Canonical’s Ubuntu Infrastructure Got DDoS’d — Here’s What We Can Actually Learn From It

What Actually Happened to Canonical’s Infrastructure

The attack surface Canonical operates is genuinely unusual — ubuntu.com isn’t just a homepage, it’s load-bearing infrastructure for millions of automated processes running 24/7. Every apt update, every CI runner pulling fresh package indexes, every snap daemon phoning home on a timer, every PPA pipeline in Launchpad — they all converge on the same DNS space. That’s what makes this a high-value DDoS target compared to, say, taking down a SaaS landing page. The blast radius of disruption-per-request is enormous.

The attack progression followed a recognizable saturation pattern. The first services to go dark were the CDN-fronted package mirrors — archive.ubuntu.com and security.ubuntu.com — which made sense because volumetric floods will always exhaust bandwidth-dependent endpoints first. Launchpad followed within the same window, with the API endpoints and web frontend both becoming unreachable rather than degraded. The snap store backend — snapcraft.io and the assertion servers — went intermittent rather than fully offline, which is consistent with a partially absorbed attack hitting origin servers when CDN capacity fills up. The whole sequence compressed into roughly a few hours of hard-down time with an extended tail of instability that dragged through the rest of the day.

Here’s how most people actually experienced it. If you were on a fresh Ubuntu 22.04 or 24.04 machine and ran:

# This just hung — no error, no timeout for 2+ minutes
sudo apt update

# Or gave you:
Err:1 http://archive.ubuntu.com/ubuntu jammy InRelease
  Connection timed out [IP: 91.189.91.82 80]

# snap was worse — silent failure, no obvious indication
snap refresh
# ... nothing. Then eventually:
error: cannot refresh "firefox": Post "https://api.snapcraft.io/v2/snaps/refresh": dial tcp: i/o timeout

Launchpad users mid-workflow got hit harder. If you had a merge proposal open and were waiting on CI to report back, the Launchpad webhook receiver was dropping connections. Build records stopped updating. The web UI returned 502s or just stalled at the loading spinner. The particularly painful scenario was Ubuntu’s own infrastructure: Canonical’s internal CI pipelines that trigger off Launchpad push events were also affected, which meant the people best positioned to respond were working with degraded tooling.

Canonical’s public communication confirmed service degradation across their core infrastructure properties and acknowledged the attack vector was external. What they haven’t detailed publicly — and what the outage pattern strongly implies — is that the attack specifically targeted the endpoints that serve the highest request multiplier. Package index files are a perfect DDoS amplification lever: one coordinated signal can cause millions of apt daemons worldwide to simultaneously retry failed connections on their next cron tick, which compounds the recovery problem. You don’t just need to survive the attack; you need to absorb the retry storm that follows. The extended instability tail after the initial flood subsided is consistent with exactly that scenario — origin servers getting hammered by legitimate clients that finally got through to DNS but couldn’t complete requests fast enough to drain the retry queue.

The Launchpad angle is worth singling out specifically. It’s not just a code hosting platform — it’s the bug tracker, the translation platform, the PPA build system, and the upstream coordination point for a dozen major open-source projects. Thousands of teams have their automated release pipelines threaded through Launchpad’s API. An hour of Launchpad downtime doesn’t just mean developers can’t see their PRs; it means builds don’t trigger, packages don’t publish, and downstream mirrors don’t get updated. The dependency chain from “Launchpad is down” to “my internal apt repo is stale” is shorter than most infrastructure teams realize until it breaks.

Why DDoS Attacks Hit Open Source Infrastructure Harder

The thing that genuinely surprised me when the Canonical incident got dissected publicly was how much of the damage came from legitimate-looking traffic. Mirror operators across Ubuntu’s global network — we’re talking hundreds of university servers, corporate proxies, ISP caches — all run cron jobs that poll for package updates on predictable schedules. Some run apt-get update every 15 minutes. Some sync entire mirror trees overnight. When you layer a botnet on top of that existing noise, your traffic analysis tools are starting from a baseline that’s already chaotic. The signal-to-noise ratio is brutal before a single malicious packet arrives.

The mirror amplification problem is structural. A single upstream attack packet doesn’t just hit archive.ubuntu.com — it eventually ripples out to hundreds of downstream mirrors that then re-request the same metadata or package diff to verify consistency. This is the opposite of how a SaaS company deals with load: if Stripe gets hammered, they can prioritize traffic by API key tier, drop anonymous requests, or throttle by account age. Ubuntu’s infrastructure has none of those levers. The entire value proposition is that it’s free and unauthenticated. You can’t suddenly demand OAuth tokens for apt update without breaking every automated server and CI pipeline on the planet.

