How a 200-Feature Limit Took Down 20% of the Internet: The Cloudflare Outage Dissected

November 18, 2025. 11:20 AM UTC.

So there I was, mindlessly scrolling through Instagram reels at 2 AM (don't judge me, we all do it), when suddenly my feed got invaded. Not by another “Nadia or Wah shampy wah” meme, but by Cloudflare outage memes.

One meme. Two memes. Five memes. Eight memes. TEN MEMES.

That's when I knew—something BIG had broken on the internet.

You know that feeling when you see the same topic everywhere and your brain goes, "Okay, I NEED to know what happened"? Yeah, that's me. My curious nature is both a blessing and a curse. I can't just scroll past a trending topic without diving deep into the rabbit hole.

So naturally, at 2:30 AM, instead of sleeping like a normal person, I started my investigation. 

My first thought? "Wait, didn't AWS just have a massive outage on Diwali (October 22, 2025)? Is this some kind of cloud provider popularity contest? Are they competing for 'Who Can Break the Internet Better'?"

My Research Framework: The WWHW Method

Whenever I want to understand something complex, I follow a simple framework: WWHW

• Who's involved?

• What happened?

• How did it happen?

• Why did it happen?

Simple, right? So let's start from the beginning.

Google Search #1: "Who is Cloudflare?"

Okay, confession time: Before this outage, I had vaguely heard of Cloudflare but didn't really know what they did. I mean, I'd seen those "Checking your browser..." pages sometimes, but that was about it.

So I did what any self-respecting curious person does—I Googled it.

What is Cloudflare? (The Traffic Police of the Internet)

You know how we have traffic police on roads making sure everything runs smoothly? They stop drunk drivers, catch people jumping red lights, and generally keep chaos from breaking loose?

Cloudflare is basically that, but for the internet.

They're like the bouncer, bodyguard, and speed optimizer of the digital world, all rolled into one massive global network.

Here's what they do:

 Protection: They block bad actors trying to attack websites. DDoS attacks? Blocked. Malicious bots? Stopped. Hackers trying to break in? Not today, Satan.

Speed: They cache your website content across 300+ data centers worldwide. Someone in Tokyo accessing a website hosted in Virginia? Cloudflare serves it from Tokyo servers. Lightning fast.

Scalability: They handle massive traffic spikes so your website doesn't crash when it goes viral (or when you're running a flash sale and everyone wants that 70% discount).

The scale? Cloudflare handles approximately 81 million HTTP requests per second on average. That's not a typo. 81 MILLION. Every. Single. Second.

They power roughly 20% of all websites globally. Discord, Shopify, Canva, Patreon—if you've used the internet today, you've probably interacted with Cloudflare without even knowing it.

So when Cloudflare goes down, it's not just one website that breaks—it's basically a fifth of the internet that collectively decides to take a nap.

Google Search #2: "What are Bots?" (Because I Saw That Term Everywhere)

During my research, I kept seeing "Bot Management" mentioned. So I had to understand: What exactly is a bot?

Bots: The Good, The Bad, and The Ugly

Bots are basically software programs that do tasks on behalf of humans. Think of them as digital employees who work 24/7 without complaining, taking breaks, or asking for a raise.

But here's the thing—just like humans, bots can be good or bad.

The Good Bots (The Heroes We Need)

These are the bots that make the internet actually useful:

• Search engine crawlers (Googlebot, Bingbot): These guys crawl websites to index them for search results. Without them, Google would be useless.

• Monitoring bots: Checking if your website is up and running. The real MVPs when your site goes down at 3 AM.

• Your own API clients: Apps making legitimate requests to fetch data.

• Accessibility bots: Helping people with disabilities navigate websites.

• Social media preview bots: When you paste a link and get that nice preview card? That's a bot fetching the data.

The Bad Bots (The Villains of the Internet)

These are the troublemakers Cloudflare is fighting against:

• DDoS attack bots: Sending millions of fake requests to overwhelm and crash websites. Digital terrorists, basically.

• Scalper bots: Those jerks who buy all the concert tickets or PS5s in 0.5 seconds using automated scripts.

• Credential stuffing bots: Testing millions of stolen username/password combinations to hack accounts.

