Cloudflare Outage Was Triggered by Internal Configuration Failure

Cloudflare experienced a worldwide outage on November 18 after a routine database permissions change unexpectedly cascaded through its routing infrastructure. The event escalated into a sustained disruption, initially prompting suspicion of a major external attack.

But the company has confirmed that an internal configuration issue caused the outage and triggered failures across its global network, according to an article by Simon Sharwood of The Register.

The incident centered on Cloudflare’s database-driven feature file, which is used by its Bot Management system.

The file catalogs malicious bot behavior and is regenerated every few minutes from a ClickHouse cluster. During a permission update intended to broaden access to underlying data, an erroneous query produced extra output, doubling the size of the generated file.

Once the file exceeded the established limits, dependent services began malfunctioning in unpredictable cycles.

According to Cloudflare, the flawed query produced incorrect data only for updated nodes, meaning each five-minute regeneration cycle had a chance of distributing either a valid or an invalid configuration. This created alternating periods of recovery and collapse as conflicting versions propagated throughout the network.

As more nodes adopted the defective configuration, the system eventually settled into a persistent failing state, triggering widespread outages.

Cloudflare identified the source of the corruption, halted further propagation, and inserted a known-good configuration. Then it restarted its core proxy to restore stable operations. The company acknowledged that downstream systems dependent on the proxy encountered additional issues as recovery progressed.

Lawyers evaluating incident-related exposures should review liability contracts, assess evidence of financial issues arising from the outage, and consider operative exclusions and damage caps. Focus on disclosure timing and impacts on service-level commitments.