASE services"],"page.not_found.outdated_link":[0,"You may have used an outdated link, or you may have typed the address incorrectly."],"footer.report_security_issues":[0,"Report Security Issues"],"page.error.error_message_page":[0,"Sorry, we can't find the page you are looking for."],"header.subscribe_notifications":[0,"Subscribe to receive notifications of new posts:"],"footer.cloudflare_for_campaigns":[0,"Cloudflare for Campaigns"],"header.subscription_confimation":[0,"Subscription confirmed. Thank you for subscribing!"],"posts.social_buttons.hackernews":[0,"Discuss on Hacker News"],"footer.diversity_equity_inclusion":[0,"Diversity, equity & inclusion"],"footer.critical_infrastructure_defense_project":[0,"Critical Infrastructure Defense Project"]}]}" ssr client="load" opts="{"name":"PostCard","value":true}" await-children> <article class="w-100 featured-post flex flex-row flex-wrap mb4 items-center bb b--gray8 bn-l mt4 mt2-l mb4 ph3 bb b--gray8 bn-l"> <div class="w-100"> <a href="https://blog-cloudflare-com.translate.goog/threat-detection-machine-learning-models/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw5 no-underline gray1" data-testid="post-title"><h2 class="fw5 mt2">Using the power of Cloudflare’s global network to detect malicious domains using machine learning</h2></a> <p class="f3 fw5 gray5 my" data-testid="post-date">2023-03-15</p> <div class=""> <a href="https://blog-cloudflare-com.translate.goog/tag/security-week/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Security Week</a><a href="https://blog-cloudflare-com.translate.goog/tag/zero-trust/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Zero Trust</a><a href="https://blog-cloudflare-com.translate.goog/tag/gateway/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Cloudflare Gateway</a><a href="https://blog-cloudflare-com.translate.goog/tag/ai/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">AI</a><a href="https://blog-cloudflare-com.translate.goog/tag/threat-intelligence/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Threat Intelligence</a> </div> <p class="f3 fw4 gray1 lh-copy " data-testid="post-content">Cloudflare has developed proprietary models leveraging machine learning and other advanced analytical techniques to detect security threats that take advantage of the domain name system (DNS)<!-- -->...</p> <ul class="author-lists flex pl0"> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg" alt="Jesse Kipp" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Jesse Kipp</a> </div></li> </ul> </div> </article><!--astro:end--> </astro-island><astro-island uid="ZWDLAQ" prefix="r6" component-url="/_astro/PostCard.CG32ktie.js" component-export="PostCard" renderer-url="/_astro/client.DLO1yDVm.js" props="{"post":[0,{"id":[0,"qdVDHWjNU7EFOMA2A5uqb"],"title":[0,"New WAF intelligence feeds"],"slug":[0,"new-waf-intelligence-feeds"],"excerpt":[0,"Cloudflare is expanding our WAF’s threat intelligence capabilities by adding four new managed IP lists that can be used as part of any custom firewall rule"],"featured":[0,false],"html":[0,"\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3viqacx0pyK5KfuztWaVO9/ae921f1c63025506f3709dbdff7c339e/unnamed.png\" alt=\"New WAF intelligence feeds\" class=\"kg-image\" width=\"1600\" height=\"900\" loading=\"lazy\"/>\n \n </figure><p>Cloudflare is expanding our <a href=\"https://www.cloudflare.com/learning/ddos/glossary/web-application-firewall-waf/\">WAF’s</a> threat intelligence capabilities by adding four new managed IP lists that can be used as part of any custom firewall rule.</p><p>Managed lists are created and maintained by Cloudflare and are built based on threat intelligence feeds collected by analyzing patterns and trends observed across the Internet. Enterprise customers can already use the Open SOCKS Proxy list (<a href=\"/protecting-apis-from-abuse-and-data-exfiltration/\">launched in March 2021</a>) and today we are adding four new IP lists: “VPNs”, “Botnets, Command and Control Servers”, “Malware” and “Anonymizers”.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/31yUbQ5PMWyQOuR6SKAYVm/e6b624da1f780033213cf902e1e40edb/XkegdawMtkmBmuCmAin8MIzby8BSozlKq1g_EJRwpKwYIkmx_e0t49a3yoc8YYNltTLJBQ3oFxDRmBFxP01RTytGgD-zCwQsfiQr5r2WyFChLu9wsmDjeAx5Rb0i.png\" alt=\"You can check what rules are available in your plan by navigating to Manage Account -> Configuration -> Lists.\" class=\"kg-image\" width=\"750\" height=\"507\" loading=\"lazy\"/>\n \n </figure><p>You can check what rules are available in your plan by navigating to Manage Account → Configuration → Lists.</p><p>Customers can reference these lists when creating a custom firewall rule or in <a href=\"/advanced-rate-limiting/\">Advanced Rate Limiting</a>. For example, you can choose to block all traffic generated by IPs we categorize as VPNs, or rate limit traffic generated by all Anonymizers. You can simply incorporate managed IP lists in the powerful firewall rule builder. Of course, you can also use your own <a href=\"/introducing-ip-lists/\">custom IP list</a>.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/72EGCZbWhomtW9Up3IT9yg/b97c63a343aa7ed580bc0d00987a53ef/WsDGsltjclo0RVf5cZlM3yiQFzdDUIIteuM2jE80480j63zup6IMVvJtrazsG7VSaBTFSgnX0kYqZBpf3xzgqdLOX_VTpxX3sb398t_tj86gO-EiDKFwVoltRR85.png\" alt=\"Managed IP Lists can be used in WAF rules to manage incoming traffic from these IPs.\" class=\"kg-image\" width=\"1600\" height=\"955\" loading=\"lazy\"/>\n \n </figure><p>Managed IP Lists can be used in WAF rules to manage incoming traffic from these IPs.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"where-do-these-feeds-come-from\">Where do these feeds come from?</h3>\n <a href=\"#where-do-these-feeds-come-from\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>These lists are based on Cloudflare-generated threat feeds which are made available as IP lists to be easily consumed in the WAF. Each IP is categorized by combining open source data as well as by analyzing the behavior of each IP leveraging the scale and reach of Cloudflare network. After an IP has been included in one of these feeds, we verify its categorization and feed this information back into our security systems and make it available to our customers in the form of a managed IP list. The content of each list is updated multiple times a day.</p><p>In addition to generating IP classifications based on Cloudflare’s internal data, Cloudflare curates and combines several data sources that we believe provide reliable coverage of active security threats with a low false positive rate. In today’s environment, an IP belonging to a cloud provider might today be distributing malware, but tomorrow might be a critical resource for your company.</p><p>Some IP address classifications are publicly available, OSINT data, for example Tor exit nodes, and Cloudflare takes care of integrating this into our Anonymizer list so that you don’t have to manage integrating this list into every asset in your network. Other classifications are determined or vetted using a variety of DNS techniques, like lookup, PTR record lookup, and observing passive DNS from Cloudflare’s network.</p><p>Our malware and command-and-control focused lists are generated from curated partnerships, and one type of IP address we target when we select partners is data sources that identify security threats that do not have DNS records associated with them.</p><p>Our Anonymizer list encompasses several types of services that perform anonymization, including VPNs, open proxies, and Tor nodes. It is a superset of the more narrowly focused VPN list (known commercial VPN nodes), and the Cloudflare Open Proxies list (proxies that relay traffic without requiring authentication).</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"in-dashboard-ip-annotations\">In dashboard IP annotations</h3>\n <a href=\"#in-dashboard-ip-annotations\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Using these lists to deploy a preventative security policy for these IPs is great, but what about knowing if an IP that is interacting with your website or application is part of a Botnet or VPN? We first released <a href=\"/security-center-investigate/\">contextual information</a> for Anonymizers as part of Security Week 2022, but we are now closing the circle by extending this feature to cover all new lists.</p><p>As part of Cloudflare&#39;s threat intelligence feeds, we are exposing the IP category directly into the dashboard. Say you are investigating requests that were blocked by the WAF and that looked to be probing your application for known software vulnerabilities. If the source IP of these requests is matching with one of our feeds (for example part of a VPN), contextual information will appear directly on the analytics page.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3BEsz0Ts0fqS0o7Rlu0Kh0/a2eeba1c392e9d51a47efac8327e5f98/ba1SUQnRFtLMyaBYf580Fup-l4DJXdqOXEFrBm_KtT6egoEuFy0dh5HSZJvTSokZvDYC1d7US1dlhXMjn2jFgAgNr3Hmf455vhT6sT76JzXpI5ZyTO7bxGrXdj8o.png\" alt=\"When the source IP of a WAF event matches one of the threat feeds, we provide contextual information directly onto the Cloudflare dashboard.\" class=\"kg-image\" width=\"482\" height=\"286\" loading=\"lazy\"/>\n \n </figure><p>When the source IP of a WAF event matches one of the threat feeds, we provide contextual information directly onto the Cloudflare dashboard.</p><p>This information can help you see patterns and decide whether you need to use the managed lists to handle the traffic from these IPs in a particular way, for example by creating a rate limiting rule that reduces the amount of requests these actors can perform over a period of time.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"who-gets-this\">Who gets this?</h3>\n <a href=\"#who-gets-this\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>The following table summarizes what plans have access to each one of these features. Any paying plans will have access to the contextual in-dash information, while Enterprise will be able to use different managed lists. Managed lists can be used only on Enterprise zones within an Enterprise account.</p><!--kg-card-begin: html--><style type=\"text/css\">\n.tg {border-collapse:collapse;border-color:#ccc;border-spacing:0;}\n.tg td{background-color:#fff;border-color:#ccc;border-style:solid;border-width:1px;color:#333;\n font-family:Arial, sans-serif;font-size:14px;overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg th{background-color:#f0f0f0;border-color:#ccc;border-style:solid;border-width:1px;color:#333;\n font-family:Arial, sans-serif;font-size:14px;font-weight:normal;overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg .tg-tfgg{background-color:#EFEFEF;color:#F00;font-weight:bold;text-align:center;vertical-align:top}\n.tg .tg-gpin{background-color:#C9DAF8;text-align:left;vertical-align:top}\n.tg .tg-ekg0{background-color:#EFEFEF;font-weight:bold;text-align:left;vertical-align:top}\n.tg .tg-m0cw{background-color:#C9DAF8;font-weight:bold;text-align:center;vertical-align:top}\n</style>\n<table class=\"tg\" width=\"100%\">\n<thead>\n <tr>\n <th class=\"tg-gpin\"></th>\n <th class=\"tg-m0cw\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\"> FREE</span></th>\n <th class=\"tg-m0cw\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">PRO</span></th>\n <th class=\"tg-m0cw\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">BIZ</span></th>\n <th class=\"tg-m0cw\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">ENT with WAF Essential</span></th>\n <th class=\"tg-m0cw\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">ENT with WAF Advanced *</span></th>\n </tr>\n</thead>\n<tbody>\n <tr>\n <td class=\"tg-ekg0\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Annotations</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">x</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">✅</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">✅</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">✅</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">✅</span></td>\n </tr>\n <tr>\n <td class=\"tg-ekg0\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Open Proxies</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">x</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">x</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">x</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">✅</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">✅</span></td>\n </tr>\n <tr>\n <td class=\"tg-ekg0\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Anonymizers</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">x</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">x</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">x</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">x</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">✅</span></td>\n </tr>\n <tr>\n <td class=\"tg-ekg0\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">VPNs</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">x</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">x</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">x</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">x</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">✅</span></td>\n </tr>\n <tr>\n <td class=\"tg-ekg0\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Botnets, command and control</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">x</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">x</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">x</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">x</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">✅</span></td>\n </tr>\n <tr>\n <td class=\"tg-ekg0\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#000;background-color:transparent\">Malware</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">x</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">x</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">x</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">x</span></td>\n <td class=\"tg-tfgg\"><span style=\"font-weight:700;font-style:normal;text-decoration:none;color:#F00;background-color:transparent\">✅</span></td>\n </tr>\n</tbody>\n</table><!--kg-card-end: html--><p>* Contact your customer success manager to learn how to get access to these lists.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"future-releases\">Future releases</h3>\n <a href=\"#future-releases\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>We are working on enriching our threat feeds even further. In the next months we are going to provide more IP lists, specifically we are looking into lists for cloud providers and Carrier-grade Network Address Translation (CG-NAT).