• Content scraper bots: Stealing your articles, images, and data without permission.

• Click fraud bots: Clicking on ads to drain your advertising budget (and making someone rich in the process).

• Spam bots: Flooding your contact forms with "CLICK HERE FOR CHEAP VIAGRA" messages.

The problem? Modern bad bots are getting really good at pretending to be humans. They mimic mouse movements, simulate realistic browsing patterns, and even solve CAPTCHAs (yes, seriously).

It's literally an arms race between bot creators and bot detectors. Every time Cloudflare gets better at catching bots, the bad guys level up their bots. Rinse and repeat.

Bot Management: The Detective Work

This is where Cloudflare's Bot Management system comes in. For every single request that passes through their network, they analyze dozens of signals:

• IP address reputation (Is this IP known for shady behavior?)

• Browser fingerprint (What fonts do you have installed? Screen resolution? WebGL capabilities?)

• Mouse movement patterns (Humans move erratically; bots move in straight lines)

• Keystroke dynamics (How fast do you type? What's the rhythm?)

• Request timing (Do you wait 0.000001 seconds between clicks? That's suspicious)

• Previous behavior history (Have we seen this pattern before?)

All of this gets fed into a machine learning model that spits out a score from 0-100:

• 0-29: Definitely a bot 

• 30-49: Probably a bot 

• 50-79: Probably human 

• 80-100: Definitely human 

Website owners then set rules like "Block anything scoring below 30" or "Show a CAPTCHA to anything below 50."

This scoring happens in MILLISECONDS for 81 million requests per second.

Mind. Blown. 

The Plot Thickens: My Late-Night Research Continues

At this point, it's 3 AM, I've had two cups of coffee, and I'm deep in technical blog posts. 

But I'm on a mission. I need to know: What actually broke?

The memes were hilarious, but they weren't telling me the technical details. Time to dig deeper.

Google Search #3: "Cloudflare November 2025 Outage Cause"

And that's when I found Cloudflare's official postmortem blog post.

And oh boy, was it a ride.

The outage was triggered by a bug in generation logic for a Bot Management feature file.

Wait, what? A "feature file"? What's that?

More Googling. More coffee. It's 3:30 AM now.

Configuration Files: The Invisible Controllers of the Internet

Okay, let me explain config files because this is crucial to understanding how everything went sideways.

What's a Configuration File?

Think of a config file as a instruction manual for your software. It's a text file that contains settings and rules telling your application how to behave.

Analogy time: Imagine you're setting up a new phone. You have settings like:

• Language: English

• Brightness: 70%

• Notifications: Enabled

• Do Not Disturb: 11 PM - 7 AM

A config file is exactly that, but for software systems.

Simple config file example:

server:

  port: 8080

  timeout: 30 seconds

  max_connections: 1000

security:

  enable_firewall: true

  bot_score_threshold: 30

  rate_limit: 100_requests_per_minute

features:

  - ip_reputation

  - browser_fingerprint

  - mouse_movement_analysis

  - keystroke_dynamics

Why use config files instead of hardcoding values?

• Change settings without recompiling the entire application

• Different configs for development, testing, and production

• Easy rollbacks if something breaks (just revert to the old config)

• Version control your settings (track who changed what and when)

In Cloudflare's case, they had a "feature file" that listed all the machine learning features used for bot scoring. This file would:

1. Get automatically generated every 5 minutes (to adapt to new bot attack patterns)

2. Get pushed to thousands of servers across 300+ data centers globally

3. Get loaded by the bot management module to score incoming traffic

Sounds great, right? Automatic updates to fight evolving threats?

Well, here's the problem nobody thought about:

Config files are treated as "data," not "code." So they usually skip all the rigorous testing that actual code goes through. No unit tests. No staging validation. No gradual rollout with monitoring.

They just get... deployed. To production. Globally. All at once.

What could possibly go wrong? 

The Day the Internet Stood Still

Alright, now that we understand all the pieces, let me walk you through exactly what happened on November 18, 2025.

Grab some popcorn. This is going to be wild.

11:05 AM UTC - The Innocent Change (Famous Last Words)

A database team at Cloudflare was doing some routine maintenance. They were improving security in their ClickHouse database by making access permissions more explicit.

