Tinfoil hat mode: a competitor wants to exploit copy.fail on some ubuntu servers, and is DDoSing canonical so that they can't update and thus patch the vuln
This seems to be pretty targeted, and with the services affected like livepatch and such this could indeed be an actor DDoSing to avoid patches rolling out for copy.fail
While the timing with the copy.fail patches mentioned by a few comments here seems suspicious indeed, I have seen this repeating over the last few weeks: packages.ubuntu.com was hardly reachable on some days, causing apt-get to take forever to update the system. They have been struggling hard recently, it seems.
Best of luck to the people having to deal with this mess on a holiday!
The point of coincidental timing with copy.fail patches is that by DDoSing an upgrade mechanism for one of most popular distributions, you extend the time window certain systems remain vulnerable in order to exploit them.
Though this outage may be more related to the copy.fail upgrade cycle, it reminds me of a thought I've had recently in respect of agents.
In the UK they have this issue called "TV pickup" (https://en.wikipedia.org/wiki/TV_pickup). TV pickup is where everyone in the UK watching a popular TV show gets up to boil a high-powered tea kettle at the same time on an ad break. This causes a temporary surge in electricity demand and leads to real outages. It was a mystery at first but now is accounted for.
I suspect the global internet is facing an "agent pickup" problem where significant changes (e.g., releases of new frontier models or new package versions) puts unpredictable pressure on arbitrary infrastructure as millions of distributed agents act to address the change simultaneously.
Maybe they could use this DDoS attack as their 17th round technical interview. Any candidate who successfully mitigates the attack would then make it to the 18th round. Win win!
Is their interview process Dungeon Crawler Carl? Do you just apply to work at Canonical, and at the 3rd interview you get to pick what position you're applying for?
It's almost certainly related to preventing the roll out of copy.fail fixes. Someone held the capability in reserve until they had a good reason to use it.
Could this DDoS be affecting some components of https://ppa.launchpadcontent.net? I know they're supposed to be down and up again, but I still get errors when I update Ubuntu :(
Anyone from Canonical shared any pcaps of the attack yet? Or perhaps a summary of packet types, sizes, payloads, TCP/IP header characteristics? State table statistics?
22 comments
[ 2.8 ms ] story [ 42.1 ms ] threadIn the UK they have this issue called "TV pickup" (https://en.wikipedia.org/wiki/TV_pickup). TV pickup is where everyone in the UK watching a popular TV show gets up to boil a high-powered tea kettle at the same time on an ad break. This causes a temporary surge in electricity demand and leads to real outages. It was a mystery at first but now is accounted for.
I suspect the global internet is facing an "agent pickup" problem where significant changes (e.g., releases of new frontier models or new package versions) puts unpredictable pressure on arbitrary infrastructure as millions of distributed agents act to address the change simultaneously.
Pro-Iran crew turns DDoS into shakedown as Ubuntu.com stays down - https://news.ycombinator.com/item?id=47975729 - May 2026 (59 comments)