Canonical is under attack
23 points by labria
Also: https://arstechnica.com/security/2026/05/ubuntu-infrastructure-has-been-down-for-more-than-a-day/
The people who are under attack can't tell you about the attack because of the attack. Try this instead:
https://arstechnica.com/security/2026/05/ubuntu-infrastructure-has-been-down-for-more-than-a-day/
Canonical’s web infrastructure is under a sustained, cross-border attack and we are working to address it.
Since when does anyone on the Internet talk about borders? That seems like a non sequitur.
I assume because of this sentence in the next paragraph:
A group sympathetic to the Iranian government has taken credit for the outage.
And I also assume Canonical does not operate any infrastructure in Iran.
Can someone explain why an Iranian sympathetic group would go after Canonical? It doesn't seem to me like a target worth the effort involved. I mean - major bank might conceivably do some damage economically, or perhaps Microsoft's services (because everyone uses MS), or perhaps target AWS (because a lot of infra, including govt stuff runs on AWS). But Canonical?
It's become clear to me in recent years that an awful lot of people choose targets for their actions by criteria other than 'what will get me what I want'.
Canonical is (or certainly has been) a US military contractor. They have a whole team/department dedicated to making Ubuntu usable by the federal government.
Canonical is a UK company when last I heard.
US Govt uses RHEL for their Linux needs (though usually CentOS in reality).
That is, if they can't make the problem workable on Windows. Government fucking loves Windows Server.
Do we know for a fact that it's a pro-Iranian group? This article just throws the claim without any backing.
How many people would you affect if you were able to slip something into an ubuntu docker image, or how many targets can you get from snatching the list of companies paying ubuntu-pro to keep 18.04 instances online?
I've not had the time or inclination to figure out whether the telegram channel that claimed this was ever legitimately the mouthpiece of an Iraqi hacktivist group called 313 Team, but what seems pretty evident if you dig into the channel at all is that they claim to be this group attacking a disparate bunch of web platforms pretty uniformly advertising the same DDoS-as-a-Service platform.
Of course the platform itself claims to not be for any illegal use, so the narrative bears out that they get to claim ignorance of what their customers were doing whilst simultaneously having another deniable (perhaps even separate, but clearly related) persona doing your advertisement to other potential customers.
That's about the minimum plausible deniability I can see that you'd need to allow Cloudflare to prevaricate indefinitely on any takedown request for the actual stresser and control panel domains.
This is, obviously, an illustrative conclusion drawn from inferences and likely narratives. What's clear to me is that any threat intel sources or reporting I've seen so far on this group (and I stopped digging pretty quickly given the uncritical repetition that you become accustomed to) is that the intel is either out of date or simply just uncritically believes whatever the Telegram group is saying about their MO (based on the fact that they are clearly and observably DDoSing).
The point is, not only is "attribution hard" but that it would be a lot easier if everyone stopped assuming the cybersecurity industry actually did its homework.
That it's an "Iranian sympathetic" group does not mean it is state-sponsored, or imply any sort of competence or long term planning.
On the contrary, what they usually consider targets are very low hanging fruit or DDoS attacks with no real goal other than disruption or promotion.
I'm a little surprised canonical doesn't have the infra to tank an attack like this. At this point I wonder if they'll go with cloudflare now or if they want to remain independent.
DDoS attacks are pretty hard to deal with; not sure what smaller players do. Awful behavior from a shitty group.
There are so many options other than CloudFlare. Please let's not make them the default. Two random alternatives: fastly and bunnycdn.
I'm a little surprised canonical doesn't have the infra to tank an attack like this.
These days it's relatively trivial to get TBps traffic for cheap. If you're a target, you're not going to handle it without a third-party able to sink that traffic in multiple geographic locations.
Good mention with fastly! I've kept them in the back pocket in case I needed a DDoS solution. I personally like their engineers quite a bit.
It sucks that it's gotten so bad. I can't help but think this must be the repercussions of bad routers and low quality IoT gear flooding the market over the past half decade.