Their intention: Better security, more fine-grained control, fewer security vulnerabilities.

Their thought process: "This is a small, safe change. Just making permissions more explicit. What could go wrong?"

The change was simple: Let users see metadata from underlying database tables they already had access to. Seems harmless, right?

Narrator voice: It was not harmless.

11:20 AM UTC - Everything Starts Burning 

Fifteen minutes after the database change, Cloudflare's monitoring systems start going haywire.

HTTP 500 errors start flooding in. Not just a few. Not hundreds. Millions per minute.

Users around the world start seeing this:

Error 500 - Internal Server Error

The server encountered an internal error and 

was unable to complete your request.

Services affected:

• ChatGPT (OpenAI)

• X/Twitter (Elon Musk probably had a meltdown)

• Discord (gamers worldwide in shambles)

• Shopify (e-commerce crying)

• Truth Social (even Trump's site went down, ironic)

• Canva (designers panicking)

• McDonald's self-service kiosks (YES, REALLY)

Someone actually posted a photo on Reddit of a McDonald's kiosk showing a Cloudflare error. You know it's bad when you can't even order a Big Mac.

What Was Actually Happening?

Remember that feature file I mentioned? The one that gets auto-generated every 5 minutes?

Well, that database permission change? It had an unintended side effect.

The SQL query generating the feature file looked like this:

SELECT name, type 

FROM system.columns 

WHERE table = 'http_requests_features'

ORDER BY name;

Do you see the problem?

IT DOESN'T FILTER BY DATABASE NAME. 

Before the permission change:

• Query only had access to default database

• Returned ~60 features

• File size: Normal 

After the permission change:

• Query could now see BOTH default database AND r0 database

• Returned ~60 features from default + ~60 features from r0

• Total: 120+ features (duplicates from both databases)

• File size: DOUBLED 

The query was basically saying "Give me all columns from the http_requests_features table" without specifying "...but only from the default database."

So when permissions changed and suddenly the query could see two databases, it happily returned data from BOTH.

Classic developer mistake: Making implicit assumptions instead of being explicit.

The fix would have been trivial:

SELECT name, type 

FROM system.columns 

WHERE table = 'http_requests_features'

  AND database = 'default'  -- ← THIS ONE LINE WOULD HAVE PREVENTED EVERYTHING

ORDER BY name;

One missing line. One missing AND clause.

That's all it took to break 20% of the internet.

Let that sink in. 

The Latent Bug Awakens

Now here's where it gets even more interesting (and terrifying).

The oversized feature file (120+ features instead of 60) gets propagated across Cloudflare's global network. Thousands of servers download the new config and try to load it.

And then... PANIC. (Literally.)

Deep in Cloudflare's Rust code, there was this innocent-looking limit:

const MAX_FEATURES: usize = 200;

When engineers wrote this code years ago, they thought:

• "We're currently using ~60 features"

• "Let's set the limit to 200 for a nice safety margin"

• "3x our current usage! We'll NEVER hit that limit!"

Narrator voice: They hit that limit.

Currently that limit is set to 200, well above our current use of ~60 features.

This is what we call a LATENT BUG 

A latent bug is code that's been sitting in production for YEARS, perfectly harmless, until specific conditions trigger it to explode like a landmine.

The limit was always there. The panic code was always there. It just never triggered... until November 18, 2025.

The Rust Panic

Here's what happened when the bot management module tried to load 120+ features:

const MAX_FEATURES: usize = 200;

// Preallocate memory for performance

let mut features = Vec::with_capacity(MAX_FEATURES);

for feature in feature_file.entries() {

    features.push(feature).unwrap(); //  BOOM

}

The software had a limit on the size of the feature file that was below its doubled size. That caused the software to fail.

That .unwrap() call is the culprit. In Rust, unwrap() means: "I'm 100% certain this won't fail. If it does, PANIC and crash the thread."

When the feature count exceeded capacity, push() failed, unwrap() panicked, the thread crashed, and every request handled by that thread returned HTTP 500.