</p>"],"published_at":[0,"2022-07-07T13:57:12.000+01:00"],"updated_at":[0,"2024-10-09T23:19:32.714Z"],"feature_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2Tzt8uJ45h3eGJfb3frnwx/beead46ba7c5f44a68a852b53ce7b7bb/new-waf-intelligence-feeds.png"],"tags":[1,[[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}],[0,{"id":[0,"lGCLqAT2SMojMzw5b6aio"],"name":[0,"WAF"],"slug":[0,"waf"]}],[0,{"id":[0,"6hv2Z69PGr0qU411KfQNUE"],"name":[0,"Threat Intelligence"],"slug":[0,"threat-intelligence"]}],[0,{"id":[0,"3ZEx7HXKLHG0LIUpQQmNEe"],"name":[0,"VPN"],"slug":[0,"vpn"]}],[0,{"id":[0,"4jt6rPFxNfAl9vuQ2yBJ01"],"name":[0,"Botnet"],"slug":[0,"botnet"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Daniele Molteni"],"slug":[0,"daniele"],"bio":[0,null],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3Zh7G3qA4Y20jQXIMgwzOq/1b466a0034dff783ebc2c99595e2e1b6/daniele.jpg"],"location":[0,"London, UK"],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}],[0,{"name":[0,"Jesse Kipp"],"slug":[0,"jesse"],"bio":[0,null],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg"],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}]]],"meta_description":[0,"Cloudflare is expanding our WAF’s threat intelligence capabilities by adding four new managed IP lists that can be used as part of any custom firewall rule."],"primary_author":[0,{}],"localeList":[0,{"name":[0,"New WAF intelligence feeds Config"],"enUS":[0,"English for Locale"],"zhCN":[0,"Translated for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"Translated for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"No Page for Locale"],"koKR":[0,"No Page for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"Translated for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"Translated for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"Translated for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,"https://blog.cloudflare.com/new-waf-intelligence-feeds"],"metadata":[0,{"title":[0,"New WAF intelligence feeds"],"description":[0,"Cloudflare is expanding our WAF’s threat intelligence capabilities by adding four new managed IP lists that can be used as part of any custom firewall rule."],"imgPreview":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1szK36uukJVNXzKq3a5iiZ/f5ceba2f7518d5f81ddbe67704fb6ab5/new-waf-intelligence-feeds-a3c4u5.png"]}]}],"translations":[0,{"posts.by":[0,"By"],"footer.gdpr":[0,"GDPR"],"lang_blurb1":[0,"This post is also available in {lang1}."],"lang_blurb2":[0,"This post is also available in {lang1} and {lang2}."],"lang_blurb3":[0,"This post is also available in {lang1}, {lang2} and {lang3}."],"footer.press":[0,"Press"],"header.title":[0,"The Cloudflare Blog"],"search.clear":[0,"Clear"],"search.filter":[0,"Filter"],"search.source":[0,"Source"],"footer.careers":[0,"Careers"],"footer.company":[0,"Company"],"footer.support":[0,"Support"],"footer.the_net":[0,"theNet"],"search.filters":[0,"Filters"],"footer.our_team":[0,"Our team"],"footer.webinars":[0,"Webinars"],"page.more_posts":[0,"More posts"],"posts.time_read":[0,"{time} min read"],"search.language":[0,"Language"],"footer.community":[0,"Community"],"footer.resources":[0,"Resources"],"footer.solutions":[0,"Solutions"],"footer.trademark":[0,"Trademark"],"header.subscribe":[0,"Subscribe"],"footer.compliance":[0,"Compliance"],"footer.free_plans":[0,"Free plans"],"footer.impact_ESG":[0,"Impact/ESG"],"posts.follow_on_X":[0,"Follow on X"],"footer.help_center":[0,"Help center"],"footer.network_map":[0,"Network Map"],"header.please_wait":[0,"Please Wait"],"page.related_posts":[0,"Related posts"],"search.result_stat":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong> for <strong>{search_keyword}</strong>"],"footer.case_studies":[0,"Case Studies"],"footer.connect_2024":[0,"Connect 2024"],"footer.terms_of_use":[0,"Terms of Use"],"footer.white_papers":[0,"White Papers"],"footer.cloudflare_tv":[0,"Cloudflare TV"],"footer.community_hub":[0,"Community Hub"],"footer.compare_plans":[0,"Compare plans"],"footer.contact_sales":[0,"Contact Sales"],"header.contact_sales":[0,"Contact Sales"],"header.email_address":[0,"Email Address"],"page.error.not_found":[0,"Page not found"],"footer.developer_docs":[0,"Developer docs"],"footer.privacy_policy":[0,"Privacy Policy"],"footer.request_a_demo":[0,"Request a demo"],"page.continue_reading":[0,"Continue reading"],"footer.analysts_report":[0,"Analyst reports"],"footer.for_enterprises":[0,"For enterprises"],"footer.getting_started":[0,"Getting Started"],"footer.learning_center":[0,"Learning Center"],"footer.project_galileo":[0,"Project Galileo"],"pagination.newer_posts":[0,"Newer Posts"],"pagination.older_posts":[0,"Older Posts"],"posts.social_buttons.x":[0,"Discuss on X"],"search.icon_aria_label":[0,"Search"],"search.source_location":[0,"Source/Location"],"footer.about_cloudflare":[0,"About Cloudflare"],"footer.athenian_project":[0,"Athenian Project"],"footer.become_a_partner":[0,"Become a partner"],"footer.cloudflare_radar":[0,"Cloudflare Radar"],"footer.network_services":[0,"Network services"],"footer.trust_and_safety":[0,"Trust & Safety"],"header.get_started_free":[0,"Get Started Free"],"page.search.placeholder":[0,"Search Cloudflare"],"footer.cloudflare_status":[0,"Cloudflare Status"],"footer.cookie_preference":[0,"Cookie Preferences"],"header.valid_email_error":[0,"Must be valid email."],"search.result_stat_empty":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong>"],"footer.connectivity_cloud":[0,"Connectivity cloud"],"footer.developer_services":[0,"Developer services"],"footer.investor_relations":[0,"Investor relations"],"page.not_found.error_code":[0,"Error Code: 404"],"search.autocomplete_title":[0,"Insert a query. Press enter to send"],"footer.logos_and_press_kit":[0,"Logos & press kit"],"footer.application_services":[0,"Application services"],"footer.get_a_recommendation":[0,"Get a recommendation"],"posts.social_buttons.reddit":[0,"Discuss on Reddit"],"footer.sse_and_sase_services":[0,"SSE and SASE services"],"page.not_found.outdated_link":[0,"You may have used an outdated link, or you may have typed the address incorrectly."],"footer.report_security_issues":[0,"Report Security Issues"],"page.error.error_message_page":[0,"Sorry, we can't find the page you are looking for."],"header.subscribe_notifications":[0,"Subscribe to receive notifications of new posts:"],"footer.cloudflare_for_campaigns":[0,"Cloudflare for Campaigns"],"header.subscription_confimation":[0,"Subscription confirmed. Thank you for subscribing!"],"posts.social_buttons.hackernews":[0,"Discuss on Hacker News"],"footer.diversity_equity_inclusion":[0,"Diversity, equity & inclusion"],"footer.critical_infrastructure_defense_project":[0,"Critical Infrastructure Defense Project"]}]}" ssr client="load" opts="{"name":"PostCard","value":true}" await-children> <article class="w-100 featured-post flex flex-row flex-wrap mb4 items-center bb b--gray8 bn-l mt4 mt2-l mb4 ph3 bb b--gray8 bn-l"> <div class="w-100"> <a href="https://blog-cloudflare-com.translate.goog/new-waf-intelligence-feeds/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw5 no-underline gray1" data-testid="post-title"><h2 class="fw5 mt2">New WAF intelligence feeds</h2></a> <p class="f3 fw5 gray5 my" data-testid="post-date">2022-07-07</p> <div class=""> <a href="https://blog-cloudflare-com.translate.goog/tag/product-news/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Product News</a><a href="https://blog-cloudflare-com.translate.goog/tag/waf/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">WAF</a><a href="https://blog-cloudflare-com.translate.goog/tag/threat-intelligence/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Threat Intelligence</a><a href="https://blog-cloudflare-com.translate.goog/tag/vpn/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">VPN</a><a href="https://blog-cloudflare-com.translate.goog/tag/botnet/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Botnet</a> </div> <p class="f3 fw4 gray1 lh-copy " data-testid="post-content">Cloudflare is expanding our WAF’s threat intelligence capabilities by adding four new managed IP lists that can be used as part of any custom firewall rule<!-- -->...</p> <ul class="author-lists flex pl0"> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/daniele/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3Zh7G3qA4Y20jQXIMgwzOq/1b466a0034dff783ebc2c99595e2e1b6/daniele.jpg" alt="Daniele Molteni" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/daniele/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Daniele Molteni</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg" alt="Jesse Kipp" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Jesse Kipp</a> </div></li> </ul> </div> </article><!--astro:end--> </astro-island><astro-island uid="NePL8" prefix="r7" component-url="/_astro/PostCard.CG32ktie.js" component-export="PostCard" renderer-url="/_astro/client.DLO1yDVm.js" props="{"post":[0,{"id":[0,"5S4ZSavngXmsFSpNQmonE4"],"title":[0,"Bring your own license and threat feeds to use with Cloudflare One"],"slug":[0,"bring-your-own-threat-feeds-with-cloudflare-one"],"excerpt":[0,"Today, we are announcing new integrations that enable our customers to integrate third-party threat intel data with the rich threat intelligence from Cloudflare One products — all within the Cloudflare dashboard"],"featured":[0,false],"html":[0,"\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4UWp9SHYI1zOwvZLQJO9xJ/8b5ec9ed29bcded983fb195002a4ea52/image4-12.png\" alt=\"Bring your own license and threat feeds to use with Cloudflare One\" class=\"kg-image\" width=\"1800\" height=\"1013\" loading=\"lazy\"/>\n \n </figure><p>At Cloudflare, we strive to make our customers’ lives simpler by building products that solve their problems, are extremely easy to use, and integrate well with their existing tech stack. Another element of ensuring that we fit well with existing deployments is integrating seamlessly with additional solutions that customers subscribe to, and making sure those solutions work collaboratively together to solve a pain point.</p><p>Today, we are announcing new integrations that enable our customers to integrate third-party threat intel data with the rich threat intelligence from <a href=\"https://www.cloudflare.com/cloudflare-one/\">Cloudflare One</a> products — all within the Cloudflare dashboard. We are releasing this feature in partnership with Mandiant, Recorded Future, and VirusTotal, and will be adding new partners in the coming months.</p><p>Customers of these threat intel partners can upload their API keys to the Cloudflare Security Center to enable the use of additional threat data to create rules within Cloudflare One products such as Gateway and Magic Firewall, and infrastructure security products including the Web Application Firewall and API Gateway. Additionally, search results from Security Center’s threat investigations portal will also be automatically enriched with licensed data.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"entering-your-api-keys\">Entering your API keys</h3>\n <a href=\"#entering-your-api-keys\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Customers will be able to enter their keys by navigating to Security Center → Reference Data, and clicking on the ellipsis next to desired rows and selecting “Edit API key”. Once a valid key has been added, the status listed on the row should change from “No key provided” to “Active key”.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7olsgmCCo4KsMyoIsyRY8M/e26259c724d6cf3e3a051471205162d8/image3-17.png\" alt=\"\" class=\"kg-image\" width=\"1999\" height=\"1157\" loading=\"lazy\"/>\n \n </figure>\n <div class=\"flex anchor relative\">\n <h3 id=\"mandiant\">Mandiant</h3>\n <a href=\"#mandiant\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Mandiant Advantage customers with a Threat Intelligence subscription can enter their API keys and leverage Mandiant’s most popular feeds of FQDN and IP address indicators of security threats and their related context throughout Cloudflare One products.</p><p>These include lists organized by threat category and aggregations of most active malicious infrastructure. By curating the most recent data and data relevant to your infrastructure on the Cloudflare network, Cloudflare will make it easy to take advantage of active and relevant indicators of malicious activity from Mandiant’s extensive threat intelligence data. Cloudflare takes care of importing the data and refreshing it regularly to help protect you from the latest threats Mandiant sees on the frontlines. Cloudflare products such as Gateway, Magic Firewall, and Web Application Firewall (WAF) will have access to the threat intelligence data and make it easy to operationalize using the same rule builder you use today.</p><blockquote><p>“As cyber threats continue to rapidly evolve, organizations require up-to-date and relevant intelligence integrated with their preferred technology solutions to comprehensively protect their environments. Together, Mandiant and Cloudflare are enabling our mutual customers to better protect themselves from malicious actors that are active on the front lines right now”.- Robert Wallace, Senior Director, Strategy, Mandiant</p></blockquote>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3sti3ubfVuuTUinM3pEBed/3ed079d7423fb15cc998471e7a1776ee/image1-16.png\" alt=\"\" class=\"kg-image\" width=\"1999\" height=\"1459\" loading=\"lazy\"/>\n \n </figure>\n <div class=\"flex anchor relative\">\n <h3 id=\"recorded-future\">Recorded Future</h3>\n <a href=\"#recorded-future\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Recorded Future customers can upload their API key to unlock use of Security Control Feeds. Once you have set up your API key, Recorded Future intelligence will also be available in the rule builder of Cloudflare Gateway and Magic Firewall. Cloudflare will present the intelligence that is relevant to and actionable by the product being configured. Intelligence will be regularly updated for you, freeing you to focus on the security policies and actions that are relevant for your organization.</p><p>For example, customers will be able to create a rule that blocks connections where the source or destination IP is in the Security Control feed “Command and Control - IP Addresses [Prevent]”. This list will be automatically updated daily for each customer who has a valid API key.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4NJzP1xP9jelwjASBg1l33/b7265ffc5d55676991b906b91c5056b2/image2-21.png\" alt=\"\" class=\"kg-image\" width=\"1999\" height=\"979\" loading=\"lazy\"/>\n \n </figure><blockquote><p>As threats accelerate and converge in the world around us, Recorded Future and Cloudflare are working together to empower customers with the right intelligence at the right time, to keep our people and infrastructure safe.- Craig Adams, Chief Product &amp; Engineering officer, Recorded Future</p></blockquote>\n <div class=\"flex anchor relative\">\n <h3 id=\"virustotal\">VirusTotal</h3>\n <a href=\"#virustotal\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Virus Total Premium customers can upload their API key to augment and enrich Security Center search results for IPs, domains, and URLs. In the future we plan to add additional object types such as binary files.</p><p>Results will be automatically populated within a new card in the ‘Investigate’ tab. When searching an IP address, you will see a summary of the IP address information from VirusTotal including the overall results of the last analysis (e.g., harmless, suspicious, malicious, etc.), reputation score, tags, community votes, and the top files (if any) associated with that IP address by communications.</p><blockquote><p>“Cybersecurity teams face a challenging environment as attackers become more sophisticated. They need complete visibility and real-time threat intelligence from multiple sources to combat malicious threats. We are partnering with Cloudflare to help our mutual customers outsmart adversaries.”- Emiliano Martinez Contreras, Head of Product for VirusTotal — Google</p></blockquote>\n <div class=\"flex anchor relative\">\n <h3 id=\"want-to-get-started\">Want to get started?</h3>\n <a href=\"#want-to-get-started\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>If you are interested in gaining access during our beta testing phase, please complete this <a href=\"https://forms.gle/fJLNCuYueAzUHgy49\">form</a>. And if there are additional data vendors you would like to see us integrate with, including your own sources, click <a href=\"https://forms.gle/fJLNCuYueAzUHgy49\">here</a>.</p>"],"published_at":[0,"2022-06-20T14:57:23.000+01:00"],"updated_at":[0,"2024-10-09T23:19:03.113Z"],"feature_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4bWAt1rVMY2jSOUjYNjs3g/06a7e27220010194a66c2fadbb1293fd/bring-your-own-threat-feeds-with-cloudflare-one.png"],"tags":[1,[[0,{"id":[0,"6bljxh2niQ2pK6vN9pv8JH"],"name":[0,"Cloudflare One Week"],"slug":[0,"cloudflare-one-week"]}],[0,{"id":[0,"4Z2oveL0P0AeqGa5lL4Vo1"],"name":[0,"Cloudflare One"],"slug":[0,"cloudflare-one"]}],[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}],[0,{"id":[0,"3QNaVNNpUXrfZYUGDJkXwA"],"name":[0,"Cloudflare Zero Trust"],"slug":[0,"cloudflare-zero-trust"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Patrick R. Donahue"],"slug":[0,"patrick"],"bio":[0,null],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1LQFonIW7hvlt7UKRMOzlk/268d04eef37cd375ab2063158e74dea2/patrick.png"],"location":[0,"San Francisco, CA"],"website":[0,"https://www.cloudflare.com"],"twitter":[0,"@prdonahue"],"facebook":[0,null]}],[0,{"name":[0,"Deeksha Lamba"],"slug":[0,"deeksha"],"bio":[0,null],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5UymPn1AgDAuPUWOwJ3Xo7/7d4d2acb15925ce4b09bccdf45bf39e4/deeksha.jpg"],"location":[0,null],"website":[0,null],"twitter":[0,"@deekshalamba"],"facebook":[0,null]}],[0,{"name":[0,"Jesse Kipp"],"slug":[0,"jesse"],"bio":[0,null],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg"],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}]]],"meta_description":[0,"Today, we are announcing new integrations that enable our customers to integrate third-party threat intel data with the rich threat intelligence from Cloudflare One products — all within the Cloudflare dashboard."],"primary_author":[0,{}],"localeList":[0,{"name":[0,"Bring your own license and threat feeds to use with Cloudflare One Config"],"enUS":[0,"English for Locale"],"zhCN":[0,"No Page for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"No Page for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"No Page for Locale"],"koKR":[0,"No Page for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"No Page for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,"https://blog.cloudflare.com/bring-your-own-threat-feeds-with-cloudflare-one"],"metadata":[0,{"title":[0,"Bring your own license and threat feeds to use with Cloudflare One"],"description":[0,"Today, we are announcing new integrations that enable our customers to integrate third-party threat intel data with the rich threat intelligence from Cloudflare One products — all within the Cloudflare dashboard."],"imgPreview":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5qbYxQTcKkaXYBoeSQzdhV/9b44b01e02cfb7f48b70e9a5035eeac3/bring-your-own-threat-feeds-with-cloudflare-one-zEHDW8.png"]}]}],"translations":[0,{"posts.by":[0,"By"],"footer.gdpr":[0,"GDPR"],"lang_blurb1":[0,"This post is also available in {lang1}."],"lang_blurb2":[0,"This post is also available in {lang1} and {lang2}."],"lang_blurb3":[0,"This post is also available in {lang1}, {lang2} and {lang3}."],"footer.press":[0,"Press"],"header.title":[0,"The Cloudflare Blog"],"search.clear":[0,"Clear"],"search.filter":[0,"Filter"],"search.source":[0,"Source"],"footer.careers":[0,"Careers"],"footer.company":[0,"Company"],"footer.support":[0,"Support"],"footer.the_net":[0,"theNet"],"search.filters":[0,"Filters"],"footer.our_team":[0,"Our