Route leak incident on January 22, 2026
Authors: Bryton Herdes and Tom Strickx
Summary
On January 22, 2026, Cloudflare accidentally triggered a Border Gateway Protocol (BGP) route leak lasting 25 minutes from its Miami data center. The misconfiguration affected IPv6 traffic exclusively, causing network congestion, elevated packet loss, and higher latency for some customers. External networks were also impacted as their traffic was inadvertently routed through Cloudflare’s Miami location.
BGP Route Leaks Explained
A route leak occurs when a network advertises traffic it shouldn’t handle. The incident violated “valley-free routing” principles by redistributing peer-received routes to other peers and upstream providers. According to RFC7908 classifications, this represented a combination of Type 3 and Type 4 route leaks. The misconfiguration caused Cloudflare (AS13335) to advertise Meta’s prefixes (AS32934) to Lumen transit providers (AS3356), violating proper BGP hierarchy.
Incident Timeline
| Time (UTC) | Event |
|---|---|
| 2026-01-22 19:52 | Configuration change merged in network automation repository |
| 2026-01-22 20:25 | Automation deployed to Miami router; unintended BGP advertisements begin |
| 2026-01-22 20:40 | Network team begins investigating anomalous route advertisements |
| 2026-01-22 20:44 | Incident formally raised for coordinated response |
| 2026-01-22 20:50 | Bad configuration manually reverted; automation paused |
| 2026-01-22 21:47 | Triggering code change reverted from repository |
| 2026-01-22 22:07 | Automation confirmed operational without routing policy bug |
| 2026-01-22 22:40 | Automation resumed on Miami router |
Root Cause Analysis
The incident stemmed from removing BGP announcements for Bogotá infrastructure that no longer required Miami routing. This deletion created an overly permissive policy matching “internal” route types — which includes Internal BGP routes — causing all IPv6 backbone prefixes to be advertised externally.
As described: “The policy would now mark every prefix of type ‘internal’ as acceptable, and proceed to add some informative communities to all matching prefixes. But more importantly, the policy also accepted the route through the policy filter, which resulted in the prefix — which was intended to be ‘internal’ — being advertised externally.”
The JunOS operating system’s “route-type internal” parameter matches non-external routes, triggering unexpected redistribution to peers and providers.
Impact
The leaked announcements caused backbone congestion between Miami and Atlanta. At peak, approximately 12 gigabits per second of traffic was discarded by firewall filters designed to accept only Cloudflare and customer traffic. This resulted in packet loss and latency increases for affected customer traffic, plus disruption to external networks whose prefixes were leaked.
Remediation and Prevention Measures
Immediate Actions:
- Patched automation failure causing the misconfiguration
- Implemented BGP community-based safeguards explicitly rejecting provider/peer-sourced routes on export policies
- Integrated routing policy evaluation into CI/CD pipelines detecting empty or erroneous terms
- Enhanced early detection mechanisms for configuration issues
Long-term Improvements:
- Validating RFC9234 (BGP roles and Only-to-Customer Attribute) vendor implementations before rollout
- Promoting RPKI Autonomous System Provider Authorization (ASPA) adoption for automatic anomalous path rejection
Cloudflare expressed sincere apologies to affected customers and external networks, reaffirming commitment to routing security through IETF and MANRS infrastructure initiatives.