The actual panic message:

thread 'fl2_worker_thread' panicked at 'called Result::unwrap() 

on an Err value: CapacityExceeded'

11:28 - 14:30 UTC: The Oscillating Nightmare (Or: Why Everyone Thought It Was an Attack)

Now here's where the story gets really interesting and showcases why debugging production issues is SO HARD.

The system would fail for 5 minutes, recover, fail again, recover, fail again...

Every five minutes there was a chance of either a good or a bad set of configuration files being generated and rapidly propagated across the network.

Engineers watching the monitoring dashboards were losing their minds. Errors would spike, then drop to normal, then spike again like clockwork every 5 minutes.

This is NOT how internal bugs behave. This is how DDoS attacks behave.

Why the oscillation?

The ClickHouse database cluster had multiple nodes. The permission change was rolling out gradually across the cluster:

At 11:25:

• Node 1:  Updated with new permissions → Query returns duplicates → BAD FILE

• Node 2:  Not updated yet → Query returns clean data → GOOD FILE

• Node 3:  Updated → BAD FILE

• Node 4: Not updated → GOOD FILE

Every 5 minutes, the feature file generation job runs. It hits a random ClickHouse node via load balancing.

Result:

• 11:20 - Hits Node 1 → Bad file → Internet breaks 

• 11:25 - Hits Node 2 → Good file → Internet recovers 

• 11:30 - Hits Node 3 → Bad file → Internet breaks 

• 11:35 - Hits Node 4 → Good file → Internet recovers 

• (Repeat)

Eventually, all nodes got updated, and the failure stabilized in the "everything is broken" state.

The Red Herrings That Made Everything Worse

Coincidence #1: The Status Page Went Down Too

At the exact same time Cloudflare's network started failing, their status page went down.

Plot twist: The status page is hosted completely outside Cloudflare on a third-party provider specifically to avoid this exact situation.

But to the incident response team frantically trying to fix things, it looked like:

• Our network is failing

• Our external status page is failing

• Conclusion: "We're under a coordinated attack!"

They wasted precious minutes investigating an attack that didn't exist.

Coincidence #2: It Looked Like a DDoS Attack

Cloudflare had recently defended against some of the largest DDoS attacks in history—7.3 Tbps attacks.

The oscillating failure pattern, the traffic spikes, the global impact—everything screamed "massive DDoS attack."

Internal incident chat (probably):

11:35 - Engineer 1: "Are we seeing Aisuru attack patterns?"

11:42 - Engineer 2: "Traffic profile matches recent 15 Tbps attack"

11:48 - Engineer 3: "Status page down too, definitely coordinated"

12:05 - Engineer 4: "Wait, attack hypothesis not matching data..."

12:33 - Engineer 5: "Back to internal causes. Something's wrong with our code."

13:15 - Engineer 6: "Found it! Bot Management feature file!"

14:30 UTC: The Fix (Finally!)

After 3 hours and 10 minutes of chaos, engineers finally:

1. Identified the root cause: Oversized feature file

2. Stopped automatic generation: No more new files being created

3. Manually deployed a known-good file: Reverted to the config from before 11:05

4. Force-restarted the core proxy: Fresh start with good config

Core traffic was largely flowing as normal by 14:30.

But it wasn't over yet. Services were coming back, but slowly. There was a massive backlog of failed requests, retry storms, and downstream systems struggling to catch up.

17:06 UTC: Full Recovery

After 5 hours and 46 minutes, everything was finally back to normal.

Total damage:

• Billions of failed requests

• Hundreds of millions of dollars in lost revenue (e-commerce, SaaS, advertising)

• Countless productivity hours lost

• Infinite memes created 

What This Teaches Us (The Real Lessons)

Alright, let me put on my serious hat for a moment. (It's 5 AM now, and I've had way too much coffee, but these lessons are important.)

Lesson 1: One Missing SQL Clause Can Break Everything

That SQL query was missing ONE clause: AND database = 'default'

That's it. That's literally all it took.

Moral of the story: Always be explicit in your queries. Never rely on implicit behavior.

-- BAD: Assumes only one database is visible

SELECT * FROM users WHERE active = true;

-- GOOD: Explicit about everything

SELECT id, name, email 

FROM production.users 

WHERE active = true 

  AND deleted_at IS NULL

  AND database = 'production'

LIMIT 1000;

Lesson 2: Hardcoded Limits Are Time Bombs

The limit is set to 200, well above our current use of ~60 features.

