CONCEPT Cited by 1 source
Traffic anomaly
A traffic anomaly is a machine-detected deviation of an observation's current volume or shape from the baseline expected for that observation. In the Internet-disruption context, "the observation" is typically per-country / per-AS / per-region HTTP + DNS traffic as seen by a reverse proxy's edge, and "the baseline" is the prior-week or prior-day recurring pattern at the same time-of-day.
Unlike a confirmed outage — which is anchored to a known cause (political shutdown, cable cut, grid collapse) — a traffic anomaly is cause-unknown until attribution arrives. The anomaly feed therefore contains many events that never get causally attributed or never turn into confirmed outages.
Where the term is used at Cloudflare Radar scale
The Cloudflare Radar Outage Center splits its surface into two tiers:
- Confirmed outages — events with attributed cause, affected country / region / AS, start + end timestamps, and links to operator / regulator communications.
- Traffic anomalies feed — machine-detected deviations at radar.cloudflare.com/outage-center#traffic-anomalies that may or may not correspond to real disruptions. Many are quickly explained (regional holidays, big-event livestream saturation, ISP internal re-peering); some are true outages not yet attributed; some are false positives.
Cloudflare's quarterly review is explicit about the relationship: "This post is intended as a summary overview of observed and confirmed disruptions and is not an exhaustive or complete list of issues that have occurred during the quarter. A larger list of detected traffic anomalies is available in the Cloudflare Radar Outage Center."
What separates a traffic anomaly from an outage
The observational signal is similar — traffic drops below the baseline band — but the semantics differ:
| Property | Traffic anomaly | Confirmed outage |
|---|---|---|
| Attribution | Unknown | Known (operator, regulator, event) |
| Publication | Auto-feed, unfiltered | Blog post + Outage Center entry |
| Editorial curation | None | Cloudflare Radar team |
| Suitable for citation | Limited (no context) | Yes (linkable, attributable) |
| Volume per week | High (dozens–hundreds) | Low (handful) |
Traffic anomalies are the raw signal; confirmed outages are the curated layer on top that attributes them to a narrative cause.
Why publishing unattributed anomalies is valuable
Shipping raw anomalies — even when they might be false positives — has several effects:
- Crowdsourced attribution — external researchers, journalists, and operators can often attribute anomalies faster than the observatory team, especially when the cause is local (a single ISP's internal maintenance, a specific government action reported in local media).
- Faster response — some outages correspond to active incidents where affected parties need to confirm the scope immediately; shipping the anomaly as soon as it's detected beats waiting for curation.
- Corpus / trend analysis — anomaly feeds can be aggregated across quarters to compute baselines-of-baselines (e.g., "is the rate of unattributed anomalies in country X rising?"), providing second-order signals.
Thresholds and false positive rate
The observability team has to tune:
- Deviation magnitude — small traffic dips happen constantly; raising the threshold reduces false-positive volume but misses smaller real events.
- Time-of-day baseline fidelity — weekends, holidays, and sporting events produce legitimate deviations; good baselines are calendar-aware.
- Geographic granularity — country-level anomalies are statistically robust; per-AS or per-city anomalies can be noisy but are higher-value for attribution.
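The threshold and calendar trade-offs above, as an added example (not Cloudflare's detection code, whose algorithm this page does not describe). It assumes a median-of-prior-weeks baseline at the same hour-of-week; the function names, the hourly counts, and the holiday date are all constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import median

HOUR, WEEK = timedelta(hours=1), timedelta(weeks=1)

def baseline(series, ts, weeks=4, skip_dates=frozenset()):
    """Median of the same hour-of-week in prior weeks, ignoring calendar exceptions."""
    prior = [series[t] for k in range(1, weeks + 1)
             if (t := ts - k * WEEK) in series and t.date() not in skip_dates]
    return median(prior) if prior else None

def detect_drops(series, start, end, threshold=0.5, min_run=2, skip_dates=frozenset()):
    """Return (first_hour, last_hour, peak_drop) for each run of >= min_run flagged hours."""
    events, run, ts = [], [], start
    while ts <= end + HOUR:                      # one extra step flushes a trailing run
        base = baseline(series, ts, skip_dates=skip_dates)
        flagged = (ts <= end and ts in series and base and ts.date() not in skip_dates
                   and 1 - series[ts] / base >= threshold)
        if flagged:
            run.append((ts, 1 - series[ts] / base))
        else:
            if len(run) >= min_run:
                events.append((run[0][0], run[-1][0], round(max(d for _, d in run), 2)))
            run = []
        ts += HOUR
    return events

def constructed_series():
    """Five weeks of hourly request counts (constructed data, not real Radar output)."""
    series, ts = {}, datetime(2026, 1, 5)        # a Monday
    while ts < datetime(2026, 2, 9):
        level = (1500 if 8 <= ts.hour < 22 else 1000) * (0.8 if ts.weekday() >= 5 else 1.0)
        if datetime(2026, 2, 3, 10) <= ts <= datetime(2026, 2, 3, 12):
            level *= 0.3                         # real disruption: 70% drop for 3 hours
        elif datetime(2026, 2, 4, 14) <= ts <= datetime(2026, 2, 4, 17):
            level *= 0.7                         # minor dip: 30% drop for 4 hours
        elif ts.date() == datetime(2026, 2, 6).date():
            level *= 0.55                        # hypothetical holiday: 45% lower all day
        series[ts] = round(level)
        ts += HOUR
    return series

SERIES = constructed_series()
WINDOW = (datetime(2026, 2, 2), datetime(2026, 2, 8, 23))
HOLIDAY = frozenset({datetime(2026, 2, 6).date()})

if __name__ == "__main__":
    for thr, skip in [(0.5, frozenset()), (0.25, frozenset()), (0.25, HOLIDAY)]:
        print(thr, sorted(skip), detect_drops(SERIES, *WINDOW, threshold=thr, skip_dates=skip))
```

At threshold 0.5 only the 70% drop is reported; at 0.25 the minor dip and the holiday also surface, and marking the holiday in `skip_dates` removes that one false positive. Skipping a date entirely is a simplification: a real outage on that day would also go unflagged.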
Seen in
- sources/2026-04-28-cloudflare-q1-2026-internet-disruption-summary — canonical wiki instance; the quarterly review positions the Outage Center traffic-anomaly feed as the superset from which the confirmed-outage narrative is curated. The Q1 2026 review lists ~18 confirmed disruptions (Uganda, Iran ×2, Republic of Congo ×2, Cuba ×3, Paraguay, Dominican Republic, Ukraine ×3, AWS me-central-1 + me-south-1, Buenos Aires, Portugal, U.S. Virgin Islands, WACS-cable Congo, Verizon, Flow Grenada, Orange Guinée, TalkTalk) — a small fraction of the anomaly volume that actually flowed through the Radar pipeline over the same quarter.