Launchpad’s architecture makes this significantly worse because it’s doing two fundamentally different jobs on the same platform. It’s a bug tracker — so engineers are hitting it for reads, searching issues, updating statuses. It’s also a build farm that compiles packages and pushes them into PPAs. These two workloads have completely different failure modes. A DDoS that degrades Launchpad’s response times by 3x doesn’t just slow down bug triage; it stalls package builds, which means security patches sit in a queue instead of landing in proposed. One attack, two broken workflows, and the second one (delayed security patches) is actually the more dangerous outcome. The blast radius expands way beyond “the website is slow.”

Snap’s delta-update CDN is where attackers get the most use per request. Traditional .deb packages are static — you request a file, you get it. Snap’s delta system is dynamic: the CDN has to compute or serve a binary diff between the version you have and the version you need. This means each request carries state. A botnet that rotates through fake version identifiers — claiming to be on version 2.58.1, then 2.58.3, then 2.59.0 — forces the edge infrastructure to either cache a combinatorial explosion of delta files or recompute diffs on demand. Either way, CPU and memory usage per request is orders of magnitude higher than serving a flat file. The attack traffic looks realistic because it mimics exactly what millions of real Ubuntu desktop users do every day: their snapd daemon checks for updates with a local version string attached.

# What snapd actually sends in an update check (simplified)
GET /v2/snaps/firefox/file?delta-format=xdelta3&delta-from-revision=2847
Host: api.snapcraft.io
Snap-Device-Series: 16
Snap-Device-Architecture: amd64
Snap-Device-Store: ubuntu

# A botnet just needs to rotate &delta-from-revision= across plausible integers
# to generate thousands of unique "legitimate" cache misses per second

The deeper issue is that open source infrastructure optimizes for accessibility, not for abuse resistance, and those two goals pull in opposite directions. A commercial CDN can fingerprint clients by browser behavior, TLS fingerprint, payment history, and account age. Ubuntu’s update infrastructure fingerprints clients by… architecture and snap revision. That’s it. The attack surface isn’t a bug in the code — it’s a deliberate design choice that made Ubuntu useful to hundreds of millions of devices, and now that same openness is what makes it hard to defend without breaking the thing everyone depends on.

Your apt Commands Failing Is a Canary — Here’s How to Diagnose It Fast

The thing that trips most people up is assuming apt update failing means their system is broken. Nine times out of ten it’s upstream — a DDoS-hammered CDN, a flapping origin, or a DNS cache serving stale records. The difference between “I’m down for 2 hours” and “I switched mirrors in 5 minutes” is knowing exactly which layer is broken before you start randomly changing things.

Start with the raw HTTP probe. This single command tells you everything:

curl -v https://archive.ubuntu.com/ubuntu/dists/jammy/Release 2>&1 | head -60

Read the response headers carefully. A Cloudflare 503 with CF-Ray in the headers means the request hit the CDN but got rejected upstream — Canonical’s origin is overwhelmed or intentionally rate-limiting. A straight connection timeout (curl just hangs then dies) usually means the CDN nodes themselves are degraded or the attack is saturating their ingress. A DNS resolution failure means you never even got to an IP. These three failure modes require completely different responses, and curl -v will tell you which one you’re dealing with in about 15 seconds.

Then run this to filter the noise out of apt‘s output:

sudo apt update 2>&1 | grep -E 'Err|Fail|timeout'

If you see errors on every line, it’s upstream. If only one or two mirrors fail while others succeed, your local network routing is probably fine and you’ve got a partial CDN outage hitting specific PoPs. The distinction matters — if only security.ubuntu.com is failing but archive.ubuntu.com works, you can defer security updates and keep installing packages in the meantime.

Check DNS separately. During active DDoS mitigation, Canonical sometimes rotates their Cloudflare IP pool, and if your resolver is caching aggressively you can get stranded on invalidated IPs:

dig archive.ubuntu.com +short
# Should return multiple IPs in 104.x.x.x or 185.x.x.x ranges (Cloudflare)
# If you see a single IP that doesn't respond, flush your resolver cache:
sudo resolvectl flush-caches   # systemd-resolved
# or
sudo systemd-resolve --flush-caches

If dig returns nothing, or the same IP that curl just timed out on, you’ve confirmed stale DNS. Switch to 1.1.1.1 temporarily in /etc/resolv.conf or just hardcode the mirror by IP while you investigate.