A 3x safety margin felt safe. Until it wasn't.

Pro tip: If you have hardcoded limits in your code, they WILL bite you eventually.

Better approach:

• Make limits configurable

• Add monitoring and alerts when approaching limits

• Fail gracefully instead of panicking

// BAD: Hardcoded limit that panics

const MAX_FEATURES: usize = 200;

features.push(feature).unwrap();

// GOOD: Configurable limit with graceful degradation

let max_features = config.get("max_features").unwrap_or(500);

if features.len() < max_features {

    features.push(feature);

} else {

    log::warn!("Feature limit reached, truncating");

}

Lesson 3: Config Files Need Testing Too

Config files are code. They affect behavior. But we don't test them like code.

What Cloudflare should have had:

def validate_feature_file(file):

    """Validate feature file before deployment"""    

    # Size check

    if file.size > MAX_EXPECTED_SIZE:

        alert("Feature file size anomaly!")

        return False

    # Feature count check

    if file.num_features > MAX_FEATURES:

        alert("Too many features!")

        return False

    # Duplicate check

    if has_duplicates(file.features):

        alert("Duplicate features detected!")

        return False

    return True

Lesson 4: Gradual Rollouts Save Lives (and Websites)

Cloudflare pushed the config file to 100% of servers globally in minutes.

Bad idea.

Better idea: Canary deployment

stages = [1%, 5%, 25%, 50%, 100%]

for percentage in stages:

    deploy_to_percentage(percentage)

    wait(5_minutes)

    if error_rate_increased():

        rollback()

        alert("Config caused errors!")

        return

Lesson 5: The Internet is Fragile (And That's Okay?)

This incident shows how reliant some very important Internet based services are on a relatively few major players.

The three pillars holding up the internet:

• AWS (compute/hosting)

• Cloudflare (CDN/security)

• Microsoft Azure (enterprise)

When one falls, millions of sites go dark.

But here's the thing: We centralize because it works.

Small companies can't afford to:

• Run 300+ global data centers

• Defend against 15 Tbps DDoS attacks

• Hire 24/7 security teams

• Achieve 99.99% uptime

So we rely on specialists. And sometimes, those specialists have a bad day.

Is that acceptable? I don't know. But it's the reality we live in.

The Human Side: What Cloudflare Did Right

Despite the severity, Cloudflare's response was actually exemplary.

CEO Matthew Prince said: "That there was a period of time where our network was not able to route traffic is deeply painful to every member of our team. We know we let you down today."

Within hours, they published:

• Complete technical postmortem

• Actual code snippets showing the bug

• Timeline of events

• Specific action items for prevention

Compare this to companies that:

• Issue vague "we experienced technical difficulties" statements

• Blame "third-party providers" without details

• Never publish root cause analysis

Transparency builds trust. Even after a massive failure.

Conclusion: It's 6 AM and I've Learned Too Much

So here we are. It's 6 AM. I started this research journey at 2 AM after seeing memes on Instagram.

I've consumed an unhealthy amount of coffee. But I've learned something profound:

The internet doesn't break because of sophisticated cyber attacks.

It breaks because a SQL query forgot to add AND database = 'default'.

One missing clause. That's all it took.

And somewhere in YOUR codebase, right now, there's probably a latent bug waiting for the perfect conditions to wake up and cause chaos.

So here's my challenge to you:

Go search your codebase for:

• Hardcoded limits (MAX_, LIMIT_, etc.)

• SQL queries without explicit filters

• .unwrap() or panic! in critical paths

• Config files that aren't validated

Found something scary? Good. Fix it before it becomes a meme. 

P.S. If you made it this far, congrats! You now know more about the Cloudflare outage than 99% of people who saw the memes.

P.P.S. I really need to sleep now. But first, let me check if there are any new memes...

What's your take? Have you ever had a "simple config change" turn into a disaster? Drop your war stories on reddit and tag Enqurious

And if you're interested, let me know what outage you want me to dissect next. The CrowdStrike one from July 2024 is calling my name...