PATTERN Cited by 1 source

Gossip fingerprint propagation

Gossip fingerprint propagation is the pattern of sharing detection state (threat fingerprints, match rules, ban lists, observed patterns) across peers of a distributed fleet via gossip or multicast, so each node benefits from every other node's observations without a central control-plane service mediating the sharing.

The canonical wiki instance is Cloudflare's DDoS fingerprinting system: each server's dosd derives top fingerprints from its local packet samples (coming off XDP/eBPF), and "each server gossips (multicasts) the top fingerprint permutations within a data center, and globally. This sharing of real-time threat intelligence helps improve the mitigation efficacy within a data center and globally."

Shape

• Local detection — each node independently observes traffic, derives fingerprints / rules (typically via a streaming or heuristic pipeline).
• Top-N selection — a node broadcasts only its top candidates, not its full sample stream (bandwidth limit).
• Gossip/multicast — sent peer-to-peer (gossip) or via a group address (IP multicast / pubsub topic) rather than through a central coordinator.
• Local ingestion — receiving nodes merge the shared fingerprints into their local rule set, subject to their own thresholds and local-policy guards.
• Auto-expiry — fingerprints time out on each node if hit rate decays (no global delete needed).

Why peer gossip

The obvious alternative is a central-control-plane push: every node reports detections to a central service that aggregates and pushes rules back out. Gossip wins when:

• Latency matters more than consistency — gossip converges in O(log N) rounds; a central service adds a round-trip to a single point and the consistency win is often irrelevant when the downstream rule is heuristic / expirable anyway.
• Central service would be a DDoS target — a central threat- intelligence service is the obvious thing for an attacker to disable before the real attack. Peer gossip has no single target to take down.
• Fleet size makes central scaling expensive — Cloudflare operates in 477+ data centres with many servers per site; central rule distribution at that scale is non-trivial, while gossip piggybacks on existing POP-internal networking.
• Fleet is heterogeneous across regions — a global central plane adds cross-region latency that a within-POP gossip eliminates; different POPs can have different fingerprint mixes locally.

Central push wins when:

• Strong-consistency / compliance requires a single golden rule set and provable distribution latencies.
• Detection decisions are expensive (large models, correlation graphs) and should be centralised.

The 2025 Cloudflare writeup picks gossip because the detection is already local (dosd runs on every server) and the shared artifact (a small compiled fingerprint) is cheap to disseminate.

Within-POP vs global gossip

Cloudflare's writeup distinguishes "within a data center" and "globally". The practical reason:

• Within-POP: peers see correlated attack traffic (they are at the same anycast site); convergence is fast (low-latency local network); shared state multiplies detection accuracy on the attack wave currently landing there.
• Globally: different POPs see different slices of the attack (different subsets of the 122,145 source IPs); cross-site propagation lets each POP pre-arm against vectors other POPs have already fingerprinted — useful especially when the attack wave migrates or different source ASes converge on different POPs.

Failure modes

• Gossip storm — naïve all-to-all gossip O(N²) can collapse; real implementations use either restricted fan-out (classic epidemic gossip) or multicast (one-to-many with IGMP/PIM) depending on what the fabric allows.
• Malicious-fingerprint injection — a compromised node could gossip an overly-broad fingerprint that drops legitimate traffic across the fleet. Mitigation: per-node thresholds before applying gossiped rules, auth on the gossip channel, rate-limits on acceptance.
• Stale fingerprints — if expiry is per-node-derived, a gossiped fingerprint that's already stale elsewhere might still apply locally. Usually resolved by letting each node expire its copy based on local hit-rate.
• Convergence lag vs attack speed — a fast-migrating attacker can outrun gossip (arrive at POP C before A's fingerprint has propagated). Each POP still has its own dosd to re-derive from scratch, so convergence lag is a performance concern, not a correctness one.

Sibling patterns

• patterns/autonomous-distributed-mitigation — the parent posture; gossip is the mechanism that makes it more than N independent detectors.
• concepts/control-plane-data-plane-separation — gossip is the control-plane here, but it's a peer-distributed control plane rather than a central one; the data plane is still the per-node XDP/eBPF filter.

Seen in

• sources/2025-06-20-cloudflare-how-cloudflare-blocked-a-monumental-7-3-tbps-ddos-attack — canonical instance: per-server systems/dosd gossips top fingerprint permutations within the data centre and globally, compiling received fingerprints into XDP/eBPF drop programs. Gossip mechanism, cadence, and convergence-latency numbers are not disclosed in the writeup.

Related

• systems/magic-transit
• systems/dosd
• systems/ebpf
• concepts/anycast
• patterns/autonomous-distributed-mitigation
• patterns/two-stage-evaluation
• companies/cloudflare