The fastest actual fix when Canonical’s infrastructure is degraded: swap to a regional mirror. Edit /etc/apt/sources.list and replace archive.ubuntu.com with something geographically close that’s independently hosted:

# Backup first
sudo cp /etc/apt/sources.list /etc/apt/sources.list.bak

# Princeton mirror — well-maintained, rarely down
# Replace all instances:
sudo sed -i 's|http://archive.ubuntu.com/ubuntu|http://mirror.math.princeton.edu/pub/ubuntu|g' /etc/apt/sources.list

# Confirm it works before committing
sudo apt update

Other mirrors worth knowing: mirrors.kernel.org/ubuntu (Linux Foundation hosted, high availability), ubuntu.mirrors.ovh.net/ubuntu if you’re in Europe, and mirror.cs.jmu.edu/pub/ubuntu as a US academic backup. The Ubuntu Mirror List on Launchpad shows official mirrors with their sync status. Don’t just grab a random mirror — verify it shows “Up to date” and is on the official list. Once Canonical’s infrastructure recovers, revert with sudo cp /etc/apt/sources.list.bak /etc/apt/sources.list and you’re back on the main CDN.

Mitigation Layer 1: Edge Protection — What Canonical Could Do and What You Should Do

The mistake most people make when they say “we’re behind Cloudflare” is conflating two completely different products. Cloudflare CDN proxies your HTTP traffic and can absorb application-layer (L7) floods, but if the attacker sends enough raw volumetric traffic to saturate your upstream pipe before packets even reach Cloudflare’s reverse proxy, CDN protection becomes irrelevant. Your origin’s ISP drops the connection. Cloudflare Magic Transit is the answer to that specific problem — it announces your IP prefixes via BGP from Cloudflare’s network, so attack traffic gets absorbed at the network edge before it travels anywhere near your AS. For an infrastructure target like Canonical’s mirror and package delivery network, the distinction is critical. Ubuntu mirrors aren’t just web apps; they’re high-throughput file servers that need volumetric protection at the IP layer, not just request filtering at L7.

Magic Transit requires you to bring your own IP space (a /24 minimum) and set up GRE or CNI tunnels back to your origin. It’s not cheap — pricing is enterprise-negotiated — but for any organization running public infrastructure at Canonical’s scale, CDN-only is the wrong tool. The failure mode is predictable: attack ramps up, CDN happily proxies it until the pipe saturates, then your origin ISP’s upstream router starts dropping everything including legitimate traffic. Magic Transit sidesteps this entirely by absorbing the flood at Cloudflare’s PoPs via Anycast. That segues directly into why Anycast matters so much here.

Anycast routing means the same IP prefix is advertised from dozens of PoPs simultaneously, so BGP routes attack traffic to the geographically nearest PoP rather than concentrating it all at one origin. A 500 Gbps flood that would kill a single datacenter gets split across, say, 15 PoPs each seeing 30–40 Gbps — well within mitigation capacity. For Canonical’s archive.ubuntu.com and CDN mirror endpoints, this is a force multiplier that costs nothing extra once you’re on Magic Transit. You’re basically weaponizing the attacker’s own distribution against them.

At the application layer, rate limiting the /ubuntu/dists/ endpoints is something you can do right now even on a standard Cloudflare paid plan. Package index endpoints — InRelease, Packages.gz, Release — are perfect DDoS amplification targets because they’re large files served without authentication. A simple Cloudflare WAF rate limit rule that caps unauthenticated bulk GETs to these paths to something like 50 requests per minute per IP dramatically reduces the automated scraping surface without touching real apt clients, which batch their requests and don’t hammer the endpoint in tight loops. Here’s what that rule looks like in Terraform:

resource "cloudflare_rate_limit" "ubuntu_dists" {
  zone_id   = var.zone_id
  threshold = 50
  period    = 60  # seconds — intentionally tight for unauthenticated bulk GETs

  match {
    request {
      url_pattern = "*example.com/ubuntu/dists/*"
      schemes     = ["HTTPS"]
      methods     = ["GET", "HEAD"]
    }
  }

  action {
    mode    = "simulate"  # flip to "ban" once you've validated false positive rate
    timeout = 300
  }
}

Start in simulate mode, watch the logs for 24 hours, then flip to ban. I’ve seen teams skip that step and block their own CI pipelines.

When an attack is actively in progress and you need to escalate right now without touching the dashboard, Cloudflare’s API is your friend. “Under Attack Mode” enables a JavaScript challenge for every visitor, which kills the vast majority of volumetric bot traffic because bots don’t execute JS. One API call does it:

curl -X PATCH 'https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/security_level' \
  -H 'Authorization: Bearer YOUR_API_TOKEN' \
  -H 'Content-Type: application/json' \
  --data '{"value":"under_attack"}'

Wire this into your incident runbook as step one, not an afterthought. The thing that catches people off guard is that “Under Attack Mode” will break apt clients — they don’t handle JS challenges — so for a package mirror you’d want this as a last resort or scoped to specific paths, not the entire zone. A smarter approach is combining this with a Cloudflare WAF Custom Rule that bypasses the challenge for requests matching a known User-Agent header pattern like Debian APT, so your legitimate package clients stay unaffected while bots get challenged.

