Multiple servers operated by Ubuntu and its parent company Canonical have been under attack and offline since Thursday morning local time. The outage has lasted more than 24 hours so far, seriously hampering the mainstream Linux distribution's ability to communicate with users following the disclosure of a major security vulnerability.
In the past 24 hours, most Ubuntu and Canonical websites have been largely inaccessible, and users have repeatedly failed to obtain system updates from the official servers. Update services from mirror sites around the world, however, are still working normally. Apart from a status announcement in which Canonical said its "network infrastructure is experiencing ongoing cross-border attacks that we are working to address," Ubuntu and Canonical officials have remained largely silent throughout the outage.

A hacker group claiming to be sympathetic to the Iranian government has claimed responsibility for the attack on social media, saying it launched a distributed denial-of-service (DDoS) attack through a platform called Beam. Beam bills itself as a "stress testing" service for checking a server's ability to withstand heavy load, but like other so-called "stressors" or "booters", it is essentially a tool that criminals pay for to paralyze third-party websites. In recent days, this pro-Iran group has also claimed to have launched similar DDoS attacks on the e-commerce platform eBay.
According to a moderator on the Q&A community AskUbuntu.com, domains and services that are currently inaccessible or severely affected include: security.ubuntu.com, jaas.ai, archive.ubuntu.com, canonical.com, maas.io, blog.ubuntu.com, developer.ubuntu.com, Ubuntu Security API (covers CVE and Security Notices), academy.canonical.com, ubuntu.com, portal.canonical.com, and assets.ubuntu.com. These services include Ubuntu's security updates, package repositories, and image indexes, as well as Canonical's multiple business lines for developers, enterprise customers, and learning platforms.
This large-scale infrastructure outage coincided with security researchers' disclosure of powerful exploit code that can allow untrusted ordinary users to obtain root, the highest privilege level, on servers running almost all mainstream Linux distributions (including Ubuntu) in multi-tenant environments such as data centers and university networks. The timing has significantly constrained Ubuntu's ability to release security guidance, risk mitigation plans, and patch instructions to affected users. The dissemination of relevant security information has been forced to rely largely on third-party mirror sites and community channels. Nevertheless, update packages distributed through mirrors in various locations are still available, giving users an alternative path to critical fixes in the short term.
So-called stressers, or "zombie traffic rental" platforms, have existed for decades, and the commercial DDoS-as-a-service model has long been a target of law enforcement agencies in various countries. Although police from many countries have repeatedly taken joint action to seize websites and arrest operators, this underground industry, which relies on renting out botnets and attack traffic, has never been eradicated, and new platforms and brands continue to reappear under new names. This attack on Ubuntu and Canonical shows that mature commercial security teams and infrastructure operators can still be caught off guard, at least in the short term, by such high-volume attacks.
It's unclear why Ubuntu and Canonical's infrastructure has taken so long to become fully accessible again. The general view in the industry is that there are many mature DDoS protection services on the market, at least one of which provides basic protection for free. The long interruption has therefore raised many questions about Canonical's preparedness in terms of emergency plans, traffic scrubbing, and architectural redundancy. As of press time, however, Canonical has not disclosed further details of the attack, its protection strategies, or a timetable for full restoration of services.
While the aftermath of this incident has not yet subsided, the security community is still digesting the ripple effects of "one of the most serious Linux threats in years," and the Ubuntu infrastructure crisis has raised the alarm about how the entire open source ecosystem can remain resilient when high-volume attacks coincide with emergency security responses.