team"],"footer.webinars":[0,"Webinars"],"page.more_posts":[0,"More posts"],"posts.time_read":[0,"{time} min read"],"search.language":[0,"Language"],"footer.community":[0,"Community"],"footer.resources":[0,"Resources"],"footer.solutions":[0,"Solutions"],"footer.trademark":[0,"Trademark"],"header.subscribe":[0,"Subscribe"],"footer.compliance":[0,"Compliance"],"footer.free_plans":[0,"Free plans"],"footer.impact_ESG":[0,"Impact/ESG"],"posts.follow_on_X":[0,"Follow on X"],"footer.help_center":[0,"Help center"],"footer.network_map":[0,"Network Map"],"header.please_wait":[0,"Please Wait"],"page.related_posts":[0,"Related posts"],"search.result_stat":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong> for <strong>{search_keyword}</strong>"],"footer.case_studies":[0,"Case Studies"],"footer.connect_2024":[0,"Connect 2024"],"footer.terms_of_use":[0,"Terms of Use"],"footer.white_papers":[0,"White Papers"],"footer.cloudflare_tv":[0,"Cloudflare TV"],"footer.community_hub":[0,"Community Hub"],"footer.compare_plans":[0,"Compare plans"],"footer.contact_sales":[0,"Contact Sales"],"header.contact_sales":[0,"Contact Sales"],"header.email_address":[0,"Email Address"],"page.error.not_found":[0,"Page not found"],"footer.developer_docs":[0,"Developer docs"],"footer.privacy_policy":[0,"Privacy Policy"],"footer.request_a_demo":[0,"Request a demo"],"page.continue_reading":[0,"Continue reading"],"footer.analysts_report":[0,"Analyst reports"],"footer.for_enterprises":[0,"For enterprises"],"footer.getting_started":[0,"Getting Started"],"footer.learning_center":[0,"Learning Center"],"footer.project_galileo":[0,"Project Galileo"],"pagination.newer_posts":[0,"Newer Posts"],"pagination.older_posts":[0,"Older Posts"],"posts.social_buttons.x":[0,"Discuss on X"],"search.icon_aria_label":[0,"Search"],"search.source_location":[0,"Source/Location"],"footer.about_cloudflare":[0,"About Cloudflare"],"footer.athenian_project":[0,"Athenian Project"],"footer.become_a_partner":[0,"Become a partner"],"footer.cloudflare_radar":[0,"Cloudflare Radar"],"footer.network_services":[0,"Network services"],"footer.trust_and_safety":[0,"Trust & Safety"],"header.get_started_free":[0,"Get Started Free"],"page.search.placeholder":[0,"Search Cloudflare"],"footer.cloudflare_status":[0,"Cloudflare Status"],"footer.cookie_preference":[0,"Cookie Preferences"],"header.valid_email_error":[0,"Must be valid email."],"search.result_stat_empty":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong>"],"footer.connectivity_cloud":[0,"Connectivity cloud"],"footer.developer_services":[0,"Developer services"],"footer.investor_relations":[0,"Investor relations"],"page.not_found.error_code":[0,"Error Code: 404"],"search.autocomplete_title":[0,"Insert a query. Press enter to send"],"footer.logos_and_press_kit":[0,"Logos & press kit"],"footer.application_services":[0,"Application services"],"footer.get_a_recommendation":[0,"Get a recommendation"],"posts.social_buttons.reddit":[0,"Discuss on Reddit"],"footer.sse_and_sase_services":[0,"SSE and SASE services"],"page.not_found.outdated_link":[0,"You may have used an outdated link, or you may have typed the address incorrectly."],"footer.report_security_issues":[0,"Report Security Issues"],"page.error.error_message_page":[0,"Sorry, we can't find the page you are looking for."],"header.subscribe_notifications":[0,"Subscribe to receive notifications of new posts:"],"footer.cloudflare_for_campaigns":[0,"Cloudflare for Campaigns"],"header.subscription_confimation":[0,"Subscription confirmed. Thank you for subscribing!"],"posts.social_buttons.hackernews":[0,"Discuss on Hacker News"],"footer.diversity_equity_inclusion":[0,"Diversity, equity & inclusion"],"footer.critical_infrastructure_defense_project":[0,"Critical Infrastructure Defense Project"]}]}" ssr client="load" opts="{"name":"PostCard","value":true}" await-children> <article class="w-100 featured-post flex flex-row flex-wrap mb4 items-center bb b--gray8 bn-l mt4 mt2-l mb4 ph3 bb b--gray8 bn-l"> <div class="w-100"> <a href="https://blog-cloudflare-com.translate.goog/bring-your-own-threat-feeds-with-cloudflare-one/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw5 no-underline gray1" data-testid="post-title"><h2 class="fw5 mt2">Bring your own license and threat feeds to use with Cloudflare One</h2></a> <p class="f3 fw5 gray5 my" data-testid="post-date">2022-06-20</p> <div class=""> <a href="https://blog-cloudflare-com.translate.goog/tag/cloudflare-one-week/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Cloudflare One Week</a><a href="https://blog-cloudflare-com.translate.goog/tag/cloudflare-one/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Cloudflare One</a><a href="https://blog-cloudflare-com.translate.goog/tag/product-news/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Product News</a><a href="https://blog-cloudflare-com.translate.goog/tag/cloudflare-zero-trust/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Cloudflare Zero Trust</a> </div> <p class="f3 fw4 gray1 lh-copy " data-testid="post-content">Today, we are announcing new integrations that enable our customers to integrate third-party threat intel data with the rich threat intelligence from Cloudflare One products — all within the Cloudflare dashboard<!-- -->...</p> <ul class="author-lists flex pl0"> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/patrick/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1LQFonIW7hvlt7UKRMOzlk/268d04eef37cd375ab2063158e74dea2/patrick.png" alt="Patrick R. Donahue" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/patrick/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Patrick R. Donahue</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/deeksha/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5UymPn1AgDAuPUWOwJ3Xo7/7d4d2acb15925ce4b09bccdf45bf39e4/deeksha.jpg" alt="Deeksha Lamba" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/deeksha/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Deeksha Lamba</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg" alt="Jesse Kipp" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Jesse Kipp</a> </div></li> </ul> </div> </article><!--astro:end--> </astro-island><astro-island uid="ZviLmQ" prefix="r8" component-url="/_astro/PostCard.CG32ktie.js" component-export="PostCard" renderer-url="/_astro/client.DLO1yDVm.js" props="{"post":[0,{"id":[0,"Fu3hogbCQJRzmHcjxXcYr"],"title":[0,"Area 1 threat indicators now available in Cloudflare Zero Trust"],"slug":[0,"phishing-threat-indicators-in-zero-trust"],"excerpt":[0,"Area 1’s massive datasets of phishing campaign TTPs, seed infrastructure and threat models are now combined with Cloudflare’s extensive network and global insight into the origins of DNS, email or web traffic"],"featured":[0,false],"html":[0,"\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6Mu8JLRZV79uzq8CEnM6Kf/7c0b95b72bc0886fd3cf8446f9a0dbd6/image2-19.png\" alt=\"\" class=\"kg-image\" width=\"1801\" height=\"1013\" loading=\"lazy\"/>\n \n </figure><p>Over the last several years, both Area 1 and Cloudflare built pipelines for ingesting threat indicator data, for use within our products. During the acquisition process we compared notes, and we discovered that the overlap of indicators between our two respective systems was smaller than we expected. This presented us with an opportunity: as one of our first tasks in bringing the two companies together, we have started bringing Area 1’s threat indicator data into the Cloudflare suite of products. This means that all the products today that use indicator data from Cloudflare’s own pipeline now get the benefit of Area 1’s data, too.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6KzkecE9CozKd2k81Az2i3/5d80c2dc7331a26f7c50f63ca6eb75fa/image1-13.png\" alt=\"\" class=\"kg-image\" width=\"1095\" height=\"646\" loading=\"lazy\"/>\n \n </figure><p>Area 1 built a data pipeline focused on identifying new and active phishing threats, which now supplements the Phishing category available today in Gateway. If you have a policy that references this category, you’re already benefiting from this additional threat coverage.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"how-cloudflare-identifies-potential-phishing-threats\">How Cloudflare identifies potential phishing threats</h3>\n <a href=\"#how-cloudflare-identifies-potential-phishing-threats\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Cloudflare is able to combine the data, procedures and techniques developed independently by both the Cloudflare team and the Area 1 team prior to acquisition. Customers are able to benefit from the work of both teams across the suite of Cloudflare products.</p><p>Cloudflare curates a set of data feeds both from our own network traffic, OSINT sources, and numerous partnerships, and applies custom false positive control. Customers who rely on Cloudflare are spared the software development effort as well as the operational workload to distribute and update these feeds. Cloudflare handles this automatically, with updates happening as often as every minute.</p><p>Cloudflare is able to go beyond this and work to proactively identify phishing infrastructure in multiple ways. With the Area 1 acquisition, Cloudflare is now able to apply the adversary-focused threat research approach of Area1 across our network. A team of threat researchers track state-sponsored and financially motivated threat actors, newly disclosed CVEs, and current phishing trends.</p><p>Cloudflare now operates mail exchange servers for hundreds of organizations around the world, in addition to its DNS resolvers, <a href=\"https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/\">Zero Trust</a> suite, and network services. Each of these products generates data that is used to enhance the security of all of Cloudflare’s products. For example, as part of mail delivery, the mail engine performs domain lookups, scores potential phishing indicators via <a href=\"https://www.cloudflare.com/learning/ai/what-is-machine-learning/\">machine learning</a>, and fetches URLs. Data which can now be used through Cloudflare’s offerings.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"how-cloudflare-area-1-identifies-potential-phishing-threats\">How Cloudflare Area 1 identifies potential phishing threats</h3>\n <a href=\"#how-cloudflare-area-1-identifies-potential-phishing-threats\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>The Cloudflare Area 1 team operates a suite of web crawling tools designed to <a href=\"https://www.cloudflare.com/learning/email-security/how-to-prevent-phishing/\">identify phishing pages</a>, capture phishing kits, and highlight attacker infrastructure. In addition, Cloudflare Area 1 threat models assess campaigns based on signals gathered from threat actor campaigns; and the associated IOCs of these campaign messages are further used to enrich Cloudflare Area 1 threat data for future campaign discovery. Together these techniques give Cloudflare Area 1 a leg up on identifying the indicators of compromise for an attacker prior to their attacks against our customers. As part of this proactive approach, Cloudflare Area 1 also houses a team of threat researchers that track state-sponsored and financially motivated threat actors, newly disclosed CVEs, and current phishing trends. Through this research, analysts regularly insert phishing indicators into an extensive indicator management system that may be used for our email product or any other product that may query it.</p><p>Cloudflare Area 1 also collects information about phishing threats during our normal operation as the mail exchange server for hundreds of organizations across the world. As part of that role, the mail engine performs domain lookups, scores potential phishing indicators via machine learning, and fetches URLs. For those emails found to be malicious, the indicators associated with the email are inserted into our indicator management system as part of a feedback loop for subsequent message evaluation.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"how-cloudflare-data-will-be-used-to-improve-phishing-detection\">How Cloudflare data will be used to improve phishing detection</h3>\n <a href=\"#how-cloudflare-data-will-be-used-to-improve-phishing-detection\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>In order to support Cloudflare products, including Gateway and Page Shield, Cloudflare has a data pipeline that ingests data from partnerships, OSINT sources, as well as threat intelligence generated in-house at Cloudflare. We are always working to curate a threat intelligence data set that is relevant to our customers and actionable in the products Cloudflare supports. This is our North star: what data can we provide that enhances our customer’s security without requiring our customers to manage the complexity of data, relationships, and configuration. We offer a variety of security threat categories, but some major focus areas include:</p><ul><li><p>Malware distribution</p></li><li><p>Malware and Botnet Command &amp; Control</p></li><li><p>Phishing,</p></li><li><p>New and newly seen domains</p></li></ul><p>Phishing is a threat regardless of how the potential phishing link gets entry into an organization, whether via email, SMS, calendar invite or shared document, or other means. As such, detecting and blocking phishing domains has been an area of active development for Cloudflare’s threat data team since almost its inception.</p><p>Looking forward, we will be able to incorporate that work into Cloudflare Area 1’s phishing email detection process. Cloudflare&#39;s list of phishing domains can help identify malicious email when those domains appear in the sender, delivery headers, message body or links of an email.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"1-1-3-greater-dataset-sharing-between-cloudflare-and-area-1\">1+1 = 3: Greater dataset sharing between Cloudflare and Area 1</h3>\n <a href=\"#1-1-3-greater-dataset-sharing-between-cloudflare-and-area-1\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Threat actors have long had an unfair advantage — and that advantage is rooted in the knowledge of their target, and the time they have to set up specific campaigns against their targets. That dimension of time allows threat actors to set up the right infrastructure, perform reconnaissance, stage campaigns, perform test probes, observe their results, iterate, improve and then launch their ‘production’ campaigns. This precise element of time gives us the opportunity to discover, assess and proactively filter out campaign infrastructure prior to campaigns reaching critical mass. But to do that effectively, we need visibility and knowledge of threat activity across the public IP space.</p><p>With Cloudflare’s extensive network and global insight into the origins of DNS, email or web traffic, combined with Cloudflare Area 1’s datasets of campaign tactics, techniques, and procedures (TTPs), seed infrastructure and threat models — we are now better positioned than ever to help organizations secure themselves against sophisticated threat actor activity, and regain the advantage that for so long has been heavily weighted towards the bad guys.</p><p>If you’d like to extend Zero Trust to your email security to <a href=\"https://www.cloudflare.com/zero-trust/products/email-security/\">block advanced threats</a>, contact your Customer Success manager, or request a Phishing Risk Assessment <a href=\"https://www.cloudflare.com/lp/emailsecurity/\">here</a>.