Can someone please explain whether Cloudflare blackmailed Canonical?

TLDR

  • A 3.5 Tbps DDoS hit Canonical for ~20 hours on 30 April 2026, ending only after Canonical moved security.ubuntu.com and archive.ubuntu.com behind Cloudflare, while the attacker’s booter service (Beamed) remained live on Cloudflare infrastructure throughout.

Key Takeaways

  • The attack downed ubuntu.com, canonical.com, and Ubuntu’s CVE/security-notice APIs within 10 minutes; repository endpoints security.ubuntu.com and archive.ubuntu.com were held in reserve and activated ~3 hours later.
  • Canonical’s response was surgical: only the two apt repository A records were moved to Cloudflare AS13335; all other properties stayed on Canonical’s own AS41231 space.
  • Beamed, the commercial stresser rented for the attack, advertises explicit Cloudflare-bypass techniques and is itself hosted on Cloudflare AS13335, still live after the incident.
  • On 27 February 2026, the same day AS39287 (Beamed’s routing AS) was reassigned to Romanian entity Materialism s.r.l., Let’s Encrypt issued new apex certificates for archive.ubuntu.com and security.ubuntu.com – a precondition for CDN onboarding. The synchrony is unresolved.
  • The AS39287 ownership chain passes through Pirate Bay founders Peter Sunde (Flattr/Njalla) and Peter Kolmisoppi (brokep), and the registrar Immateriali.sm is an accredited registrar for 1337 Services LLC (Njalla’s trading entity).

Hacker News Comment Review

  • Core dispute: commenters pushed back hard on the article conflating Cloudflare hosting Beamed’s marketing site with Cloudflare infrastructure being used to generate attack traffic – no evidence the actual DDoS packets came from Cloudflare.
  • On Cloudflare’s moderation posture, opinion split between those defending a neutral-carrier stance (takedowns require lawful orders, and proactive policing sets a dangerous precedent) and those arguing that Cloudflare’s abuse reporting has near-zero efficacy in practice for phishing and booter sites.
  • The structural conflict-of-interest claim – Cloudflare profits from both attack enablement (free tier) and victim relief (paid DDoS mitigation) – drew significant discussion without resolution; no evidence of explicit collusion was presented or surfaced in comments.

Notable Comments

  • @PcChip: Raised the hypothesis that ubuntu.com was targeted to prevent servers from patching a separate exploit, using the outage as a vulnerability window.
  • @dsl: Argued the internet historically self-regulated through peer pressure between operators, and courts are too slow; framed Cloudflare’s neutral-carrier stance as a structural regression from that norm.
