Pull to refresh
Logo
Daily Brief
Following Why Ranks Sign Up
Internet concentration risk

Internet concentration risk

Built World

How a Handful of Companies Became Single Points of Failure for the Global Web

February 16th, 2026: Cloudflare Routing Error Triggers Cascading Internet Outage

Overview

On February 16, 2026, a single misconfigured routing update at Cloudflare's Ashburn, Virginia data center cascaded across the internet, taking down X for three hours, degrading Amazon Web Services' largest region, and disrupting thousands of websites globally. The error took 40 minutes to identify but four hours to fully resolve because corrupted routing tables had already spread to upstream providers worldwide.

The outage exposed a structural vulnerability that has been building for two decades: a small number of companies now control the pipes through which most internet traffic flows. Cloudflare handles roughly 20% of global web requests. AWS commands 31% of cloud infrastructure. When these giants fail, the effects are not localized—they are systemic. The Cybersecurity and Infrastructure Security Agency is now reviewing the incident, and policymakers on both sides of the Atlantic are debating whether these providers should be regulated as critical infrastructure.

Play on this story Voices Debate Who Said What? Predict

Key Indicators

20%
Global Web Traffic via Cloudflare
Cloudflare processes roughly one-fifth of all internet requests worldwide
31%
AWS Cloud Market Share
Amazon Web Services leads cloud infrastructure, with US-East-1 as its largest and oldest region
43,000
Peak User Reports During X Outage
Downdetector reports during the February 16, 2026 incident
~4 hours
Outage Duration
Time required to coordinate with upstream providers and flush corrupted routing caches

Voices

Curated perspectives — historical figures and your fellow readers.

Ever wondered what historical figures would say about today's headlines?

Sign up to generate historical perspectives on this story.

Log in Sign Up

Play

Exploring all sides of a story is often best achieved with Play.

Log in to play. Track your picks, climb the leaderboards. Log in Sign Up
Predict 4 ways this could play out. Contrarian picks score more — points lock when the scenario resolves. Log in to play
Timeline Five events from this story — drag them oldest to newest. Log in to play
Connections Sixteen names from the news. Find the four hidden groups of four. Log in to play

People Involved

Matthew Prince
Matthew Prince
Leading post-incident response and policy discussions
 Jennifer Rexford
Jennifer Rexford
Expert commentator on internet architecture
 Mark Warner
Mark Warner
Calling for regulatory review of cloud concentration

Organizations Involved

Cloudflare, Inc.
Cloudflare, Inc.
Internet Infrastructure Company
Origin point of February 2026 cascading outage

Content delivery network and web security company that processes approximately 20% of all global internet traffic.
Amazon Web Services (AWS)
Amazon Web Services (AWS)
Cloud Infrastructure Provider
US-East-1 region affected by February 2026 cascade

The world's largest cloud computing provider, commanding approximately 31% of global cloud infrastructure market share.
X (formerly Twitter)
X (formerly Twitter)
Social media and technology company
Experienced three-hour outage during February 2026 incident

Social media platform with hundreds of millions of users, owned by Elon Musk since 2022.
Cybersecurity and Infrastructure Security Agency (CISA)
Cybersecurity and Infrastructure Security Agency (CISA)
Federal Agency
Reviewing February 2026 incident as critical infrastructure matter

United States federal agency responsible for cybersecurity and critical infrastructure protection.

Timeline

February 2008 February 2026

8 events Latest: February 16th, 2026 · 3 months ago
Tap a bar to jump to that date

  1. Cloudflare Routing Error Triggers Cascading Internet Outage

    Latest Cascading Failure

    A routine configuration update at Cloudflare's Ashburn data center introduced a BGP routing error that cascaded to upstream providers. X went down for three hours, AWS US-East-1 experienced degradation, and thousands of websites globally were affected. Recovery required coordinating with over a dozen upstream providers to flush corrupted routing caches.

  2. Cloudflare Bot Management Bug Causes Global Outage

    Infrastructure Failure

    A database permissions change caused Cloudflare's Bot Management system to generate an oversized feature file, exceeding the core proxy's hard-coded limit. X, ChatGPT, Spotify, and thousands of sites went offline for over two hours.