</p>"],"published_at":[0,"2022-06-20T14:28:53.000+01:00"],"updated_at":[0,"2024-10-09T23:19:01.610Z"],"feature_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4MMmvshiBuGHvrXDs9vuOw/28cd3ba25cd01a0c4a039aebe35f4361/phishing-threat-indicators-in-zero-trust.png"],"tags":[1,[[0,{"id":[0,"6bljxh2niQ2pK6vN9pv8JH"],"name":[0,"Cloudflare One Week"],"slug":[0,"cloudflare-one-week"]}],[0,{"id":[0,"6QktrXeEFcl4e2dZUTZVGl"],"name":[0,"Product News"],"slug":[0,"product-news"]}],[0,{"id":[0,"J61Eszqn98amrYHq4IhTx"],"name":[0,"Zero Trust"],"slug":[0,"zero-trust"]}],[0,{"id":[0,"2Kxh34kIQRA3gyymmhJpsR"],"name":[0,"Email Security"],"slug":[0,"email-security"]}],[0,{"id":[0,"6Mp7ouACN2rT3YjL1xaXJx"],"name":[0,"Security"],"slug":[0,"security"]}],[0,{"id":[0,"2FQK880QI5lKEUCjVHBber"],"name":[0,"1.1.1.1"],"slug":[0,"1-1-1-1"]}],[0,{"id":[0,"15qx2Nvwrm4X8zknw3vXgC"],"name":[0,"Cloudflare Gateway"],"slug":[0,"gateway"]}],[0,{"id":[0,"3QNaVNNpUXrfZYUGDJkXwA"],"name":[0,"Cloudflare Zero Trust"],"slug":[0,"cloudflare-zero-trust"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Jesse Kipp"],"slug":[0,"jesse"],"bio":[0,null],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg"],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}]]],"meta_description":[0,"Area 1’s massive datasets of phishing campaign TTPs, seed infrastructure and threat models are now combined with Cloudflare’s extensive network and global insight into the origins of DNS, email or web traffic."],"primary_author":[0,{}],"localeList":[0,{"name":[0,"Area 1 threat indicators now available in Cloudflare Zero Trust Config"],"enUS":[0,"English for Locale"],"zhCN":[0,"Translated for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"No Page for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"Translated for Locale"],"koKR":[0,"Translated for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"Translated for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,"https://blog.cloudflare.com/phishing-threat-indicators-in-zero-trust"],"metadata":[0,{"title":[0,"Area 1 threat indicators now available in Cloudflare Zero Trust"],"description":[0,"Area 1’s massive datasets of phishing campaign TTPs, seed infrastructure and threat models are now combined with Cloudflare’s extensive network and global insight into the origins of DNS, email or web traffic."],"imgPreview":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4DaDrJa0yIJ6m4hbygl6DE/97024e96cce4f5b1b85ab528a074706a/phishing-threat-indicators-in-zero-trust-8ysgyS.png"]}]}],"translations":[0,{"posts.by":[0,"By"],"footer.gdpr":[0,"GDPR"],"lang_blurb1":[0,"This post is also available in {lang1}."],"lang_blurb2":[0,"This post is also available in {lang1} and {lang2}."],"lang_blurb3":[0,"This post is also available in {lang1}, {lang2} and {lang3}."],"footer.press":[0,"Press"],"header.title":[0,"The Cloudflare Blog"],"search.clear":[0,"Clear"],"search.filter":[0,"Filter"],"search.source":[0,"Source"],"footer.careers":[0,"Careers"],"footer.company":[0,"Company"],"footer.support":[0,"Support"],"footer.the_net":[0,"theNet"],"search.filters":[0,"Filters"],"footer.our_team":[0,"Our team"],"footer.webinars":[0,"Webinars"],"page.more_posts":[0,"More posts"],"posts.time_read":[0,"{time} min read"],"search.language":[0,"Language"],"footer.community":[0,"Community"],"footer.resources":[0,"Resources"],"footer.solutions":[0,"Solutions"],"footer.trademark":[0,"Trademark"],"header.subscribe":[0,"Subscribe"],"footer.compliance":[0,"Compliance"],"footer.free_plans":[0,"Free plans"],"footer.impact_ESG":[0,"Impact/ESG"],"posts.follow_on_X":[0,"Follow on X"],"footer.help_center":[0,"Help center"],"footer.network_map":[0,"Network Map"],"header.please_wait":[0,"Please Wait"],"page.related_posts":[0,"Related posts"],"search.result_stat":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong> for <strong>{search_keyword}</strong>"],"footer.case_studies":[0,"Case Studies"],"footer.connect_2024":[0,"Connect 2024"],"footer.terms_of_use":[0,"Terms of Use"],"footer.white_papers":[0,"White Papers"],"footer.cloudflare_tv":[0,"Cloudflare TV"],"footer.community_hub":[0,"Community Hub"],"footer.compare_plans":[0,"Compare plans"],"footer.contact_sales":[0,"Contact Sales"],"header.contact_sales":[0,"Contact Sales"],"header.email_address":[0,"Email Address"],"page.error.not_found":[0,"Page not found"],"footer.developer_docs":[0,"Developer docs"],"footer.privacy_policy":[0,"Privacy Policy"],"footer.request_a_demo":[0,"Request a demo"],"page.continue_reading":[0,"Continue reading"],"footer.analysts_report":[0,"Analyst reports"],"footer.for_enterprises":[0,"For enterprises"],"footer.getting_started":[0,"Getting Started"],"footer.learning_center":[0,"Learning Center"],"footer.project_galileo":[0,"Project Galileo"],"pagination.newer_posts":[0,"Newer Posts"],"pagination.older_posts":[0,"Older Posts"],"posts.social_buttons.x":[0,"Discuss on X"],"search.icon_aria_label":[0,"Search"],"search.source_location":[0,"Source/Location"],"footer.about_cloudflare":[0,"About Cloudflare"],"footer.athenian_project":[0,"Athenian Project"],"footer.become_a_partner":[0,"Become a partner"],"footer.cloudflare_radar":[0,"Cloudflare Radar"],"footer.network_services":[0,"Network services"],"footer.trust_and_safety":[0,"Trust & Safety"],"header.get_started_free":[0,"Get Started Free"],"page.search.placeholder":[0,"Search Cloudflare"],"footer.cloudflare_status":[0,"Cloudflare Status"],"footer.cookie_preference":[0,"Cookie Preferences"],"header.valid_email_error":[0,"Must be valid email."],"search.result_stat_empty":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong>"],"footer.connectivity_cloud":[0,"Connectivity cloud"],"footer.developer_services":[0,"Developer services"],"footer.investor_relations":[0,"Investor relations"],"page.not_found.error_code":[0,"Error Code: 404"],"search.autocomplete_title":[0,"Insert a query. Press enter to send"],"footer.logos_and_press_kit":[0,"Logos & press kit"],"footer.application_services":[0,"Application services"],"footer.get_a_recommendation":[0,"Get a recommendation"],"posts.social_buttons.reddit":[0,"Discuss on Reddit"],"footer.sse_and_sase_services":[0,"SSE and SASE services"],"page.not_found.outdated_link":[0,"You may have used an outdated link, or you may have typed the address incorrectly."],"footer.report_security_issues":[0,"Report Security Issues"],"page.error.error_message_page":[0,"Sorry, we can't find the page you are looking for."],"header.subscribe_notifications":[0,"Subscribe to receive notifications of new posts:"],"footer.cloudflare_for_campaigns":[0,"Cloudflare for Campaigns"],"header.subscription_confimation":[0,"Subscription confirmed. Thank you for subscribing!"],"posts.social_buttons.hackernews":[0,"Discuss on Hacker News"],"footer.diversity_equity_inclusion":[0,"Diversity, equity & inclusion"],"footer.critical_infrastructure_defense_project":[0,"Critical Infrastructure Defense Project"]}]}" ssr client="load" opts="{"name":"PostCard","value":true}" await-children> <article class="w-100 featured-post flex flex-row flex-wrap mb4 items-center bb b--gray8 bn-l mt4 mt2-l mb4 ph3 bb b--gray8 bn-l"> <div class="w-100"> <a href="https://blog-cloudflare-com.translate.goog/phishing-threat-indicators-in-zero-trust/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw5 no-underline gray1" data-testid="post-title"><h2 class="fw5 mt2">Area 1 threat indicators now available in Cloudflare Zero Trust</h2></a> <p class="f3 fw5 gray5 my" data-testid="post-date">2022-06-20</p> <div class=""> <a href="https://blog-cloudflare-com.translate.goog/tag/cloudflare-one-week/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Cloudflare One Week</a><a href="https://blog-cloudflare-com.translate.goog/tag/product-news/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Product News</a><a href="https://blog-cloudflare-com.translate.goog/tag/zero-trust/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Zero Trust</a><a href="https://blog-cloudflare-com.translate.goog/tag/email-security/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Email Security</a><a href="https://blog-cloudflare-com.translate.goog/tag/security/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Security</a><a href="https://blog-cloudflare-com.translate.goog/tag/1-1-1-1/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">1.1.1.1</a><a href="https://blog-cloudflare-com.translate.goog/tag/gateway/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Cloudflare Gateway</a><a href="https://blog-cloudflare-com.translate.goog/tag/cloudflare-zero-trust/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Cloudflare Zero Trust</a> </div> <p class="f3 fw4 gray1 lh-copy " data-testid="post-content">Area 1’s massive datasets of phishing campaign TTPs, seed infrastructure and threat models are now combined with Cloudflare’s extensive network and global insight into the origins of DNS, email or web traffic<!-- -->...</p> <ul class="author-lists flex pl0"> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg" alt="Jesse Kipp" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Jesse Kipp</a> </div></li> </ul> </div> </article><!--astro:end--> </astro-island><astro-island uid="1xH7LJ" prefix="r9" component-url="/_astro/PostCard.CG32ktie.js" component-export="PostCard" renderer-url="/_astro/client.DLO1yDVm.js" props="{"post":[0,{"id":[0,"1iIplOzXKw2PKTAmKATBf9"],"title":[0,"Investigating threats using the Cloudflare Security Center"],"slug":[0,"security-center-investigate"],"excerpt":[0,"The data we glean from attacks trains our machine learning models and improves the efficacy of our network and application security products, but historically hasn’t been available to query directly. This week, we’re changing that"],"featured":[0,false],"html":[0,"\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1t7EBa4f8rMCmdVb6XxRqL/b85a03315fe9915468a65833b051b697/image1-12.png\" alt=\"Investigating threats using the Cloudflare Security Center\" class=\"kg-image\" width=\"1801\" height=\"1013\" loading=\"lazy\"/>\n \n </figure><p>Cloudflare blocks a <i>lot</i> of diverse security threats, with some of the more interesting attacks targeting the “long tail” of the millions of Internet properties we protect. The data we glean from these attacks trains our <a href=\"https://www.cloudflare.com/learning/ai/what-is-machine-learning/\">machine learning models</a> and improves the efficacy of our network and application security products, but historically hasn’t been available to query directly. This week, we’re changing that.</p><p>All customers will soon be granted access to our new threat investigations portal, <i>Investigate</i>, in the Cloudflare Security Center (first launched in December 2021). Additionally, we’ll be annotating threats across our analytics platform with this intelligence to streamline security workflows and tighten feedback loops.</p><!--kg-card-begin: html--><div style=\"position: relative; padding-top: 55%;\"><iframe src=\"https://iframe.videodelivery.net/89d7bdad3765f4d0bf7977b13b56aef2?preload=true&poster=https%3A%2F%2Fvideodelivery.net%2F89d7bdad3765f4d0bf7977b13b56aef2%2Fthumbnails%2Fthumbnail.jpg%3Ftime%3D%26height%3D600\" style=\"border: none; position: absolute; top: 0; left: 0; height: 100%; width: 100%;\" allow=\"accelerometer; gyroscope; autoplay; encrypted-media; picture-in-picture;\" allowfullscreen=\"true\"></iframe></div>\n<p></p><!--kg-card-end: html--><p>What sorts of data might you want to look up here? Let’s say you’re seeing an IP address in your logs and want to learn which hostnames have pointed to it via <a href=\"https://www.cloudflare.com/learning/dns/what-is-dns/\">DNS</a>, or you’re seeing a cluster of attacks come from an autonomous system (AS) you’re not familiar with. Or maybe you want to investigate a domain name to see how it’s been categorized from a threat perspective. Simply enter any of those items into the omni search box, and we’ll tell you everything we know.</p><p>IPs and hostnames will be available to query this week, followed by AS details to give you insight into the networks that communicate with your Cloudflare accounts. Next month as we move to general availability we’ll add data types and properties. Integrations with partners will allow you to use your existing license keys to see all your threat data in a single, unified interface. We also plan to show how both your infrastructure and corporate employees are interacting with any objects you look up, e.g., you can see how many times an IP triggers a WAF or API Shield rule, or how many times your employees attempted to resolve a domain that’s known to serve malware.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"annotations-in-the-dashboard-actionable-intelligence-in-context\">Annotations in the dashboard: actionable intelligence in context</h2>\n <a href=\"#annotations-in-the-dashboard-actionable-intelligence-in-context\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Looking up threat data on an ad hoc basis is great, but it’s better when that data is annotated directly in logs and analytics. Starting this week, we will begin rolling out intelligence that is available in <i>Investigate</i> in the dashboard where it is relevant to your workflow. We’re starting with the web application firewall analytics for your websites that are behind Cloudflare.</p><p>Say you are investigating a security alert for a large number of requests that are blocked by a web application firewall rule. You might see that the alert was caused by an IP address probing your website for commonly exploited software vulnerabilities. If the IP in question were a cloud IP or flagged as an anonymizer, contextual intelligence will show that information directly on the analytics page.</p><p>This context can help you see patterns. Are attacks coming from anonymizers or the Tor network? Are they coming from cloud virtual machines? An IP is just an IP. But seeing a credential stuffing attack coming from anonymizers is a pattern that enables a proactive response, “Is my bot management configuration up-to-date?”</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/234fVUM8Un89bcl5uuwlDx/b817074e5b9a2ee54ade9a573917720b/image2-11.png\" alt=\"Analytics view of top events showing requests coming from anonymizer\" class=\"kg-image\" width=\"482\" height=\"286\" loading=\"lazy\"/>\n \n </figure>\n <div class=\"flex anchor relative\">\n <h2 id=\"cloudflares-network-vantage-point-and-how-this-informs-our-data\">Cloudflare’s network vantage point and how this informs our data</h2>\n <a href=\"#cloudflares-network-vantage-point-and-how-this-informs-our-data\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>The scale at which each product suite operates at Cloudflare is staggering. At peak, Cloudflare handles 44 million HTTP requests a second, from more than <b>250 cities</b> in over <b>100 countries</b>. The Cloudflare network responds to over <b>1.2 trillion DNS queries per day</b>, and it has <b>121 Tbps of network capacity</b> to serve traffic and mitigate denial of service attacks across all products. But on top of this immense scale, Cloudflare’s architecture enables refining raw data and combining intelligence from all of our products to paint a holistic picture of the security landscape.</p><p>We are able to take signals refined from the raw data generated by each product and combine them with signals from other products and capabilities to enhance our network and threat data capabilities. It is a common paradigm for security products to be built to have positive flywheel effects among users of the products. If one customer sees a new piece of malware, an endpoint protection vendor can deploy an update that will detect and block this malware for all their other customers. If a botnet attacks one customer, this provides information that can be used to find the signature of that botnet and protect other customers. If a device participates in a DDoS (Distributed Denial of Service) attack, that information can be used to make the network able to faster detect and mitigate future DDoS attacks. Cloudflare’s breadth of product offerings means that the flywheel effect benefits to users accumulate not just between users, but <i>between products as well</i>.</p><p>Let’s look at some examples:</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"dns-resolution-and-certificate-transparency\">DNS resolution and certificate transparency</h3>\n <a href=\"#dns-resolution-and-certificate-transparency\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>First, Cloudflare operates 1.1.1.1, one of the largest recursive DNS resolvers in the world. We operate it in a privacy-forward manner, so here at Cloudflare we do not know who or what IP performed a query, nor are we able to correlate queries together to distinct anonymous users. However, through the requests the resolver handles, Cloudflare sees newly registered and newly seen domains. Additionally, Cloudflare has one of the most advanced SSL/TLS encryption products on the market, and as part of that is a member organization helping to maintain the Certificate Transparency logs. These are public logs of every TLS certificate issued by a root certificate authority that is trusted by web browsers. Between these two products, Cloudflare has an unmatched view of what domains are out there on the Internet and when they become active. We use this information not only to populate our new and newly seen domains categories for our Gateway product, but we feed these domains into machine learning models that label suspicious or potentially malicious domains early in their lifecycle.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"email-security\">Email security</h3>\n <a href=\"#email-security\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>As another example, with the acquisition of Area 1, Cloudflare will bring a new set of mutually-reinforcing capabilities into its product offering. All the signals we can generate for a domain from our 1.1.1.1 resolver will become available to help <a href=\"https://www.cloudflare.com/zero-trust/products/email-security/\">identify malicious email</a>, and Area 1’s years of expertise in identifying malicious email will be able to feed back into Cloudflare’s Gateway product and 1.1.1.1 for Families DNS resolver. In the past, data integrations like this would have been performed by IT or security teams. Instead, data will be able to flow seamlessly between the points on your organization’s <a href=\"https://www.cloudflare.com/learning/security/what-is-an-attack-surface/\">attack surface</a>, mutually reinforcing the quality of the analysis and classification. The entire Cloudflare Zero Trust toolkit, including request logging, blocking, and <a href=\"https://www.cloudflare.com/learning/access-management/what-is-browser-isolation/\">remote browser isolation</a> will be available to handle potentially malicious links delivered via email, using the same policies already in place for other security risks.