Mitigation Layer 2: nginx and HAProxy Config Hardening That Actually Holds Up

The thing that surprises most people about DDoS mitigation at the nginx/HAProxy layer isn’t the exotic stuff — it’s that the basic rate limiting configs most tutorials show you are subtly broken in ways that only reveal themselves under actual load. I’ve been through enough incidents to know: you do not want to be learning what nodelay does at 2am when your syn backlog is overflowing.

Connection Limiting: Why Zone Size Is Not a Footnote

The standard advice is to drop this in your nginx config and call it a day:

# /etc/nginx/nginx.conf — http block
# 10m shared memory zone holds ~160,000 unique IPs
# $binary_remote_addr is 4 bytes (IPv4) vs ~20 for $remote_addr — use binary
limit_conn_zone $binary_remote_addr zone=addr:10m;

server {
    # max 10 simultaneous connections per IP — reasonable for humans, brutal for bots
    limit_conn addr 10;
    limit_conn_log_level warn;
    limit_conn_status 429;
}

The zone size matters a lot under flood conditions. A 10m zone stores roughly 160,000 IPv4 states. During a botnet flood using distributed IPs, that fills up fast. When it fills, nginx’s behavior depends on your version — pre-1.23 it silently stops enforcing the limit. Post-1.23 it logs and rejects. Either way, you want to size the zone for your threat model, not your normal traffic. For infrastructure serving package repositories (which is exactly what Canonical runs), I’d go 32m minimum — that’s ~512,000 tracked IPs for about 32MB of shared memory. Not expensive.

Rate Limiting and the nodelay Flag That Actually Makes It Work

Most tutorials stop at defining the zone and enabling the burst. They don’t tell you what happens without nodelay: nginx spaces out requests in the burst queue across time, which means a bot hitting you with 35 requests in under a second gets 5 of them queued and served slowly instead of rejected. You’re still processing them. With nodelay, burst requests are served immediately but counted against the rate — once the burst is exhausted, everything else gets 429’d instantly.

# Define zone in http block — 30 requests per minute per IP
limit_req_zone $binary_remote_addr zone=api:10m rate=30r/m;

server {
    location /api/ {
        # burst=5 allows a short spike, nodelay means those 5 don't sit in a queue
        # without nodelay you're still holding connections open for queued requests
        limit_req zone=api burst=5 nodelay;
        limit_req_status 429;
        limit_req_log_level warn;
    }

    location /ubuntu/dists/ {
        # Package index fetches — higher burst tolerance, same rate
        limit_req zone=api burst=20 nodelay;
    }
}

One gotcha: rate=30r/m translates internally to one request every 2 seconds. If legitimate package manager clients batch-fetch metadata, they’ll hit this. You need to tune burst based on actual apt-get update behavior, not theory. I typically trace a clean apt-get update run first and count the actual request bursts before setting these values in production.

HAProxy Pre-SSL Termination Blocking

The use point people miss with HAProxy is that you can drop connections before SSL handshake completes, which means you’re not burning CPU on TLS negotiation for known bad actors. For botnet CIDRs this is significant — TLS handshakes are expensive and a coordinated flood of them is a separate attack vector from raw volume.

# /etc/haproxy/haproxy.cfg
frontend https_front
    bind *:443 ssl crt /etc/ssl/certs/site.pem

    # Block at TCP layer before SSL — src lookup is O(1) with a sorted ACL
    tcp-request connection reject if { src -f /etc/haproxy/blocklist.acl }

    # Optionally track connection rates per IP for dynamic blocking
    tcp-request connection track-sc0 src
    tcp-request connection reject if { sc_conn_rate(0) gt 100 }

    default_backend web_back

# /etc/haproxy/blocklist.acl — one CIDR per line, HAProxy handles prefix matching
185.220.101.0/24
198.235.24.0/22
# Pull fresh lists from feeds like dan.me.uk/torlist or Emerging Threats

The blocklist file can be reloaded without a full restart: haproxy -sf $(cat /var/run/haproxy.pid). Pair this with a cron job pulling from threat intelligence feeds and you’ve got dynamic blocking that doesn’t require nginx reloads. The ACL lookup is fast enough that even with a 50,000-entry blocklist, per-connection overhead is negligible compared to the TLS cost you’re avoiding.

