Route leak incident on January 22, 2026

Route leak incident on January 22, 2026

Authors: Bryton Herdes and Tom Strickx

Summary

On January 22, 2026, Cloudflare accidentally triggered a Border Gateway Protocol (BGP) route leak lasting 25 minutes from its Miami data center. The misconfiguration affected IPv6 traffic exclusively, causing network congestion, elevated packet loss, and higher latency for some customers. External networks were also impacted as their traffic was inadvertently routed through Cloudflare’s Miami location.

BGP Route Leaks Explained

A route leak occurs when a network advertises traffic it shouldn’t handle. The incident violated “valley-free routing” principles by redistributing peer-received routes to other peers and upstream providers. According to RFC7908 classifications, this represented a combination of Type 3 and Type 4 route leaks. The misconfiguration caused Cloudflare (AS13335) to advertise Meta’s prefixes (AS32934) to Lumen transit providers (AS3356), violating proper BGP hierarchy.

Incident Timeline

Time (UTC)Event
2026-01-22 19:52Configuration change merged in network automation repository
2026-01-22 20:25Automation deployed to Miami router; unintended BGP advertisements begin
2026-01-22 20:40Network team begins investigating anomalous route advertisements
2026-01-22 20:44Incident formally raised for coordinated response
2026-01-22 20:50Bad configuration manually reverted; automation paused
2026-01-22 21:47Triggering code change reverted from repository
2026-01-22 22:07Automation confirmed operational without routing policy bug
2026-01-22 22:40Automation resumed on Miami router

Root Cause Analysis

The incident stemmed from removing BGP announcements for Bogotá infrastructure that no longer required Miami routing. This deletion created an overly permissive policy matching “internal” route types — which includes Internal BGP routes — causing all IPv6 backbone prefixes to be advertised externally.

As described: “The policy would now mark every prefix of type ‘internal’ as acceptable, and proceed to add some informative communities to all matching prefixes. But more importantly, the policy also accepted the route through the policy filter, which resulted in the prefix — which was intended to be ‘internal’ — being advertised externally.”

The JunOS operating system’s “route-type internal” parameter matches non-external routes, triggering unexpected redistribution to peers and providers.

Impact

The leaked announcements caused backbone congestion between Miami and Atlanta. At peak, approximately 12 gigabits per second of traffic was discarded by firewall filters designed to accept only Cloudflare and customer traffic. This resulted in packet loss and latency increases for affected customer traffic, plus disruption to external networks whose prefixes were leaked.

Remediation and Prevention Measures

Immediate Actions:

  • Patched automation failure causing the misconfiguration
  • Implemented BGP community-based safeguards explicitly rejecting provider/peer-sourced routes on export policies
  • Integrated routing policy evaluation into CI/CD pipelines detecting empty or erroneous terms
  • Enhanced early detection mechanisms for configuration issues

Long-term Improvements:

  • Validating RFC9234 (BGP roles and Only-to-Customer Attribute) vendor implementations before rollout
  • Promoting RPKI Autonomous System Provider Authorization (ASPA) adoption for automatic anomalous path rejection

Cloudflare expressed sincere apologies to affected customers and external networks, reaffirming commitment to routing security through IETF and MANRS infrastructure initiatives.