5/1/2026 at 8:57:08 PM
Dupe. More comments here: https://news.ycombinator.com/item?id=47972213
by sdoering
5/1/2026 at 7:14:41 PM
by RattlesnakeJake
5/1/2026 at 11:15:23 PM
Is this somehow preventing server updates? e.g. to keep the recent vulnerability unpatched for longer?
I'm not sure if that makes sense, I think the apt mirrors are all over the place, hosted by universities etc.
by andai
5/1/2026 at 11:35:25 PM
If you have a mirror configured, you likely won’t be prevented from downloading upgrades.
Some Ubuntu repository URLs may live in the affected Canonical infrastructure and those would be affected, but you can switch your apt sources list file to, for example, a country mirror and you’ll be mostly ok.
by loloquwowndueo
5/2/2026 at 11:00:33 AM
How do the mirrors get upgraded?
by chopin
5/2/2026 at 12:27:37 AM
Won't the mirrors themselves be unable to get updates from Canonical, though? Or do they distribute them some other way?
by jcgrillo
5/1/2026 at 7:19:35 PM
It seems Ubuntu infra is hosted at a cloud provider? All have the mechanisms to protect from these types of attacks. Is this an architecture design failure?
by tcp_handshaker
5/1/2026 at 8:41:14 PM
Which cloud provider? Unless things have changed, Canonical runs their own servers by leasing racks in data centres. Since one of their main offerings is managed OpenStack, they favor running things on their in-house OpenStack deployment instead of using a public cloud (AWS etc).
by loloquwowndueo
5/1/2026 at 7:37:02 PM
If the DDoS is from residential proxies and high volume it becomes a real problem to shut down.
by esseph
5/2/2026 at 2:11:52 PM
It can't be shut down if the means are there, if the means are superior from the attacker than the target, then it can remain permanently offline. Talking from experience.
by pixel_popping
5/2/2026 at 6:41:16 PM
I have personally been involved with law enforcement in foreign countries that have raided houses with shotguns and flash bangs against Command and Control (C2) infra.
BGP FlowSpec helps a lot to prevent shunting the target IP/route completely, it's not as bad as the old days.
by esseph
5/1/2026 at 8:12:36 PM
When asked for ransom terms, the attackers said, “no more systemd”
by tonymet
5/1/2026 at 10:02:39 PM
Systemd is fine. Maybe you mean “no more snaps”.
by throw1234567891
5/1/2026 at 11:16:30 PM
I didn’t even know Ubuntu had snaps. Hadn’t used it in 10 years.
by tonymet
5/2/2026 at 2:25:59 AM
Can’t even install Firefox without them…
by BobbyTables2
5/1/2026 at 10:03:29 PM
I'm scratching my head on this one too. What is there to even gain? Kids these days
by 2ndorderthought
5/2/2026 at 2:29:29 PM
I thought hating systemd was for geriatrics
by tonymet
5/1/2026 at 9:03:22 PM
Maybe they’re trying to block access to this URL: https://ubuntu.com/security/CVE-2026-31431
To address that, here is how to disable that local root access in Ubuntu 24.04:
by strenholme
5/1/2026 at 9:06:34 PM
Well at least for now that page loads for me
by 306bobby
5/1/2026 at 11:02:12 PM
the blog post linked from there with remediation instructions, however, does not.
1. https://ubuntu.com/blog/copy-fail-vulnerability-fixes-availa...
by ghostly_s
5/2/2026 at 12:08:41 AM
It's an Iranian state based actor.
They're targeting the most popular Linux distro, likely to prevent access to patches for the CopyFail attack so they can use it to do even more damage.
(CopyFail allows any unprivileged user to be elevated to root very easily)
by aussieguy1234
5/2/2026 at 2:09:40 AM
Worth calling out that CopyFail can be trivially patched. I did so on my personal devices + remote servers. The attack vector is apparently only typically utilized for exploits anyways, it supposedly has little practical/legitimate use.
This article has instructions on how to self-patch: https://www.bleepingcomputer.com/news/security/new-linux-cop...
by recursivegirth
5/2/2026 at 9:43:03 AM
Why would they attack Ubuntu? I would understand if the attack target would be Anthropic, OpenAI and other US fascists. Why Ubuntu?
by anotherviewhere
5/2/2026 at 3:34:54 PM
My first thought is that it's a default base image for a lot of containers, which also include an `apt update` in the Dockerfile. If Iran wants to cripple US industry, then taking down the update servers could screw up a lot of deployment processes
by RattlesnakeJake
5/1/2026 at 7:47:02 PM
dupe https://news.ycombinator.com/item?id=47975729
by _DeadFred_
5/1/2026 at 7:38:56 PM
cross-border attack? The internet doesn't have borders. The title of the article has nothing to do with the title submitted here.
edit: I should probably add more context as some commenters didn't understand. The DDOS attack is likely coming from compromised IoT devices. Most, if not all, of the big ones in the last few years (decades?) were that. Unless all the devices are located within a specific country and none are within the US then I think it is silly to use that term to imply that this is some sort of war from across the border. The reporting is fine for what they know so far, the submitted title is not.
by scorpioxy
5/1/2026 at 8:02:50 PM
> The internet doesn't have borders.
The overwhelming majority of internet connected devices have an internet connection that's physically connected, for 99.9??% of the distance, with wires or fiber cables, to every other user in the world, with a very nearby wireless hop at the ends. If the cables weren't so fragile, you could pull on your wifi AP and they would see their wifi AP (or maybe nearby cell tower) move.
The tiny fraction of the rest is passed by shining RF transmitters to some distant receiver, separated by some physical distance, to some base station sitting on the ground within a border.
by nomel
5/2/2026 at 8:28:44 AM
I would hazard the majority of devices are connected via cellular today.
by hdgvhicv
5/1/2026 at 7:59:32 PM
the real world (the place where ubuntu servers are hosted) does have borders, singing kumbaya won’t stop terrorists from attacking western infrastructure
also, “cross-border attack” is a direct quotation from canonical by ars technica, take it up with them
by dirasieb