Incident Report: Feb 18-21 DDoS + Cloudflare Outage
Overview
Railway experienced a multi-day incident combining DDoS attacks with upstream infrastructure failures. The incident spanned February 18-21, 2026, affecting customer workload availability across all regions.
Root Causes
The incident resulted from a confluence of factors:
-
Reduced Network Capacity: A fiber cut between EU and US-East on February 16th degraded upstream bandwidth, weakening Railway’s ability to absorb hostile traffic that would normally be manageable.
-
Escalating Attack Waves: Nine distinct DDoS attacks occurred across four days, evolving from L4 TCP floods to L7 HTTP attacks, requiring adaptive mitigation strategies.
-
Primary Vendor Failure: During Attack 6 on February 19th, Railway’s upstream DDoS mitigation vendor experienced a product outage “at the exact moment we needed countermeasures engaged,” forcing an emergency pivot to Fastly.
-
Shared Infrastructure Vulnerability: “When hostile traffic overwhelms a proxy, every workload on that proxy is affected, even if a customer has their own WAF vendor in front of their workload.”
Customer Impact
- Intermittent 4xx and 5xx errors for HTTP proxied workloads
- Complete service unreachability during peak attack windows
- Approximately 2,700 active endpoints experienced SSL certificate errors during WAF migration
- HTTP requests exceeding 10 seconds were prematurely terminated due to configuration issues
- Legitimate Asia traffic was briefly blocked due to WAF tuning
Additionally, on February 20th, Cloudflare experienced an incident in which Railway’s BGP IP prefixes were removed from Cloudflare, creating a compounding failure where customers who had weathered the DDoS attacks were then hit with an entirely separate upstream networking outage. A few minutes after discovering the issue, the team found their prefix was labeled as Withdrawn on the Cloudflare dashboard, and immediately triggered a re-announcement via the dashboard, which fixed the issue within a minute.
Key Remediation Actions
- Deployed Fastly WAF globally for all customers
- Isolated Business Class and Enterprise customers to dedicated proxy infrastructure
- Restored upstream network capacity after fiber cut recovery
- Enhanced SSL provisioning pipeline for non-standard domain configurations
- Improved monitoring for bandwidth degradation and DDoS risk correlation