</p><p>Over the last few years, Cloudflare has integrated the use of machine learning in many of our product offerings, but today we’ve launched a new tool that puts the data and signals that power our <a href=\"https://www.cloudflare.com/network-security/\">network security</a> into our customer’s hands as well. Whether responding to security incidents, <a href=\"https://www.cloudflare.com/learning/security/glossary/what-is-threat-hunting/\">threat hunting</a>, or proactively setting security policies to protect for your organization, you, human, can now be part of the Cloudflare network as well. Cloudflare’s unique position in the network means that your insights can be fed back into the network to protect not just your organization across all Cloudflare products it uses, but also can participate in mutual insight and defense among all Cloudflare customers.</p>\n <div class=\"flex anchor relative\">\n <h2 id=\"looking-forward\">Looking forward</h2>\n <a href=\"#looking-forward\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Cloudflare can <a href=\"https://www.cloudflare.com/application-services/products/securitycenter/\">cover your organization’s whole attack surface</a>: defending websites, protecting devices and SaaS applications with Cloudflare Zero Trust, your locations and offices with Magic Transit, and your email communications. Security Center is here to make sure you have all the information you need to understand the <a href=\"https://www.cloudflare.com/learning/security/what-is-cyber-security/\">cyber security risks</a> present today, and to help you defend your organization using Cloudflare.</p><p>“What is the wiper malware that I hear about on the news, and how do I protect my company from it?” We hear your questions, and we’re going to give you answers. Not just raw information, but what is relevant to you and how you use the Internet. We have big plans for Security Center. A file scanning portal will provide you with information about JavaScript files seen by Page Shield, executable files scanned by Gateway, and the ability to upload and scan files. Indicators of Compromise like IP addresses and domains will link to information about the relevant threat actors, when known, giving you more information about the techniques and tactics you are faced with, and information about how Cloudflare products can be used to defend against them. CVE search will let you find information on software vulnerabilities, along with the same easy-to-understand Cloudflare perspective you are used to reading on this blog to help decode the jargon and technical language. With today’s release, we’re just getting started.</p>"],"published_at":[0,"2022-03-14T12:59:21.000+00:00"],"updated_at":[0,"2024-10-09T23:17:35.269Z"],"feature_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7b8b6NNEh8AA78mcnETCCF/06aa44e916c0238fe2b13da214e32e79/security-center-investigate.png"],"tags":[1,[[0,{"id":[0,"3DmitkNK6euuD5BlhuvOLW"],"name":[0,"Security Week"],"slug":[0,"security-week"]}],[0,{"id":[0,"6hv2Z69PGr0qU411KfQNUE"],"name":[0,"Threat Intelligence"],"slug":[0,"threat-intelligence"]}],[0,{"id":[0,"5C9Ynjy9WylFnH2iVz2xma"],"name":[0,"Security Center"],"slug":[0,"security-center"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Patrick R. Donahue"],"slug":[0,"patrick"],"bio":[0,null],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1LQFonIW7hvlt7UKRMOzlk/268d04eef37cd375ab2063158e74dea2/patrick.png"],"location":[0,"San Francisco, CA"],"website":[0,"https://www.cloudflare.com"],"twitter":[0,"@prdonahue"],"facebook":[0,null]}],[0,{"name":[0,"Jesse Kipp"],"slug":[0,"jesse"],"bio":[0,null],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg"],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}]]],"meta_description":[0,"The data we glean from attacks trains our machine learning models and improves the efficacy of our network and application security products, but historically hasn’t been available to query directly. This week, we’re changing that."],"primary_author":[0,{}],"localeList":[0,{"name":[0,"Investigating threats using the Cloudflare Security Center Config"],"enUS":[0,"English for Locale"],"zhCN":[0,"Translated for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"Translated for Locale"],"frFR":[0,"Translated for Locale"],"deDE":[0,"Translated for Locale"],"itIT":[0,"Translated for Locale"],"jaJP":[0,"Translated for Locale"],"koKR":[0,"Translated for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"Translated for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,"https://blog.cloudflare.com/security-center-investigate"],"metadata":[0,{"title":[0,"Investigating threats using the Cloudflare Security Center"],"description":[0,"The data we glean from attacks trains our machine learning models and improves the efficacy of our network and application security products, but historically hasn’t been available to query directly. This week, we’re changing that."],"imgPreview":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4b35WZF52eub35pIhUAcMq/92c1ecaba06e66bf97fd627c39585f57/security-center-investigate-6hJj0O.png"]}]}],"translations":[0,{"posts.by":[0,"By"],"footer.gdpr":[0,"GDPR"],"lang_blurb1":[0,"This post is also available in {lang1}."],"lang_blurb2":[0,"This post is also available in {lang1} and {lang2}."],"lang_blurb3":[0,"This post is also available in {lang1}, {lang2} and {lang3}."],"footer.press":[0,"Press"],"header.title":[0,"The Cloudflare Blog"],"search.clear":[0,"Clear"],"search.filter":[0,"Filter"],"search.source":[0,"Source"],"footer.careers":[0,"Careers"],"footer.company":[0,"Company"],"footer.support":[0,"Support"],"footer.the_net":[0,"theNet"],"search.filters":[0,"Filters"],"footer.our_team":[0,"Our team"],"footer.webinars":[0,"Webinars"],"page.more_posts":[0,"More posts"],"posts.time_read":[0,"{time} min read"],"search.language":[0,"Language"],"footer.community":[0,"Community"],"footer.resources":[0,"Resources"],"footer.solutions":[0,"Solutions"],"footer.trademark":[0,"Trademark"],"header.subscribe":[0,"Subscribe"],"footer.compliance":[0,"Compliance"],"footer.free_plans":[0,"Free plans"],"footer.impact_ESG":[0,"Impact/ESG"],"posts.follow_on_X":[0,"Follow on X"],"footer.help_center":[0,"Help center"],"footer.network_map":[0,"Network Map"],"header.please_wait":[0,"Please Wait"],"page.related_posts":[0,"Related posts"],"search.result_stat":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong> for <strong>{search_keyword}</strong>"],"footer.case_studies":[0,"Case Studies"],"footer.connect_2024":[0,"Connect 2024"],"footer.terms_of_use":[0,"Terms of Use"],"footer.white_papers":[0,"White Papers"],"footer.cloudflare_tv":[0,"Cloudflare TV"],"footer.community_hub":[0,"Community Hub"],"footer.compare_plans":[0,"Compare plans"],"footer.contact_sales":[0,"Contact Sales"],"header.contact_sales":[0,"Contact Sales"],"header.email_address":[0,"Email Address"],"page.error.not_found":[0,"Page not found"],"footer.developer_docs":[0,"Developer docs"],"footer.privacy_policy":[0,"Privacy Policy"],"footer.request_a_demo":[0,"Request a demo"],"page.continue_reading":[0,"Continue reading"],"footer.analysts_report":[0,"Analyst reports"],"footer.for_enterprises":[0,"For enterprises"],"footer.getting_started":[0,"Getting Started"],"footer.learning_center":[0,"Learning Center"],"footer.project_galileo":[0,"Project Galileo"],"pagination.newer_posts":[0,"Newer Posts"],"pagination.older_posts":[0,"Older Posts"],"posts.social_buttons.x":[0,"Discuss on X"],"search.icon_aria_label":[0,"Search"],"search.source_location":[0,"Source/Location"],"footer.about_cloudflare":[0,"About Cloudflare"],"footer.athenian_project":[0,"Athenian Project"],"footer.become_a_partner":[0,"Become a partner"],"footer.cloudflare_radar":[0,"Cloudflare Radar"],"footer.network_services":[0,"Network services"],"footer.trust_and_safety":[0,"Trust & Safety"],"header.get_started_free":[0,"Get Started Free"],"page.search.placeholder":[0,"Search Cloudflare"],"footer.cloudflare_status":[0,"Cloudflare Status"],"footer.cookie_preference":[0,"Cookie Preferences"],"header.valid_email_error":[0,"Must be valid email."],"search.result_stat_empty":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong>"],"footer.connectivity_cloud":[0,"Connectivity cloud"],"footer.developer_services":[0,"Developer services"],"footer.investor_relations":[0,"Investor relations"],"page.not_found.error_code":[0,"Error Code: 404"],"search.autocomplete_title":[0,"Insert a query. Press enter to send"],"footer.logos_and_press_kit":[0,"Logos & press kit"],"footer.application_services":[0,"Application services"],"footer.get_a_recommendation":[0,"Get a recommendation"],"posts.social_buttons.reddit":[0,"Discuss on Reddit"],"footer.sse_and_sase_services":[0,"SSE and SASE services"],"page.not_found.outdated_link":[0,"You may have used an outdated link, or you may have typed the address incorrectly."],"footer.report_security_issues":[0,"Report Security Issues"],"page.error.error_message_page":[0,"Sorry, we can't find the page you are looking for."],"header.subscribe_notifications":[0,"Subscribe to receive notifications of new posts:"],"footer.cloudflare_for_campaigns":[0,"Cloudflare for Campaigns"],"header.subscription_confimation":[0,"Subscription confirmed. Thank you for subscribing!"],"posts.social_buttons.hackernews":[0,"Discuss on Hacker News"],"footer.diversity_equity_inclusion":[0,"Diversity, equity & inclusion"],"footer.critical_infrastructure_defense_project":[0,"Critical Infrastructure Defense Project"]}]}" ssr client="load" opts="{"name":"PostCard","value":true}" await-children> <article class="w-100 featured-post flex flex-row flex-wrap mb4 items-center bb b--gray8 bn-l mt4 mt2-l mb4 ph3 bb b--gray8 bn-l"> <div class="w-100"> <a href="https://blog-cloudflare-com.translate.goog/security-center-investigate/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw5 no-underline gray1" data-testid="post-title"><h2 class="fw5 mt2">Investigating threats using the Cloudflare Security Center</h2></a> <p class="f3 fw5 gray5 my" data-testid="post-date">2022-03-14</p> <div class=""> <a href="https://blog-cloudflare-com.translate.goog/tag/security-week/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Security Week</a><a href="https://blog-cloudflare-com.translate.goog/tag/threat-intelligence/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Threat Intelligence</a><a href="https://blog-cloudflare-com.translate.goog/tag/security-center/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Security Center</a> </div> <p class="f3 fw4 gray1 lh-copy " data-testid="post-content">The data we glean from attacks trains our machine learning models and improves the efficacy of our network and application security products, but historically hasn’t been available to query directly. This week, we’re changing that<!-- -->...</p> <ul class="author-lists flex pl0"> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/patrick/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1LQFonIW7hvlt7UKRMOzlk/268d04eef37cd375ab2063158e74dea2/patrick.png" alt="Patrick R. Donahue" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/patrick/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Patrick R. Donahue</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg" alt="Jesse Kipp" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Jesse Kipp</a> </div></li> </ul> </div> </article><!--astro:end--> </astro-island><astro-island uid="Z2wx83I" prefix="r10" component-url="/_astro/PostCard.CG32ktie.js" component-export="PostCard" renderer-url="/_astro/client.DLO1yDVm.js" props="{"post":[0,{"id":[0,"7vPEi0QIhuwlb050ssMzXB"],"title":[0,"A quirk in the SUNBURST DGA algorithm"],"slug":[0,"a-quirk-in-the-sunburst-dga-algorithm"],"excerpt":[0,"On Wednesday, December 16, the RedDrip Team from QiAnXin Technology released their discoveries (tweet, github) regarding the random subdomains associated with the SUNBURST malware which was present in the SolarWinds Orion compromise. I"],"featured":[0,false],"html":[0,"\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4y3VW6SLU672JNv2ExYhPt/5dc75005a2adcc9bb306992098032dad/Sunburst.png\" alt=\"\" class=\"kg-image\" width=\"1600\" height=\"898\" loading=\"lazy\"/>\n \n </figure><p>On Wednesday, December 16, the RedDrip Team from QiAnXin Technology <a href=\"https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug\">released their discoveries</a> (<a href=\"https://twitter.com/RedDrip7/status/1339168187619790848?s=20\">tweet</a>, <a href=\"https://github.com/RedDrip7/SunBurst_DGA_Decode\">github</a>) regarding the random subdomains associated with the SUNBURST malware which was present in the SolarWinds Orion compromise. In studying queries performed by the malware, Cloudflare has uncovered additional details about how the Domain Generation Algorithm (DGA) encodes data and exfiltrates the compromised hostname to the command and control servers.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"background\">Background</h3>\n <a href=\"#background\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>The RedDrip team discovered that the DNS queries are created by combining the previously reverse-engineered unique guid (based on hashing of hostname and MAC address) with a payload that is a custom base 32 encoding of the hostname. The article they published includes screenshots of decompiled or reimplemented C# functions that are included in the compromised DLL. This background primer summarizes their work so far (which is published in Chinese).</p><p>RedDrip discovered that the DGA subdomain portion of the query is split into three parts:</p><p><code><b>&lt;encoded_guid&gt; + &lt;byte&gt; + &lt;encoded_hostname&gt;</b></code></p><p>An example malicious domain is:</p><p><code><b>7cbtailjomqle1pjvr2d32i2voe60ce2.appsync-api.us-east-1.avsvmcloud.com</b></code></p><p>Where the domain is split into the three parts as</p><!--kg-card-begin: html--><style type=\"text/css\">\n.tg {border-collapse:collapse;border-spacing:0;}\n.tg td{border-color:black;border-style:solid;border-width:1px;font-family:Arial, sans-serif;font-size:14px;\n overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg th{border-color:black;border-style:solid;border-width:1px;font-family:Arial, sans-serif;font-size:14px;\n font-weight:normal;overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg .tg-yzei{border-color:#343434;font-size:18px;font-weight:bold;text-align:center;vertical-align:middle}\n.tg .tg-z6tn{border-color:#343434;font-size:18px;text-align:center;vertical-align:middle}\n.tg .tg-8tm3{background-color:#efefef;border-color:#343434;font-size:18px;text-align:center;vertical-align:middle}\n.tg .tg-v8qi{background-color:#efefef;border-color:#343434;font-size:18px;font-weight:bold;text-align:center;vertical-align:middle}\n</style>\n<table class=\"tg\" style=\"undefined;table-layout: fixed; width: 683px\">\n<colgroup>\n<col style=\"width: 265px\">\n<col style=\"width: 180px\">\n<col style=\"width: 238px\">\n</colgroup>\n<thead>\n <tr>\n <th class=\"tg-8tm3\"><span style=\"font-style:normal;text-decoration:none\">Encoded guid (15 chars)</span></th>\n <th class=\"tg-v8qi\"><span style=\"font-weight:bold\">byte</span></th>\n <th class=\"tg-v8qi\"><span style=\"font-weight:400;font-style:normal\">Encoded hostname</span></th>\n </tr>\n</thead>\n<tbody>\n <tr>\n <td class=\"tg-yzei\"><span style=\"font-weight:700;font-style:normal;text-decoration:none\">7cbtailjomqle1p</span></td>\n <td class=\"tg-z6tn\"><span style=\"font-weight:700;font-style:normal;text-decoration:none\">j</span></td>\n <td class=\"tg-z6tn\"><span style=\"font-weight:700;font-style:normal;text-decoration:none\">vr2d32i2voe60ce2</span></td>\n </tr>\n</tbody>\n</table><!--kg-card-end: html--><p>The work from the RedDrip Team focused on the encoded hostname portion of the string, we have made additional insights related to the encoded hostname and encoded guid portions.</p><p>At a high level the encoded hostnames take one of two encoding schemes. If all of the characters in the hostname are contained in the set of domain name-safe characters <code>&quot;0123456789abcdefghijklmnopqrstuvwxyz-_.&quot;</code> then the <code>OrionImprovementBusinessLayer.CryptoHelper.Base64Decode</code> algorithm, explained in the article, is used. If there are characters outside of that set in the hostname, then the <code>OrionImprovementBusinessLayer.CryptoHelper.Base64Encode</code> is used instead and ‘00’ is prepended to the encoding. This allows us to simply check if the first two characters of the encoded hostname are ‘00’ and know how the hostname is encoded.</p><p>These function names within the compromised DLL are meant to resemble the names of legitimate functions, but in fact perform the message encoding for the malware. The DLL function Base64Decode is meant to resemble the legitimate function name base64decode, but its purpose is actually to perform the encoding of the query (which is a variant of base32 encoding).</p><p>The RedDrip Team has posted Python code for encoding and decoding the queries, including identifying random characters inserted into the queries at regular character intervals.