Kernel Tuning You Do Before the Attack, Not During

Trying to change somaxconn while under active SYN flood is too late — you’re already dropping legitimate connections and the kernel is in a bad state. Add this to /etc/sysctl.conf and apply it during provisioning:

# /etc/sysctl.conf
# Default somaxconn is 4096 on most distros — embarrassingly low for public infra
net.core.somaxconn = 65535

# SYN backlog — incomplete connections waiting for ACK
# Default 1024 means a moderate flood fills it in seconds
net.ipv4.tcp_max_syn_backlog = 65535

# SYN cookies: stateless defense, active when backlog fills
net.ipv4.tcp_syncookies = 1

# Don't cache metrics from closed connections (matters for returning attackers)
net.ipv4.tcp_no_metrics_save = 1

# Reduce TIME_WAIT socket recycling time
net.ipv4.tcp_fin_timeout = 15

# Apply without reboot
sysctl -p /etc/sysctl.conf

# Verify somaxconn took effect — nginx also caps at this value
cat /proc/sys/net/core/somaxconn

One thing that bit me: nginx has its own backlog parameter on the listen directive that defaults to 511. If you tune somaxconn to 65535 but leave nginx at the default, nginx wins — it passes its own backlog value to listen(2). Fix it explicitly: listen 443 ssl backlog=65535;. Same applies to HAProxy’s bind directive.

nginx Upstream Caching for Package Indexes During Partial Outages

During Canonical’s incident, one of the real pain points was origin servers getting hammered by retry storms from package managers. Caching the relatively static package index files at the edge proxy layer absorbs this automatically. The Ubuntu InRelease and Packages.gz files are perfect candidates — they change on a predictable schedule and are safe to serve slightly stale during an incident.

# /etc/nginx/nginx.conf — http block
proxy_cache_path /var/cache/nginx/ubuntu
    levels=1:2
    keys_zone=ubuntu_cache:20m
    max_size=10g
    inactive=60m
    use_temp_path=off;

server {
    location /ubuntu/ {
        proxy_pass http://ubuntu-origin-pool;
        proxy_cache ubuntu_cache;

        # Cache package indexes for 10 minutes — short enough to stay fresh
        # Long enough to survive origin flap during attack
        proxy_cache_valid 200 10m;

        # Serve stale if origin is unreachable — this is what saves you during incidents
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;

        # Background revalidation — clients don't wait for origin refresh
        proxy_cache_background_update on;

        # Lock prevents cache stampede: only one request goes to origin per key
        proxy_cache_lock on;
        proxy_cache_lock_timeout 5s;

        add_header X-Cache-Status $upstream_cache_status;
    }
}

proxy_cache_lock is the config that prevents thundering herd during cache misses — without it, 500 concurrent clients hitting a cache miss all go to origin simultaneously. proxy_cache_background_update means a stale cache hit is returned immediately while nginx refreshes in the background, so clients never see latency spikes during revalidation. Together these two directives reduce origin load dramatically even under normal conditions, which makes the capacity margin much larger when you actually need it.

Mitigation Layer 3: Network-Level Defenses (iptables, nftables, and BGP Blackholing)

The surprising thing about the Canonical incident is how much of the damage could have been absorbed at layer 3 before a single packet hit an application server. Network-level defenses aren’t glamorous, but they’re the only tier that can handle genuine volumetric floods — your Nginx config does nothing when the NIC is saturated. The order matters: BGP blackholing stops floods at the edge, RPKI prevents prefix hijacks, nftables handles the tail of the attack that gets through, and fail2ban cleans up the slow-burn scrapers that volumetric rules miss entirely.

nftables Rate Limiting That Actually Survives a Reboot

Most tutorials show you iptables one-liners and then gloss over the fact that those rules evaporate on reboot unless you’ve wired up iptables-persistent separately. nftables handles this natively through /etc/nftables.conf — systemd loads it automatically. The rate-limiting rule for new TCP connections looks like this:

# /etc/nftables.conf — add this inside your existing inet filter input chain
# This drops new TCP connections that exceed 100/s per-interface, not per-source.
# For per-source limiting you need a meter (see below).
nft add rule inet filter input \
  ip protocol tcp \
  ct state new \
  limit rate over 100/second burst 200 packets \
  drop

That rule is global — it limits total new TCP connection rate across the interface. For DDoS scenarios where you want per-source IP rate limiting (which is what you actually want against distributed attackers), you need a named meter:

table inet filter {
  meter connlimit {
    type ipv4_addr
    size 65535
    flags dynamic,timeout
  }

  chain input {
    type filter hook input priority 0; policy accept;

    # Drop source IPs that open more than 20 new TCP connections per second
    ip protocol tcp ct state new \
      add @connlimit { ip saddr timeout 10s limit rate over 20/second } \
      drop
  }
}

The timeout 10s keeps the meter from filling with stale entries during a long attack. Reload with systemctl reload nftables and check state with nft list meter inet filter connlimit — you’ll see source IPs accumulating in real time.

