Incident Report: Feb 18-21 DDoS + Cloudflare Outage

Incident Report: Feb 18-21 DDoS + Cloudflare Outage

Overview

Railway experienced a multi-day incident combining DDoS attacks with upstream infrastructure failures. The incident spanned February 18-21, 2026, affecting customer workload availability across all regions.

Root Causes

The incident resulted from a confluence of factors:

  1. Reduced Network Capacity: A fiber cut between EU and US-East on February 16th degraded upstream bandwidth, weakening Railway’s ability to absorb hostile traffic that would normally be manageable.

  2. Escalating Attack Waves: Nine distinct DDoS attacks occurred across four days, evolving from L4 TCP floods to L7 HTTP attacks, requiring adaptive mitigation strategies.

  3. Primary Vendor Failure: During Attack 6 on February 19th, Railway’s upstream DDoS mitigation vendor experienced a product outage “at the exact moment we needed countermeasures engaged,” forcing an emergency pivot to Fastly.

  4. Shared Infrastructure Vulnerability: “When hostile traffic overwhelms a proxy, every workload on that proxy is affected, even if a customer has their own WAF vendor in front of their workload.”

Customer Impact

  • Intermittent 4xx and 5xx errors for HTTP proxied workloads
  • Complete service unreachability during peak attack windows
  • Approximately 2,700 active endpoints experienced SSL certificate errors during WAF migration
  • HTTP requests exceeding 10 seconds were prematurely terminated due to configuration issues
  • Legitimate Asia traffic was briefly blocked due to WAF tuning

Additionally, on February 20th, Cloudflare experienced an incident in which Railway’s BGP IP prefixes were removed from Cloudflare, creating a compounding failure where customers who had weathered the DDoS attacks were then hit with an entirely separate upstream networking outage. A few minutes after discovering the issue, the team found their prefix was labeled as Withdrawn on the Cloudflare dashboard, and immediately triggered a re-announcement via the dashboard, which fixed the issue within a minute.

Key Remediation Actions

  • Deployed Fastly WAF globally for all customers
  • Isolated Business Class and Enterprise customers to dedicated proxy infrastructure
  • Restored upstream network capacity after fiber cut recovery
  • Enhanced SSL provisioning pipeline for non-standard domain configurations
  • Improved monitoring for bandwidth degradation and DDoS risk correlation