</p><p>One potential issue we encountered with their implementation is the inclusion of a check clause looking for a ‘0’ character in the encoded hostname (line 138 of the decoding script). This line causes the decoding algorithm to ignore any encoded hostnames that do not contain a ‘0’. We believe this was included because ‘0’ is the encoded value of a ‘0’, ‘.’, ‘-’ or ‘_’. Since fully qualified hostnames are comprised of multiple parts separated by ‘.’s, e.g. ‘example.com’, it makes sense to be expecting a ‘.’ in the unencoded hostname and therefore only consider encoded hostnames containing a ‘0’. However, this causes the decoder to ignore many of the recorded DGA domains.</p><p>As we explain below, we believe that long domains are split across multiple queries where the second half is much shorter and unlikely to include a ‘.’. For example ‘www2.example.c’ takes up one message, meaning that in order to transmit the entire domain ‘www2.example.c’ a second message containing just ‘om’ would also need to be sent. This second message does not contain a ‘.’ so its encoded form does not contain a ‘0’ and it is ignored in the RedDrip team’s implementation.</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"the-quirk-hostnames-are-split-across-multiple-queries\">The quirk: hostnames are split across multiple queries</h3>\n <a href=\"#the-quirk-hostnames-are-split-across-multiple-queries\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>A list of observed queries performed by the malware was published publicly on <a href=\"https://github.com/bambenek/research/blob/main/sunburst/uniq-hostnames.txt\">GitHub</a>. Applying the decoding script to this set of queries, we see some queries appear to be truncated, such as <code>grupobazar.loca</code>, but also some decoded hostnames are curiously short or incomplete, such as “com”, “.com”, or a single letter, such as “m”, or “l”.</p><p>When the hostname does not fit into the available payload section of the encoded query, it is split up across multiple queries. Queries are matched up by matching the GUID section after applying a byte-by-byte exclusive-or (xor).</p>\n <div class=\"flex anchor relative\">\n <h3 id=\"analysis-of-first-15-characters\">Analysis of first 15 characters</h3>\n <a href=\"#analysis-of-first-15-characters\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Noticing that long domains are split across multiple requests led us to believe that the first 16 characters encoded information to associate multipart messages. This would allow the receiver on the other end to correctly re-assemble the messages and get the entire domain. The RedDrip team identified the first 15 bytes as a GUID, we focused on those bytes and will refer to them subsequently as the header.</p><p>We found the following queries that we believed to be matches without knowing yet the correct pairings between message 1 and message 2 (payload has been altered):</p><p><b>Part 1 - Both decode to “www2.example.c”</b><code>r1q6arhpujcf6jb6qqqb0trmuhd1r0ee.appsync-api.us-west-2.avsvmcloud.com</code><code>r8stkst71ebqgj66qqqb0trmuhd1r0ee.appsync-api.us-west-2.avsvmcloud.com</code></p><p><b>Part 2 - Both decode to “om”</b><code>0oni12r13ficnkqb2h.appsync-api.us-west-2.avsvmcloud.com</code><code>ulfmcf44qd58t9e82h.appsync-api.us-west-2.avsvmcloud.com</code></p><p>This gives us a final combined payload of <b>www2.example.com</b></p><p>This example gave us two sets of messages where we were confident the second part was associated with the first part, and allowed us to find the following relationship where message1 is the header of the first message and message2 is the header of the second:</p><p><code>_Base32Decode(message1) XOR KEY = Base32Decode(message2)_</code></p><p>The KEY is a single character. That character is xor’d with each byte of the Base32Decoded first header to produce the Base32Decoded second header. We do not currently know how to infer what character is used as the key, but we can still match messages together without that information. Since A XOR B = C where we know A and C but not B, we can instead use A XOR C = B. This means that in order to pair messages together we simply need to look for messages where XOR’ing them together results in a repeating character (the key).</p><p><code><i>Base32Decode(message1) XOR Base32Decode(message2) = KEY</i></code></p><p>Looking at the examples above this becomes</p><!--kg-card-begin: html--><style type=\"text/css\">\n.tg {border-collapse:collapse;border-spacing:0;}\n.tg td{border-color:black;border-style:solid;border-width:1px;font-family:Arial, sans-serif;font-size:14px;\n overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg th{border-color:black;border-style:solid;border-width:1px;font-family:Arial, sans-serif;font-size:14px;\n font-weight:normal;overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg .tg-wa1i{font-weight:bold;text-align:center;vertical-align:middle}\n.tg .tg-0lax{text-align:left;vertical-align:top}\n</style>\n<table class=\"tg\">\n<thead>\n <tr>\n <th class=\"tg-wa1i\"></th>\n <th class=\"tg-wa1i\">Message 1</th>\n <th class=\"tg-wa1i\">Message 2</th>\n </tr>\n</thead>\n<tbody>\n <tr>\n <td class=\"tg-0lax\"><span style=\"font-style:normal;text-decoration:none\">Header</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none\">r1q6arhpujcf6jb</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none\">0oni12r13ficnkq</span></td>\n </tr>\n <tr>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none\">Base32Decode (binary)</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none\">101101000100110110111111011</span><br><span style=\"font-weight:400;font-style:normal;text-decoration:none\">010010000000011001010111111</span><br><span style=\"font-weight:400;font-style:normal;text-decoration:none\">01111000101001110100000101</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none\">110110010010000011010010000</span><br><span style=\"font-weight:400;font-style:normal;text-decoration:none\">001000110110110100111100100</span><br><span style=\"font-weight:400;font-style:normal;text-decoration:none\">00100011111111000000000100</span></td>\n </tr>\n</tbody>\n</table><!--kg-card-end: html--><p>We’ve truncated the results slightly, but below shows the two binary representations and the third line shows the result of the XOR.</p><p>101101000100110110111111011010010000000011001010111111011110001010011101110110010010000011010010000001000110110110100111100100001000111111110000011011010110110101101101011011010110110101101101011011010110110101101101</p><p>We can see the XOR result is the repeating sequence ‘01101101’meaning the original key was 0x6D or ‘m’.</p><p>We provide the following python code as an implementation for matching paired messages (Note: the decoding functions are those provided by the RedDrip team):</p>\n <pre class=\"language-bash\"><code class=\"language-bash\"># string1 is the first 15 characters of the first message\n# string2 is the first 15 characters of the second message\ndef is_match(string1, string2):\n encoded1 = Base32Decode(string1)\n encoded2 = Base32Decode(string2)\n xor_result = [chr(ord(a) ^ ord(b)) for a,b in zip(encoded1, encoded2)]\n match_char = xor_result[0]\n for character in xor_result[0:9]:\n if character != match_char:\n return False, None\n return True, &quot;0x{:02X}&quot;.format(ord(match_char))</pre></code>\n <p>The following are additional headers which based on the payload content Cloudflare is confident are pairs (the payload has been redacted because it contains hostname information that is not yet publicly available):</p><p><b>Example 1:</b></p><!--kg-card-begin: html--><style type=\"text/css\">\n.tg {border-collapse:collapse;border-spacing:0;}\n.tg td{border-color:black;border-style:solid;border-width:1px;font-family:Arial, sans-serif;font-size:14px;\n overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg th{border-color:black;border-style:solid;border-width:1px;font-family:Arial, sans-serif;font-size:18px;\n font-weight:normal;overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg .tg-0lax{font-size:20px;text-align:left;vertical-align:top}\n</style>\n<table class=\"tg\">\n<thead>\n <tr>\n <th class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none\">vrffaikp47gnsd4a</span></th>\n </tr>\n</thead>\n<tbody>\n <tr>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none\">aob0ceh5l8cr6mco</span></td>\n </tr>\n</tbody>\n</table><!--kg-card-end: html--><p>xorkey: 0x4E</p><p><b>Example 2:</b></p><!--kg-card-begin: html--><style type=\"text/css\">\n.tg {border-collapse:collapse;border-spacing:0;}\n.tg td{border-color:black;border-style:solid;border-width:1px;font-family:Arial, sans-serif;font-size:14px;\n overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg th{border-color:black;border-style:solid;border-width:1px;font-family:Arial, sans-serif;font-size:14px;\n font-weight:normal;overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg .tg-0lax{font-size:20px;text-align:left;vertical-align:top}\n</style>\n<table class=\"tg\">\n<thead>\n <tr>\n <th class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none\">vrffaikp47gnsd4a</span></th>\n </tr>\n</thead>\n<tbody>\n <tr>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none\">aob0ceh5l8cr6mco</span></td>\n </tr>\n</tbody>\n</table><!--kg-card-end: html--><p>xorkey: 0x54</p><p><b>Example 3:</b></p><!--kg-card-begin: html--><style type=\"text/css\">\n.tg {border-collapse:collapse;border-spacing:0;}\n.tg td{border-color:black;border-style:solid;border-width:1px;font-family:Arial, sans-serif;font-size:14px;\n overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg th{border-color:black;border-style:solid;border-width:1px;font-family:Arial, sans-serif;font-size:14px;\n font-weight:normal;overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg .tg-60hs{font-size:20px;text-align:left;vertical-align:top}\n</style>\n<table class=\"tg\">\n<thead>\n <tr>\n <th class=\"tg-60hs\"><span style=\"font-weight:400;font-style:normal;text-decoration:none\">vvu7884g0o86pr4a</span></th>\n </tr>\n</thead>\n<tbody>\n <tr>\n <td class=\"tg-60hs\"><span style=\"font-weight:400;font-style:normal;text-decoration:none\">6gpt7s654cfn4h6h</span></td>\n </tr>\n</tbody>\n</table><!--kg-card-end: html--><p>xorkey: 0x2B</p><p>We hypothesize that the xorkey can be derived from the header bytes and/or padding byte of the two messages, though we have not yet determined the relationship.</p><hr/>\n <div class=\"flex anchor relative\">\n <h2 id=\"update-12-18-2020\">Update (12/18/2020):</h2>\n <a href=\"#update-12-18-2020\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Erik Hjelmvik posted a blog <a href=\"https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS\">explaining where the xor key is located</a>. Based on his code, we provide a python implementation for converting the header (first 16 bytes) into the decoded GUID as a string. Messages can then be paired by matching GUID’s to reconstruct the full hostname.</p>\n <pre class=\"language-bash\"><code class=\"language-bash\">def decrypt_secure_string(header):\n decoded = Base32Decode(header[0:16])\n xor_key = ord(decoded[0])\n decrypted = [&quot;{0:02x}&quot;.format(ord(b) ^ xor_key) for b in decoded]\n return &#039;&#039;.join(decrypted[1:9])</pre></code>\n <p>Updated example:</p><!--kg-card-begin: html--><style type=\"text/css\">\n.tg {border-collapse:collapse;border-spacing:0;}\n.tg td{border-color:black;border-style:solid;border-width:1px;font-family:Arial, sans-serif;font-size:14px;\n overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg th{border-color:black;border-style:solid;border-width:1px;font-family:Arial, sans-serif;font-size:14px;\n font-weight:normal;overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg .tg-wa1i{font-weight:bold;text-align:center;vertical-align:middle}\n.tg .tg-0lax{text-align:left;vertical-align:top}\n</style>\n<table class=\"tg\">\n<thead>\n <tr>\n <th class=\"tg-wa1i\"></th>\n <th class=\"tg-wa1i\">Message 1</th>\n <th class=\"tg-wa1i\">Message 2</th>\n </tr>\n</thead>\n<tbody>\n <tr>\n <td class=\"tg-0lax\"><span style=\"font-style:normal;text-decoration:none\">Header</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none\">r1q6arhpujcf6jb</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none\">0oni12r13ficnkq</span></td>\n </tr>\n <tr>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none\">Base32Decode Header (hex)</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none\">b44dbf6900cafde29d05</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none\">d920d2046da7908ff004</td>\n </tr>\n <tr>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none\">Base32Decode first byte (xor key)</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none\">0xb4</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none\">0xd9</td>\n </tr>\n <tr>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none\">XOR result (hex)\n</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none\">00f90bddb47e495629</span></td>\n <td class=\"tg-0lax\"><span style=\"font-weight:400;font-style:normal;text-decoration:none\">00f90bddb47e495629</td>\n </tr>\n</tbody>\n</table><!--kg-card-end: html-->"],"published_at":[0,"2020-12-18T00:30:00.000+00:00"],"updated_at":[0,"2024-10-10T00:44:19.855Z"],"feature_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5lypqCT188LGgkVsUxun0K/beb63fa4b8ff6791d1e97ff470214230/a-quirk-in-the-sunburst-dga-algorithm.png"],"tags":[1,[[0,{"id":[0,"3QNaVNNpUXrfZYUGDJkXwA"],"name":[0,"Cloudflare Zero Trust"],"slug":[0,"cloudflare-zero-trust"]}],[0,{"id":[0,"15qx2Nvwrm4X8zknw3vXgC"],"name":[0,"Cloudflare Gateway"],"slug":[0,"gateway"]}],[0,{"id":[0,"2UVIYusJwlvsmPYl2AvSuR"],"name":[0,"Deep Dive"],"slug":[0,"deep-dive"]}],[0,{"id":[0,"6hv2Z69PGr0qU411KfQNUE"],"name":[0,"Threat Intelligence"],"slug":[0,"threat-intelligence"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Nick Blazier"],"slug":[0,"nick-blazier"],"bio":[0,null],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6EqysfZ9O4B7fiqUFUpnuO/eb6b0dbd838f46c5275aed437b76e95f/nick-blazier.png"],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}],[0,{"name":[0,"Jesse Kipp"],"slug":[0,"jesse"],"bio":[0,null],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg"],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}]]],"meta_description":[0,null],"primary_author":[0,{}],"localeList":[0,{"name":[0,"A quirk in the SUNBURST DGA algorithm Config"],"enUS":[0,"English for Locale"],"zhCN":[0,"No Page for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"No Page for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"No Page for Locale"],"koKR":[0,"No Page for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"No Page for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,"https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm"],"metadata":[0,{"title":[0],"description":[0],"imgPreview":[0,""]}]}],"translations":[0,{"posts.by":[0,"By"],"footer.gdpr":[0,"GDPR"],"lang_blurb1":[0,"This post is also available in {lang1}."],"lang_blurb2":[0,"This post is also available in {lang1} and {lang2}."],"lang_blurb3":[0,"This post is also available in {lang1}, {lang2} and {lang3}."],"footer.press":[0,"Press"],"header.title":[0,"The Cloudflare Blog"],"search.clear":[0,"Clear"],"search.filter":[0,"Filter"],"search.source":[0,"Source"],"footer.careers":[0,"Careers"],"footer.company":[0,"Company"],"footer.support":[0,"Support"],"footer.the_net":[0,"theNet"],"search.filters":[0,"Filters"],"footer.our_team":[0,"Our team"],"footer.webinars":[0,"Webinars"],"page.more_posts":[0,"More posts"],"posts.time_read":[0,"{time} min read"],"search.language":[0,"Language"],"footer.community":[0,"Community"],"footer.resources":[0,"Resources"],"footer.solutions":[0,"Solutions"],"footer.trademark":[0,"Trademark"],"header.subscribe":[0,"Subscribe"],"footer.compliance":[0,"Compliance"],"footer.free_plans":[0,"Free plans"],"footer.impact_ESG":[0,"Impact/ESG"],"posts.follow_on_X":[0,"Follow on X"],"footer.help_center":[0,"Help center"],"footer.network_map":[0,"Network Map"],"header.please_wait":[0,"Please Wait"],"page.related_posts":[0,"Related posts"],"search.result_stat":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong> for <strong>{search_keyword}</strong>"],"footer.case_studies":[0,"Case Studies"],"footer.connect_2024":[0,"Connect 2024"],"footer.terms_of_use":[0,"Terms of Use"],"footer.white_papers":[0,"White Papers"],"footer.cloudflare_tv":[0,"Cloudflare TV"],"footer.community_hub":[0,"Community Hub"],"footer.compare_plans":[0,"Compare plans"],"footer.contact_sales":[0,"Contact Sales"],"header.contact_sales":[0,"Contact Sales"],"header.email_address":[0,"Email Address"],"page.error.not_found":[0,"Page not found"],"footer.developer_docs":[0,"Developer docs"],"footer.privacy_policy":[0,"Privacy Policy"],"footer.request_a_demo":[0,"Request a demo"],"page.continue_reading":[0,"Continue reading"],"footer.analysts_report":[0,"Analyst reports"],"footer.for_enterprises":[0,"For enterprises"],"footer.getting_started":[0,"Getting Started"],"footer.learning_center":[0,"Learning Center"],"footer.project_galileo":[0,"Project Galileo"],"pagination.newer_posts":[0,"Newer Posts"],"pagination.older_posts":[0,"Older Posts"],"posts.social_buttons.x":[0,"Discuss on X"],"search.icon_aria_label":[0,"Search"],"search.source_location":[0,"Source/Location"],"footer.about_cloudflare":[0,"About Cloudflare"],"footer.athenian_project":[0,"Athenian Project"],"footer.become_a_partner":[0,"Become a partner"],"footer.cloudflare_radar":[0,"Cloudflare