BGP RTBH: Why the NOC Relationship Has to Exist Before the Attack

Remote Triggered Black Hole routing is the only defense that works against a volumetric attack that fills your uplinks. The concept is simple: you advertise a /32 (or /128 for IPv6) for the victim IP with a community string your upstream recognizes as “null-route this.” Your provider then drops traffic to that IP at their edge — before it ever reaches your pipes. For Canonical’s mirror infrastructure, this means a single BGP announcement can stop a flood from 50,000 source IPs within the BGP convergence time, usually 2–5 minutes.

The catch is that this requires a pre-established relationship and a signed agreement with your transit providers. You can’t call your NOC mid-attack and ask them to enable RTBH on your account for the first time. The community string varies by provider — Hurricane Electric uses 6939:666, Lumen uses 3356:9999 — so you need to know these ahead of time and have your router configs templated. A practical trigger command from a Juniper MX during an active attack:

# Null-route a specific victim prefix via RTBH community
set routing-options static route 185.125.190.0/24 discard
set routing-options static route 185.125.190.0/24 community 6939:666

# Commit and the announcement propagates to your transit peers
commit and-quit

Source-based RTBH (blocking attack source prefixes rather than the victim) is trickier because it requires your upstream to filter based on your announcement and they need to have enabled this feature for your session explicitly. But when it works, it’s surgical — you null-route the /24 the attack is coming from rather than taking your own service offline.

RPKI and Why Canonical’s Mirror Prefixes Need ROAs

During a DDoS, a secondary attack vector that’s easy to miss is prefix hijacking. An attacker can BGP-announce Canonical’s own IP space from a rogue AS and redirect mirror traffic — particularly poisonous for an apt mirror because clients will silently start downloading packages from an attacker-controlled host. RPKI (Resource Public Key Infrastructure) prevents this by cryptographically binding an IP prefix to an authorized origin AS via a Route Origin Authorization (ROA).

For Canonical, whose prefixes live in AS41231, a ROA for their mirror network would look like this when submitted to their RIR (RIPE, since they’re UK-based):

# ROA parameters submitted to RIPE's Certification portal or via the API
Prefix:     185.125.188.0/22
Max Length: 24
Origin AS:  AS41231

The Max Length: 24 is important — it authorizes Canonical to announce more-specific /24s for things like RTBH without those announcements being flagged as invalid. Routers with RPKI validation enabled will drop BGP announcements where the origin AS doesn’t match a valid ROA. Most Tier-1 providers now have RPKI validation deployed, so this has real teeth. Check your own prefix status at rpki-validator.ripe.net before you assume you’re covered.

fail2ban With a Custom apt Mirror Log Filter

Volumetric defenses handle floods, but apt mirror abuse is often more subtle — bots doing rapid sequential requests for Packages.gz, Release, and InRelease files at intervals that look like legitimate clients until you see 400 requests in 30 seconds from one IP. fail2ban with a custom filter catches this pattern after it gets through nftables.

First, write the filter that matches abnormal apt mirror access patterns in your Nginx access log:

# /etc/fail2ban/filter.d/apt-mirror-abuse.conf
[Definition]
# Match IPs hammering metadata files — the signature of a mirror scanner
# or a misconfigured apt client doing infinite retry loops
failregex = ^ .* "GET /ubuntu/dists/.*(Packages|Release|InRelease|Sources)(\.gz|\.xz|\.bz2)?" (200|304) .*$

# Ignore normal user agents — real apt sends a specific UA
ignoreregex = .*Debian APT-HTTP/1.3.*

Then wire it up in a jail:

# /etc/fail2ban/jail.d/apt-mirror.conf
[apt-mirror-abuse]
enabled   = true
filter    = apt-mirror-abuse
logpath   = /var/log/nginx/mirror-access.log
maxretry  = 60       # 60 metadata hits...
findtime  = 30       # ...within 30 seconds = scanner behavior
bantime   = 3600     # ban for 1 hour
action    = nftables-multiport[name=apt-mirror, port="80,443", protocol=tcp]

The nftables action backend (nftables-multiport) is available in fail2ban 0.11.2+ and is cleaner than the iptables backend on systems running nftables natively. Test your filter against real logs before deploying: fail2ban-regex /var/log/nginx/mirror-access.log /etc/fail2ban/filter.d/apt-mirror-abuse.conf — you’ll see match counts and can tune maxretry without burning legitimate clients who run apt update frequently in CI pipelines.

