On November 18, 2025, ChatGPT went down. So did Spotify. So did a significant chunk of the websites you probably use without thinking about them. The outage lasted nearly six hours, and the cause wasn't a cyberattack or a fiber cut or a failed data center. It was a single oversized configuration file — a file for a bot management feature — that crashed proxy servers globally across one company's network.1
That company was Cloudflare. And the fact that one company's configuration file could take down ChatGPT and Spotify at the same time tells you something important about how the internet actually works.
One company, twenty percent of the internet
Cloudflare is not a household name, but it is, in a very literal sense, everywhere. The company currently manages roughly 20 percent of all global internet traffic, protects over 41 million websites, and operates the largest managed DNS service in the world, with data centers in 337 cities across more than 100 countries.2
To understand what that actually means, it helps to understand what Cloudflare is doing for all those websites. When you type a URL into your browser, your request doesn't go directly to the website's server. It goes to Cloudflare first. Cloudflare checks the request, decides whether it looks legitimate, serves a cached version of the page if it has one, and only forwards the request to the actual origin server if it passes. From the website's perspective, the world sends requests to Cloudflare, and Cloudflare sends them on. From the attacker's perspective, the same is true. To attack a website sitting behind Cloudflare, you have to attack Cloudflare.
Think of it like a building that has replaced its own front door with a service desk staffed by someone whose entire job is to decide who gets in. Most visitors walk up, check in normally, and get waved through without noticing any delay. A few are turned away. And occasionally, someone shows up with a battering ram — except the service desk is made of something the battering ram can't touch, because it was designed specifically to absorb battering rams.
That service desk is what the internet's entire threat defense increasingly runs through. Which is exactly why a bad configuration file there makes ChatGPT disappear.
What a DDoS attack actually is
A DDoS attack, distributed denial of service, is the digital equivalent of filling a road with so many cars that nobody can actually drive on it. The goal isn't to break anything. It's to overwhelm — to flood a target with so much fake traffic, from so many sources at once, that it can't separate real visitors from noise, and falls over trying to keep up.3
The "distributed" part matters. A single computer can only send so much traffic. But a botnet — a network of thousands or millions of devices that have been quietly compromised without their owners knowing, and can be commanded all at once — can send an enormous amount. The compromised devices can be anything: home routers, smart TVs, security cameras, servers. Their owners have no idea. At some point, someone sends a command, and all of them start flooding the same target simultaneously.
In May 2025, Cloudflare blocked what was at that point the largest DDoS attack ever recorded: 7.3 terabits per second of traffic aimed at a single target.4 To put that in context: Cloudflare's total network capacity is 500 terabits per second. The largest attack ever recorded used up about 1.5 percent of what they keep available on standby, at all times, specifically for this purpose.
The attack wasn't unusual in kind, just in size. Cloudflare blocks an average of 209 billion cyberthreats per day.5 The 7.3 terabit attack was a record for scale, not for type.
How the defense actually works, and why no human is pressing a button
Here's the part that I find genuinely interesting, because it sounds like it shouldn't be possible at the speed required.
If an attack peaks at 17 million requests per second — which Cloudflare has also absorbed — there is no version of this where a security engineer sees a dashboard spike and manually intervenes in time. By the time a human noticed, the attack would have been ongoing for seconds or minutes, and the damage would already be done. The system has to decide, on its own, in real time, whether each request is legitimate or part of an attack.
Cloudflare's defense layer watches every packet flowing through its network. When it detects traffic that matches an attack pattern — wrong protocol, unusual rate, suspicious source distribution — it builds a fingerprint of what the attack looks like and compiles a filtering rule specific to that fingerprint. That rule starts dropping matching packets automatically. And once the attack stops, the rule expires and deletes itself. The system writes its own temporary code, runs it, and cleans up after itself, without anyone pressing a button.6
The reason this can happen at all is the same reason Cloudflare's configuration file outage was so impactful: every one of Cloudflare's servers runs this logic independently, not as a centralized system waiting for instructions from headquarters. Each server detects threats locally, shares what it's seeing with nearby servers, and acts on what it observes, which means the defense scales automatically to wherever the attack is heaviest, and there's no single location you could disable to turn it off.
This is the architectural tradeoff that gives Cloudflare both its power and its fragility. A distributed system with no central point of failure is very hard to take down deliberately. It is also very sensitive to a bad configuration file, because that file propagates everywhere, across every server, before anyone realizes something is wrong.
What the November outage actually tells you
The 2025 outages are worth recognizing, because they illustrate something that doesn't come up often enough in conversations about internet infrastructure.
The internet's resilience is real. Redundancy, failover systems, distributed architecture... these things work, and they protect against most of what goes wrong. But the same architecture that makes Cloudflare resistant to external attacks makes it extremely efficient at propagating its own mistakes. A bad configuration that touches every server simultaneously is, in some ways, a harder problem than a DDoS attack, because a DDoS comes from outside and can be fingerprinted and blocked. A bad configuration is inside the system already, doing exactly what it was told.
The November outage was caused by a configuration file that was too large. Not a malicious hack; just a file that was bigger than the proxy servers were built to handle, deployed across a global network before anyone caught it, taking down services used by hundreds of millions of people for six hours.
That's the honest picture of what it means for one company to sit between the internet and 20 percent of its traffic. The protection is real, the scale is wildy impressive, and the consequences of getting something wrong are proportional to exactly how much of the world runs through your network.
Why this matters beyond the technical details
There's a version of this post that just recites impressive numbers about attack sizes and makes Cloudflare sound invincible. That version would be missing the point.
The more interesting thing is what Cloudflare's existence tells us about how the internet has evolved. The original vision of the internet was decentralized: no single point of failure, no central authority, traffic routed freely around damage. What's actually emerged, over decades of organic growth and practical tradeoffs, is something more complicated: a network that is still technically decentralized at the infrastructure level, but runs increasingly through a small number of companies whose architecture, configuration decisions, and uptime directly determine whether most of the internet is working on any given day.
Cloudflare didn't plan to become a load-bearing wall for 20 percent of global internet traffic. It became one because it was genuinely good at what it did, and because the economics of internet infrastructure reward centralization. One company doing security well at scale is cheaper for everyone than every website doing it separately.
The tradeoff is that one company's bad day is now, occasionally, everyone's bad day. That's not a reason to be alarmed. It's just a reason to understand what's actually holding the internet up.
Footnotes
1 On the November 2025 Cloudflare outage caused by an oversized bot management configuration file, which impacted ChatGPT, Spotify, and other major services for nearly six hours. DemandSage: Cloudflare Statistics 2026
2 On Cloudflare's global network footprint, traffic share, and DNS market position. SQ Magazine: Cloudflare Statistics 2026
3 On how DDoS attacks work and the role of botnets in amplifying attack volume. Cloudflare Docs: How DDoS Protection Works
4 On the May 2025 record-breaking 7.3 Tbps DDoS attack and Cloudflare's network capacity context. Cloudflare Blog: Defending the Internet
5 On Cloudflare's daily threat mitigation volume. IP With Ease: Cloudflare DDoS Protection
6 On Cloudflare's autonomous fingerprinting and self-expiring mitigation rules. Cloudflare Blog: Defending the Internet
Top comments (0)