  3. AWS US-East-1 Suffers 14-Hour Outage

    Infrastructure Failure

    DynamoDB API DNS resolution issues cascaded to affect 140 AWS services and global features dependent on US-East-1 endpoints. The outage lasted over 14 hours and affected Slack, Atlassian, Snapchat, and numerous other services.

  4. Traffic Surge Through Cloudflare Disrupts AWS Connectivity

    Cascading Failure

    Insufficient congestion management during an unusual traffic surge from a single customer caused connectivity issues for AWS services accessed through Cloudflare.

  5. Facebook Disappears from Internet for Six Hours

    Infrastructure Failure

    A maintenance command inadvertently disconnected Facebook's backbone network, withdrawing all BGP routes and making Facebook, Instagram, WhatsApp, and Messenger completely unreachable globally for six hours.

  6. Fastly CDN Outage Takes Down Major Websites

    Infrastructure Failure

    A customer configuration change triggered a dormant bug in Fastly's edge network, causing 85% of their infrastructure to fail. Reddit, Amazon, the New York Times, and UK government sites went offline for about an hour.

  7. Mistyped Command Causes Major AWS S3 Outage

    Infrastructure Failure

    A debugging command with a typo took down Amazon S3 in US-East-1, causing widespread internet disruption and hundreds of millions of dollars in losses. The incident remains one of the most cited examples of cloud concentration risk.

  8. Pakistan Accidentally Takes Down YouTube Globally

    Historical Incident

    Pakistan Telecom's attempt to block YouTube domestically propagated via BGP to global networks, taking down YouTube worldwide for about two hours. The incident demonstrated how BGP trust assumptions could allow local routing changes to cascade globally.

Historical Context

3 moments from history that rhyme with this story — and how they unfolded.

February 2008

Pakistan YouTube Hijacking (2008)

Pakistan Telecom attempted to block YouTube domestically by advertising false BGP routes. Its upstream provider PCCW Global propagated these routes globally, causing YouTube traffic worldwide to be misdirected to Pakistan. YouTube was unreachable for approximately two hours until the erroneous routes were withdrawn.

Then

YouTube traffic gradually recovered over two hours as correct routes propagated. The incident prompted calls for BGP security improvements.

Now

The incident became a foundational case study for internet routing vulnerabilities. It accelerated work on Resource Public Key Infrastructure (RPKI), though adoption has remained incomplete nearly two decades later.

Why this matters now

The 2008 incident demonstrated that BGP's trust-based architecture makes the entire internet vulnerable to local misconfigurations. The February 2026 Cloudflare outage shows this fundamental vulnerability persists, now amplified by traffic concentration through a handful of major providers.

June 2021

Fastly CDN Outage (2021)

A customer pushed a valid configuration change that triggered a dormant bug in Fastly's edge network, causing 85% of their infrastructure to return errors. The New York Times, Reddit, Amazon, the UK government portal, and numerous other major sites went offline simultaneously for approximately one hour.

Then

Fastly engineers identified and disabled the problematic configuration within 50 minutes. Services recovered rapidly once the fix propagated.

Now

The incident intensified scrutiny of CDN concentration and prompted some enterprises to implement multi-CDN strategies, though the additional complexity and cost limited widespread adoption.

Why this matters now

Like the February 2026 Cloudflare incident, a single configuration change brought down a significant portion of the internet. Both cases illustrate how the efficiency gains of centralized infrastructure create systemic fragility.

October 2021

Facebook BGP Withdrawal (2021)

During routine maintenance, a command intended to assess Facebook's backbone capacity accidentally disconnected all backbone routers. A bug in an audit tool failed to stop the command. Facebook's BGP routes were withdrawn, making Facebook, Instagram, WhatsApp, and Messenger completely unreachable for six hours worldwide.

Then

Recovery required physical access to data centers because remote management tools were also offline. The company's badge systems failed, reportedly delaying technician access.

Now

Facebook implemented additional safeguards against backbone-level failures and improved audit tool reliability. The incident demonstrated how dependent billions of users had become on a single company's infrastructure.

Why this matters now

The Facebook outage showed how a single company's internal error could affect billions of users simultaneously. The February 2026 Cloudflare incident extends this pattern: now infrastructure companies that other services depend on can cascade failures even to services that don't directly use their products.

Sources

(10)
+4
WebProNews Tom's Guide Tom's Hardware Cloudflare Blog Engineering at Meta Fastly Blog ThousandEyes DemandSage Kentik Blog Holori