Building Resilience Into Your Own apt/snap Dependency Chain

The Canonical DDoS incident exposed something uncomfortable: most teams treat apt and snap infrastructure as someone else’s problem until it becomes their problem at 2am during a production deploy. I spent a week after that outage hardening our dependency chain, and the changes were overdue regardless of who was getting attacked.

Mirror Ubuntu’s APT Repos With aptly

apt-mirror still works but aptly is the tool I actually want to use — it has proper snapshot semantics, so you can freeze a point-in-time mirror and test against it before rolling forward. Start with creating the mirror:

# Create the mirror — architectures flag matters, don't skip it
aptly mirror create -architectures='amd64' ubuntu-jammy http://archive.ubuntu.com/ubuntu jammy main

# Pull the index (doesn't download packages yet)
aptly mirror update ubuntu-jammy

# Create a snapshot — this is the actual value of aptly over apt-mirror
aptly snapshot create jammy-2025-06-01 from mirror ubuntu-jammy

# Publish it to a directory your nginx can serve
aptly publish snapshot jammy-2025-06-01 filesystem:local:

The snapshot step is what I actually care about. With apt-mirror you get a live-rolling mirror — great for staying current, useless if you need reproducibility. With aptly snapshots, your staging environment can pin to jammy-2025-06-01 while production promotes on a two-week lag. When Canonical’s CDN is degraded, your fleet doesn’t notice because it’s hitting your own nginx on your own infra.

Snap Store Proxy for Your Fleet

Every snap-enabled machine in your fleet does a refresh check every 4 hours by default, phoning home to api.snapcraft.io. At 50+ machines this becomes real outbound dependency. The snap-store-proxy package gives you an on-prem proxy that handles those requests:

# Install the proxy (requires Ubuntu 18.04+ host)
sudo snap install snap-store-proxy

# Register it — you need a Canonical account for this step
sudo snap-store-proxy register

# Point your clients at it
sudo snap set system proxy.store=http://your-proxy-host:8080

The honest trade-off: setup takes a couple of hours and you need a Canonical account to register, which adds a bit of irony given the goal is reducing Canonical dependency. But once it’s running, refresh failures are your infra team’s problem to debug locally, not a mystery network issue to a CDN endpoint you can’t inspect.

Pinning Package Versions in CI

The pattern that bites teams hardest during CDN outages isn’t the outage itself — it’s that their CI pipelines run apt-get install nginx and silently pull whatever version happens to be available, or fail because the package index is stale. Both outcomes are bad. The fix is explicit:

# Don't do this — version floats with whatever apt resolves
RUN apt-get install -y nginx

# Do this — deterministic, fails loudly if the version isn't in your mirror
RUN apt-get install -y nginx=1.24.0-2ubuntu7

# And if you want to verify what's available before pinning:
apt-cache policy nginx

Pin versions in your Dockerfiles and your CI .yml files both. I keep a packages.env file in the repo root with pinned versions as env vars, then reference them in the Dockerfile. When you need to update, it’s one PR with an explicit diff showing what changed and why — reviewers can actually reason about it.

apt-cacher-ng for Smaller Teams

If you have a handful of servers and don’t want to deal with running a full aptly setup, apt-cacher-ng is the right tool. It’s a caching forward proxy, not a mirror — requests still go out to Canonical, but cached packages serve locally on repeat hits. Setup is five minutes:

# Install and start
sudo apt-get install apt-cacher-ng
sudo systemctl enable --now apt-cacher-ng

# Client machines point to it
echo 'Acquire::http::Proxy "http://your-cache-host:3142";' \
  | sudo tee /etc/apt/apt.conf.d/01proxy

The config file lives at /etc/apt-cacher-ng/acng.conf and the one setting that will burn you is PassThroughPattern. By default, apt-cacher-ng can’t proxy HTTPS repos — it handles HTTP and rewrites certain URLs, but HTTPS connections need to pass through as tunnels. If you have any third-party repos using HTTPS (and you almost certainly do), add them explicitly:

# In /etc/apt-cacher-ng/acng.conf
# Allow HTTPS repos to pass through — without this, they silently fail or error
PassThroughPattern: .*security\.ubuntu\.com.*
PassThroughPattern: .*ppa\.launchpad\.net.*
PassThroughPattern: .*download\.docker\.com.*

The failure mode when PassThroughPattern is wrong is confusing — you’ll see SSL errors on the client that look like cert issues but are actually the proxy refusing to tunnel. I’ve watched three different engineers spend 45 minutes debugging that before realizing the fix was a one-liner in acng.conf. Set it explicitly for every HTTPS source in your sources.list files and you won’t hit it.