Radar"],"footer.network_services":[0,"Network services"],"footer.trust_and_safety":[0,"Trust & Safety"],"header.get_started_free":[0,"Get Started Free"],"page.search.placeholder":[0,"Search Cloudflare"],"footer.cloudflare_status":[0,"Cloudflare Status"],"footer.cookie_preference":[0,"Cookie Preferences"],"header.valid_email_error":[0,"Must be valid email."],"search.result_stat_empty":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong>"],"footer.connectivity_cloud":[0,"Connectivity cloud"],"footer.developer_services":[0,"Developer services"],"footer.investor_relations":[0,"Investor relations"],"page.not_found.error_code":[0,"Error Code: 404"],"search.autocomplete_title":[0,"Insert a query. Press enter to send"],"footer.logos_and_press_kit":[0,"Logos & press kit"],"footer.application_services":[0,"Application services"],"footer.get_a_recommendation":[0,"Get a recommendation"],"posts.social_buttons.reddit":[0,"Discuss on Reddit"],"footer.sse_and_sase_services":[0,"SSE and SASE services"],"page.not_found.outdated_link":[0,"You may have used an outdated link, or you may have typed the address incorrectly."],"footer.report_security_issues":[0,"Report Security Issues"],"page.error.error_message_page":[0,"Sorry, we can't find the page you are looking for."],"header.subscribe_notifications":[0,"Subscribe to receive notifications of new posts:"],"footer.cloudflare_for_campaigns":[0,"Cloudflare for Campaigns"],"header.subscription_confimation":[0,"Subscription confirmed. Thank you for subscribing!"],"posts.social_buttons.hackernews":[0,"Discuss on Hacker News"],"footer.diversity_equity_inclusion":[0,"Diversity, equity & inclusion"],"footer.critical_infrastructure_defense_project":[0,"Critical Infrastructure Defense Project"]}]}" ssr client="load" opts="{"name":"PostCard","value":true}" await-children> <article class="w-100 featured-post flex flex-row flex-wrap mb4 items-center bb b--gray8 bn-l mt4 mt2-l mb4 ph3 bb b--gray8 bn-l"> <div class="w-100"> <a href="https://blog-cloudflare-com.translate.goog/a-quirk-in-the-sunburst-dga-algorithm/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw5 no-underline gray1" data-testid="post-title"><h2 class="fw5 mt2">A quirk in the SUNBURST DGA algorithm</h2></a> <p class="f3 fw5 gray5 my" data-testid="post-date">2020-12-18</p> <div class=""> <a href="https://blog-cloudflare-com.translate.goog/tag/cloudflare-zero-trust/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Cloudflare Zero Trust</a><a href="https://blog-cloudflare-com.translate.goog/tag/gateway/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Cloudflare Gateway</a><a href="https://blog-cloudflare-com.translate.goog/tag/deep-dive/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Deep Dive</a><a href="https://blog-cloudflare-com.translate.goog/tag/threat-intelligence/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Threat Intelligence</a> </div> <p class="f3 fw4 gray1 lh-copy " data-testid="post-content">On Wednesday, December 16, the RedDrip Team from QiAnXin Technology released their discoveries (tweet, github) regarding the random subdomains associated with the SUNBURST malware which was present in the SolarWinds Orion compromise. I<!-- -->...</p> <ul class="author-lists flex pl0"> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/nick-blazier/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6EqysfZ9O4B7fiqUFUpnuO/eb6b0dbd838f46c5275aed437b76e95f/nick-blazier.png" alt="Nick Blazier" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/nick-blazier/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Nick Blazier</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg" alt="Jesse Kipp" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Jesse Kipp</a> </div></li> </ul> </div> </article><!--astro:end--> </astro-island><astro-island uid="29upqm" prefix="r11" component-url="/_astro/PostCard.CG32ktie.js" component-export="PostCard" renderer-url="/_astro/client.DLO1yDVm.js" props="{"post":[0,{"id":[0,"30Os7AAonyy1SG1pggD5FD"],"title":[0,"Trend data on the SolarWinds Orion compromise"],"slug":[0,"solarwinds-orion-compromise-trend-data"],"excerpt":[0,"Analyzing SUNBURST malware activity seen on Cloudflare’s public DNS resolver."],"featured":[0,false],"html":[0,"\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/pVVnPbefiJuZhkvsVLLhM/3d6ca91de10b453190dc842acd3d936f/image5-25-2.png\" alt=\"Investigation into SolarWinds Orion compromise\" class=\"kg-image\" width=\"2000\" height=\"949\" loading=\"lazy\"/>\n \n </figure><p>On Sunday, December 13, <a href=\"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\">FireEye released a report</a> on a sophisticated supply chain attack leveraging SolarWinds&#39; Orion IT monitoring software. The malware was distributed as part of regular updates to Orion and had a valid digital signature.</p><p>One of the notable features of the malware is the way it hides its network traffic using a multi-staged approach. First, the malware determines its command and control (C2) server using a domain generation algorithm (DGA) to construct and resolve a subdomain of avsvmcloud[.]com.</p><p>These algorithmically generated strings are added as a subdomain of one of the following <a href=\"https://www.cloudflare.com/learning/dns/glossary/what-is-a-domain-name/\">domain names</a> to create a new fully-qualified domain name to resolve:</p><p><code>.appsync-api[.]eu-west-1[.]avsvmcloud[.]com.appsync-api[.]us-west-2[.]avsvmcloud[.]com.appsync-api[.]us-east-1[.]avsvmcloud[.]com.appsync-api[.]us-east-2[.]avsvmcloud[.]com</code></p><p>An example of such a domain name might look like: <code>hig4gcdkgjkrt24v6isue7ax09nksd[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com</code></p><p>The <a href=\"https://www.cloudflare.com/learning/dns/what-is-dns/\">DNS query response</a> to a subdomain of one of the above will return a CNAME record that points to another C2 domain, which is used for <a href=\"https://www.cloudflare.com/learning/security/what-is-data-exfiltration/\">data exfiltration</a>. The following subdomains were identified as the C2 domains used for data exfiltration:</p><p><code>freescanonline[.]comdeftsecurity[.]comthedoccloud[.]comwebsitetheme[.]comhighdatabase[.]comincomeupdate[.]comdatabasegalore[.]companhardware[.]comzupertech[.]comvirtualdataserver[.]comdigitalcollege[.]org</code></p>\n <div class=\"flex anchor relative\">\n <h3 id=\"malware-activity-seen-on-cloudflares-public-dns-resolver-1-1-1-1\">Malware activity seen on Cloudflare’s public DNS resolver 1.1.1.1</h3>\n <a href=\"#malware-activity-seen-on-cloudflares-public-dns-resolver-1-1-1-1\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Using the published details about the network observables of the malware, we analyzed DNS query traffic to the identified malicious hostnames. Because 1.1.1.1 has a strong, audited privacy policy, we are unable to identify the source IP of users connecting to the malicious hostname — we can only see aggregated trends.</p><p>We first noticed a spike in DNS traffic through Cloudflare’s 1.1.1.1 resolver to avsvmcloud[.]com starting in April 2020:</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2ZWBXX6eLKIO4Of4Kg39Uv/d67581bab72556724dc9124bfcad9765/image2-38.png\" alt=\"We first noticed a spike in DNS traffic through Cloudflare’s 1.1.1.1 resolver to avsvmcloud[.]com starting in April 2020\" class=\"kg-image\" width=\"1999\" height=\"1523\" loading=\"lazy\"/>\n \n </figure><p>Reviewing the subdomain data, a specific pattern of DGA domains emerged as early as April. These subdomains followed a format, (e.g. {dga-string}[.]appsync-api[.]{region}[.]avsvmcloud[.]com). As time went on, the attackers added more unique subdomains. The graph below depicts the unique newly observed subdomains of avsvmcloud[.]com on a weekly basis.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1D3doHZQGkyshB57sqmSco/85272385a5a21be1cf94d22c046e2c79/image1-60.png\" alt=\"\" class=\"kg-image\" width=\"1999\" height=\"1421\" loading=\"lazy\"/>\n \n </figure><p>As illustrated in the graphs, we noticed a major rise in activity over the summer, with total subdomains observed reaching steady state in September.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7AABBhH8eD4LqWDdLRFW1S/9c60e34e2eba12abc3171cc5d600b97e/image4-23.png\" alt=\"\" class=\"kg-image\" width=\"1999\" height=\"1377\" loading=\"lazy\"/>\n \n </figure><p>While the growth of unique names slowed down starting in October, the geographic distribution continued to change during the entire course of the attack. During the first few weeks of the attack, queries originated almost entirely from clients in North America and Europe. In May, the source of queries began to spread across the globe. By July, the queries began to cluster again, this time in South America, before returning to originate primarily from North America in November.</p>\n <figure class=\"kg-card kg-image-card \">\n \n <Image src=\"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4j9ld3C9PcQdXv1Whn9Ir2/22021d3d41a25fedeb497a89fa2412bb/image3.gif\" alt=\"\" class=\"kg-image\" width=\"1200\" height=\"657\" loading=\"lazy\"/>\n \n </figure>\n <div class=\"flex anchor relative\">\n <h3 id=\"protecting-our-customers-from-malicious-activity\">Protecting our customers from malicious activity</h3>\n <a href=\"#protecting-our-customers-from-malicious-activity\" aria-hidden=\"true\" class=\"relative sm:absolute sm:-left-5\">\n <svg width=\"16\" height=\"16\" viewBox=\"0 0 24 24\"><path fill=\"currentcolor\" d=\"m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\"></path></svg>\n </a>\n </div>\n <p>Cloudflare’s 1.1.1.1 resolver has strict privacy protections, so we can only see trends of this attack. We cannot notify users that they might be compromised, because we intentionally do not know who those users are. For customers of Cloudflare Gateway, however, we can help them block these types of threats, and identify cases where they might be compromised.</p><p>Cloudflare Gateway consists of features that secure how users and devices connect to the Internet. Gateway’s DNS filtering feature is built on the same technology that powers 1.1.1.1, and adds security filtering and logging.</p><p>Following the FireEye report, Cloudflare blocked access to the C2 domains used in this attack for customers using the “Malware” category in Gateway, as well as for customers using 1.1.1.1 for Families (1.1.1.2 &amp; 1.1.1.3).</p><p>Our response team is working with customers to search logs for queries related to the malicious domains. Gateway customers can also download logs of their DNS query traffic and investigate on their own.</p>"],"published_at":[0,"2020-12-16T17:00:41.000+00:00"],"updated_at":[0,"2024-11-22T18:59:08.834Z"],"feature_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4Q40OQS4X9lWrapglxsMpG/d9b0f5173f28bac09d7ea15d92146f95/solarwinds-orion-compromise-trend-data.png"],"tags":[1,[[0,{"id":[0,"3QNaVNNpUXrfZYUGDJkXwA"],"name":[0,"Cloudflare Zero Trust"],"slug":[0,"cloudflare-zero-trust"]}],[0,{"id":[0,"15qx2Nvwrm4X8zknw3vXgC"],"name":[0,"Cloudflare Gateway"],"slug":[0,"gateway"]}],[0,{"id":[0,"J61Eszqn98amrYHq4IhTx"],"name":[0,"Zero Trust"],"slug":[0,"zero-trust"]}],[0,{"id":[0,"6Mp7ouACN2rT3YjL1xaXJx"],"name":[0,"Security"],"slug":[0,"security"]}],[0,{"id":[0,"3yArjf0gLKZy8ObEDxbNNi"],"name":[0,"Trends"],"slug":[0,"trends"]}],[0,{"id":[0,"6hv2Z69PGr0qU411KfQNUE"],"name":[0,"Threat Intelligence"],"slug":[0,"threat-intelligence"]}]]],"relatedTags":[0],"authors":[1,[[0,{"name":[0,"Malavika Balachandran Tadeusz"],"slug":[0,"malavika"],"bio":[0,null],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/16Bo7z9Gk1GMc1C6ZeGooZ/4095eddee72765a4c03696dfcc23f7a5/malavika.png"],"location":[0,null],"website":[0,null],"twitter":[0,"@malavikabala"],"facebook":[0,null]}],[0,{"name":[0,"Jesse Kipp"],"slug":[0,"jesse"],"bio":[0,null],"profile_image":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg"],"location":[0,null],"website":[0,null],"twitter":[0,null],"facebook":[0,null]}]]],"meta_description":[0,"Analyzing SUNBURST malware activity seen on Cloudflare’s public DNS resolver"],"primary_author":[0,{}],"localeList":[0,{"name":[0,"Trend data on the SolarWinds Orion compromise Config"],"enUS":[0,"English for Locale"],"zhCN":[0,"No Page for Locale"],"zhHansCN":[0,"No Page for Locale"],"zhTW":[0,"No Page for Locale"],"frFR":[0,"No Page for Locale"],"deDE":[0,"No Page for Locale"],"itIT":[0,"No Page for Locale"],"jaJP":[0,"No Page for Locale"],"koKR":[0,"No Page for Locale"],"ptBR":[0,"No Page for Locale"],"esLA":[0,"No Page for Locale"],"esES":[0,"No Page for Locale"],"enAU":[0,"No Page for Locale"],"enCA":[0,"No Page for Locale"],"enIN":[0,"No Page for Locale"],"enGB":[0,"No Page for Locale"],"idID":[0,"No Page for Locale"],"ruRU":[0,"No Page for Locale"],"svSE":[0,"No Page for Locale"],"viVN":[0,"No Page for Locale"],"plPL":[0,"No Page for Locale"],"arAR":[0,"No Page for Locale"],"nlNL":[0,"No Page for Locale"],"thTH":[0,"No Page for Locale"],"trTR":[0,"No Page for Locale"],"heIL":[0,"No Page for Locale"],"lvLV":[0,"No Page for Locale"],"etEE":[0,"No Page for Locale"],"ltLT":[0,"No Page for Locale"]}],"url":[0,"https://blog.cloudflare.com/solarwinds-orion-compromise-trend-data"],"metadata":[0,{"title":[0,"Trend data on the SolarWinds Orion compromise"],"description":[0,"Analyzing SUNBURST malware activity seen on Cloudflare’s public DNS resolver"],"imgPreview":[0,"https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5gAwFPZps1Auz2mQhlBb9V/ce0d544797a671398e679095b8362c86/solarwinds-orion-compromise-trend-data-xKEvt7.png"]}]}],"translations":[0,{"posts.by":[0,"By"],"footer.gdpr":[0,"GDPR"],"lang_blurb1":[0,"This post is also available in {lang1}."],"lang_blurb2":[0,"This post is also available in {lang1} and {lang2}."],"lang_blurb3":[0,"This post is also available in {lang1}, {lang2} and {lang3}."],"footer.press":[0,"Press"],"header.title":[0,"The Cloudflare Blog"],"search.clear":[0,"Clear"],"search.filter":[0,"Filter"],"search.source":[0,"Source"],"footer.careers":[0,"Careers"],"footer.company":[0,"Company"],"footer.support":[0,"Support"],"footer.the_net":[0,"theNet"],"search.filters":[0,"Filters"],"footer.our_team":[0,"Our team"],"footer.webinars":[0,"Webinars"],"page.more_posts":[0,"More posts"],"posts.time_read":[0,"{time} min read"],"search.language":[0,"Language"],"footer.community":[0,"Community"],"footer.resources":[0,"Resources"],"footer.solutions":[0,"Solutions"],"footer.trademark":[0,"Trademark"],"header.subscribe":[0,"Subscribe"],"footer.compliance":[0,"Compliance"],"footer.free_plans":[0,"Free plans"],"footer.impact_ESG":[0,"Impact/ESG"],"posts.follow_on_X":[0,"Follow on X"],"footer.help_center":[0,"Help center"],"footer.network_map":[0,"Network Map"],"header.please_wait":[0,"Please Wait"],"page.related_posts":[0,"Related posts"],"search.result_stat":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong> for <strong>{search_keyword}</strong>"],"footer.case_studies":[0,"Case Studies"],"footer.connect_2024":[0,"Connect 2024"],"footer.terms_of_use":[0,"Terms of Use"],"footer.white_papers":[0,"White Papers"],"footer.cloudflare_tv":[0,"Cloudflare TV"],"footer.community_hub":[0,"Community Hub"],"footer.compare_plans":[0,"Compare plans"],"footer.contact_sales":[0,"Contact Sales"],"header.contact_sales":[0,"Contact Sales"],"header.email_address":[0,"Email Address"],"page.error.not_found":[0,"Page not found"],"footer.developer_docs":[0,"Developer docs"],"footer.privacy_policy":[0,"Privacy Policy"],"footer.request_a_demo":[0,"Request a demo"],"page.continue_reading":[0,"Continue reading"],"footer.analysts_report":[0,"Analyst reports"],"footer.for_enterprises":[0,"For enterprises"],"footer.getting_started":[0,"Getting Started"],"footer.learning_center":[0,"Learning Center"],"footer.project_galileo":[0,"Project Galileo"],"pagination.newer_posts":[0,"Newer Posts"],"pagination.older_posts":[0,"Older Posts"],"posts.social_buttons.x":[0,"Discuss on X"],"search.icon_aria_label":[0,"Search"],"search.source_location":[0,"Source/Location"],"footer.about_cloudflare":[0,"About Cloudflare"],"footer.athenian_project":[0,"Athenian Project"],"footer.become_a_partner":[0,"Become a partner"],"footer.cloudflare_radar":[0,"Cloudflare Radar"],"footer.network_services":[0,"Network services"],"footer.trust_and_safety":[0,"Trust & Safety"],"header.get_started_free":[0,"Get Started Free"],"page.search.placeholder":[0,"Search Cloudflare"],"footer.cloudflare_status":[0,"Cloudflare Status"],"footer.cookie_preference":[0,"Cookie Preferences"],"header.valid_email_error":[0,"Must be valid email."],"search.result_stat_empty":[0,"Results <strong>{search_range}</strong> of <strong>{search_total}</strong>"],"footer.connectivity_cloud":[0,"Connectivity cloud"],"footer.developer_services":[0,"Developer services"],"footer.investor_relations":[0,"Investor relations"],"page.not_found.error_code":[0,"Error Code: 404"],"search.autocomplete_title":[0,"Insert a query. Press enter to send"],"footer.logos_and_press_kit":[0,"Logos & press kit"],"footer.application_services":[0,"Application services"],"footer.get_a_recommendation":[0,"Get a recommendation"],"posts.social_buttons.reddit":[0,"Discuss on Reddit"],"footer.sse_and_sase_services":[0,"SSE and SASE services"],"page.not_found.outdated_link":[0,"You may have used an outdated link, or you may have typed the address incorrectly."],"footer.report_security_issues":[0,"Report Security Issues"],"page.error.error_message_page":[0,"Sorry, we can't find the page you are looking for."],"header.subscribe_notifications":[0,"Subscribe to receive notifications of new posts:"],"footer.cloudflare_for_campaigns":[0,"Cloudflare for Campaigns"],"header.subscription_confimation":[0,"Subscription confirmed. Thank you for subscribing!"],"posts.social_buttons.hackernews":[0,"Discuss on Hacker News"],"footer.diversity_equity_inclusion":[0,"Diversity, equity & inclusion"],"footer.critical_infrastructure_defense_project":[0,"Critical Infrastructure Defense Project"]}]}" ssr client="load" opts="{"name":"PostCard","value":true}" await-children> <article class="w-100 featured-post flex flex-row flex-wrap mb4 items-center bb b--gray8 bn-l mt4 mt2-l mb4 ph3 bb b--gray8 bn-l"> <div class="w-100"> <a href="https://blog-cloudflare-com.translate.goog/solarwinds-orion-compromise-trend-data/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw5 no-underline gray1" data-testid="post-title"><h2 class="fw5 mt2">Trend data on the SolarWinds Orion compromise</h2></a> <p class="f3 fw5 gray5 my" data-testid="post-date">2020-12-16</p> <div class=""> <a href="https://blog-cloudflare-com.translate.goog/tag/cloudflare-zero-trust/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Cloudflare Zero Trust</a><a href="https://blog-cloudflare-com.translate.goog/tag/gateway/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Cloudflare Gateway</a><a href="https://blog-cloudflare-com.translate.goog/tag/zero-trust/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Zero Trust</a><a href="https://blog-cloudflare-com.translate.goog/tag/security/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Security</a><a href="https://blog-cloudflare-com.translate.goog/tag/trends/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Trends</a><a href="https://blog-cloudflare-com.translate.goog/tag/threat-intelligence/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Threat Intelligence</a> </div> <p class="f3 fw4 gray1 lh-copy " data-testid="post-content">Analyzing SUNBURST malware activity seen on Cloudflare’s public DNS resolver.<!-- -->...</p> <ul class="author-lists flex pl0"> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/malavika/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/16Bo7z9Gk1GMc1C6ZeGooZ/4095eddee72765a4c03696dfcc23f7a5/malavika.png" alt="Malavika Balachandran Tadeusz" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/malavika/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Malavika Balachandran Tadeusz</a> </div></li> <li class="list flex items-center pr2 mb3"><a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8yRqemLc8lLhE9Uwzd7G4/a303cca84c1840cc961831f1ea6b4213/jesse.jpg" alt="Jesse Kipp" width="62" height="62"></a> <div class="author-name-tooltip"> <a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB" class="fw4 f3 no-underline black">Jesse Kipp</a> </div></li> </ul> </div> </article><!--astro:end--> </astro-island> <div class="pagination mw-100 center mv5 ph3 w-100 tc"> <div class="center w-50-l w-100"> <div class="flex items-center justify-center justify-around-m "> <ul class="flex list ml3" style="padding-inline-start:inherit"> <li class="gray"><a class="no-underline underline-hover dib-m dib-l mr1 gray3 " href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB">1</a></li> </ul> </div> </div> </div> </main> <footer class="pt4 pb4 pl1 pr1 main-footer"> <div class="mw8 center dn db-l ph3"> <div class="flex flex-row justify-between"> <div class="main-footer__menu-group"> <ul id="getting-started-menu" class="list pl0"> <li class="pt1 pb1 f1 main-footer__menu-group__header js-toggle-footer-group" data-submenu="getting-started-menu">Getting Started<i class="icon-caret-down"></i></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/plans/free/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="free-plans" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Free plans</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/enterprise/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="enterprise" class="f1 blue3 no-underline underline-hover" rel="noreferrer">For enterprises</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/plans/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="compare-plans" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Compare plans</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/about-your-website/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="get-a-recommendation" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Get a recommendation</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/plans/enterprise/demo/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="request-a-demo" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Request a demo</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/plans/enterprise/contact/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="contact-sales" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Contact Sales</a></li> </ul> </div> <div class="main-footer__menu-group"> <ul id="company-menu" class="list pl0"> <li class="pt1 pb1 f1" data-submenu="company-menu">Resources<i class="icon-caret-down"></i></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/learning/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="learning-center" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Learning Center</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/analysts/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="analysts-report" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Analyst reports</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://radar.cloudflare.com/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="overview" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Cloudflare Radar</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://cloudflare.tv/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="tv" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Cloudflare TV</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/case-studies/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="case-studies" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Case Studies</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/resource-hub/?resourcetype%3DWebinar" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="webinars" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Webinars</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/resource-hub/?resourcetype%3DWhitepaper" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="white-papers" class="f1 blue3 no-underline underline-hover" rel="noreferrer">White Papers</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://developers.cloudflare.com" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="developer-docs" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Developer docs</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/the-net/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="theNet" class="f1 blue3 no-underline underline-hover" rel="noreferrer">theNet</a></li> </ul> </div> <div class="main-footer__menu-group"> <ul id="sales-menu" class="list pl0"> <li class="pt1 pb1 f1 main-footer__menu-group__header js-toggle-footer-group" data-submenu="sales-menu">Solutions<i class="icon-caret-down"></i></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/connectivity-cloud/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="connectivity-cloud" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Connectivity cloud</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/zero-trust/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="zero-trust" class="f1 blue3 no-underline underline-hover" rel="noreferrer">SSE and SASE services</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/application-services/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="application-services" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Application services</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/network-services/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="network-services" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Network services</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/developer-platform/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="developer-services" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Developer services</a></li> </ul> </div> <div class="main-footer__menu-group"> <ul id="community-menu" class="list pl0"> <li class="pt1 pb1 f1 main-footer__menu-group__header js-toggle-footer-group" data-submenu="community-menu">Community<i class="icon-caret-down"></i></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://community.cloudflare.com" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="community_hub" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Community Hub</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/galileo/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="galileo" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Project Galileo</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/athenian/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="athenian" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Athenian Project</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/campaigns/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="cloudflare-for-campaigns" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Cloudflare for Campaigns</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/partners/technology-partners/cidp/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="critical-infrastructure-defense-project" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Critical Infrastructure Defense Project</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/connect2024/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="connect-2024" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Connect 2024</a></li> </ul> </div> <div class="main-footer__menu-group"> <ul id="support-menu" class="list pl0"> <li class="pt1 pb1 f1 main-footer__menu-group__header js-toggle-footer-group" data-submenu="support-menu">Support<i class="icon-caret-down"></i></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://support.cloudflare.com" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="help-center" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Help center</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflarestatus.com" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="status" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Cloudflare Status</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/compliance/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="compliance" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Compliance</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/gdpr/introduction/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="gdpr" class="f1 blue3 no-underline underline-hover" rel="noreferrer">GDPR</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/trust-hub/abuse-approach/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="trust-and-safety" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Trust & Safety</a></li> </ul> </div> <div class="main-footer__menu-group"> <ul id="company-menu" class="list pl0"> <li class="pt1 pb1 f1 main-footer__menu-group__header js-toggle-footer-group" data-submenu="company-menu">Company<i class="icon-caret-down"></i></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/about-overview/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="overview" class="f1 blue3 no-underline underline-hover" rel="noreferrer">About Cloudflare</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/people/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="our_team" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Our team</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://cloudflare.net/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="investor-relations" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Investor relations</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/press/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="press" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Press</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/careers/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="careers" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Careers</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/diversity-equity-and-inclusion/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="diversity-equity-inclusion" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Diversity, equity & inclusion</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/impact/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="impact-ESG" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Impact/ESG</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/network/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="network_map" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Network Map</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/press-kit/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="press-kit" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Logos & press kit</a></li> <li class="pt1 pb1"><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/partners/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="partners" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Become a partner</a></li> </ul> </div> </div> </div> <div class="mw8 center ph3"> <div class="flex flex-row flex-wrap justify-center md:justify-between items-center pt4"> <div class="flex flex-row space-x-4 items-start w-25-l pb4 pb0-l"> <a target="_blank" rel="noreferrer" href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.facebook.com/Cloudflare/" class="w-8"><img class="w-8" src="https://www.cloudflare.com/img/footer/facebook.svg" alt="facebook"></a><a target=" _blank" rel="noreferrer" href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://x.com/Cloudflare" class="w-8"><img class="w-8" src="https://www.cloudflare.com/img/footer/twitter.svg" alt="X"></a><a target="_blank" rel="noreferrer" href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.linkedin.com/company/cloudflare" class="w-8"><img class="w-8" src="https://www.cloudflare.com/img/footer/linkedin.svg" alt="linkedin"></a><a target="_blank" rel="noreferrer" href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.youtube.com/cloudflare" class="w-8"><img class="w-8" src="https://www.cloudflare.com/img/footer/youtube.svg" alt="youtube"></a><a target="_blank" rel="noreferrer" href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.instagram.com/cloudflare" class="w-8"><img class="w-8" src="https://www.cloudflare.com/img/footer/instagram.svg" alt="instagram"></a> </div> <div class="w-70-l tr-l tl-ns"> <div> <span class="main-footer__copyright f1">© <!-- -->2025<!-- --> Cloudflare, Inc.<!-- --> </span><span class="main-footer__copyright f1">|</span><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/privacypolicy/" target="_blank" class="main-footer__copyright f1 no-underline underline-hover" rel="noreferrer"> <!-- -->Privacy Policy<!-- --> </a><span class="main-footer__copyright f1">|</span><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/website-terms/" target="_blank" class="main-footer__copyright f1 no-underline underline-hover" rel="noreferrer"> <!-- -->Terms of Use<!-- --> </a><span class="main-footer__copyright f1">|</span><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/disclosure/" target="_blank" class="main-footer__copyright f1 no-underline underline-hover" rel="noreferrer"> <!-- -->Report Security Issues<!-- --> </a><span class="main-footer__copyright f1">|</span><img class="mw2 ph1" src="/images/privacy-options.svg" alt="Privacy Options"><a href="https://blog-cloudflare-com.translate.goog/author/jesse/?_x_tr_sl=pl&_x_tr_tl=de&_x_tr_hl=en-GB#cookie-settings" id="ot-sdk-btn" class="ot-sdk-show-settings main-footer__copyright f1 no-underline underline-hover"><span class="brandGray5">Cookie Preferences</span> </a><span class="main-footer__copyright f1">|</span><a href="https://translate.google.com/website?sl=pl&tl=de&hl=en-GB&u=https://www.cloudflare.com/trademark/" target="_blank" class="main-footer__copyright f1 no-underline underline-hover" rel="noreferrer"> <!-- -->Trademark<!-- --> </a> </div> </div> </div> </div> </footer> <script defer src="https://static.cloudflareinsights.com/beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015" integrity="sha512-ZpsOmlRQV6y907TI0dKBHq9Md29nnaEIPlkf84rnaERnq6zvWvPUqr2ft8M1aS28oN72PdrCzSjY4U6VaAw1EQ==" data-cf-beacon="{"rayId":"9138da29efa9409e","version":"2025.1.0","serverTiming":{"name":{"cfExtPri":true,"cfL4":true,"cfSpeedBrain":true,"cfCacheStatus":true}},"token":"2bc156e5f250476cb274d269511ffb57","b":1}" crossorigin="anonymous"></script> <script>function gtElInit() {var lib = new google.translate.TranslateService();lib.translatePage('pl', 'de', function () {});}</script> <script src="https://translate.google.com/translate_a/element.js?cb=gtElInit&hl=en-GB&client=wt" type="text/javascript"></script> </body> </html>