Observability: Knowing You’re Under Attack Before Your Users Do

The thing that catches most teams off guard during a volumetric attack isn’t the actual outage — it’s the 20-minute window before it where everything looks fine to your monitoring but your infrastructure is quietly choking. By the time your uptime monitor pages someone, half your users have already given up and left. The metrics that betray an attack early are almost never the ones you’re watching by default.

Two Prometheus metrics from node_exporter will spike before your CPU or bandwidth alerts fire. node_netstat_Tcp_CurrEstab tracks the number of TCP connections currently in ESTABLISHED state — under normal load this is relatively stable. node_sockstat_TCP_inuse tracks sockets in use across the TCP stack more broadly. During a SYN flood or connection exhaustion attack, both of these climb sharply while your request rate might still look plausible. Wire up Prometheus alerting rules like this:

- alert: TCPConnectionSurge
  expr: node_netstat_Tcp_CurrEstab > 8000
  for: 2m
  labels:
    severity: warning
  annotations:
    summary: "TCP established connections abnormally high: {{ $value }}"

- alert: TCPSocketExhaustion
  expr: node_sockstat_TCP_inuse > 10000
  for: 1m
  labels:
    severity: critical
  annotations:
    summary: "TCP sockets in use crossing threshold: {{ $value }}"

Tune those thresholds against your own baseline — scrape a week of normal traffic first. The key is the for duration: set it too short and you’ll wake someone up for a legitimate traffic spike; too long and you’ve already missed the early window. Two minutes on the warning, one minute on critical is where I landed after too many false pages.

Your uptime monitor almost certainly checks HTTP 200 and calls it a day. The problem is that under load, many web servers will return a 200 with a cached error page, a CDN stub page, or a completely empty body before they start returning actual 5xx errors. Canonical’s archive infrastructure would serve degraded responses long before clean HTTP errors propagated. Replace your status-code check with a content-validation check. A dead simple synthetic monitor with nothing but curl and cron catches this:

#!/bin/bash
# /usr/local/bin/check_launchpad.sh
# Validates response body content, not just HTTP status

ENDPOINT="https://launchpad.net/ubuntu"
EXPECTED_STRING="Ubuntu"
RESPONSE=$(curl -s --max-time 5 --write-out "%{http_code}" "$ENDPOINT")
HTTP_CODE="${RESPONSE: -3}"
BODY="${RESPONSE%???}"

if [[ "$HTTP_CODE" != "200" ]] || [[ "$BODY" != *"$EXPECTED_STRING"* ]]; then
  echo "$(date): FAIL - HTTP $HTTP_CODE, body match: false" >> /var/log/launchpad_check.log
  # pipe to your alerting: curl -X POST your-slack-webhook -d '{"text":"Launchpad degraded"}'
else
  echo "$(date): OK" >> /var/log/launchpad_check.log
fi

# add to crontab -e
*/1 * * * * /usr/local/bin/check_launchpad.sh

Run this every minute from a machine that isn’t in your own network. The response time from --write-out "%{time_total}" is also worth logging separately — latency creeping from 200ms to 1400ms is a canary you’ll miss if you only care about success/fail.

For real-time traffic pattern analysis without standing up an ELK stack, goaccess is genuinely underrated. Run it directly against a live nginx log and it gives you a visual terminal dashboard that updates as requests come in:

# real-time HTML report served on port 7890, tailing the active log
goaccess --log-format=COMBINED /var/log/nginx/access.log \
  --real-time-html \
  --output=/var/www/html/report.html \
  --port=7890 \
  --ws-url=wss://yourserver.example.com:7890

# or just terminal output if you don't need the HTML
tail -f /var/log/nginx/access.log | goaccess --log-format=COMBINED -

What you’re looking for isn’t high request volume in isolation — it’s the pattern. During an attack you’ll see the same 4–6 IP ranges dominating the top requestors panel, identical User-Agent strings flooding the agents view, and request paths that make no sense (hitting /ubuntu/pool/main/ directly instead of going through a mirror). GoAccess surfaces all three of those visually in about 10 seconds of eyeballing. It won’t page you, but it’s the fastest “what is actually happening right now” tool I’ve used, and it needs zero infrastructure beyond a package install.

One last thing that bit me: most hosted uptime monitors check from a single region by default. An attacker targeting a specific CDN PoP or anycast node might take down your service for users in Frankfurt while your monitor in Virginia keeps getting a clean 200. Pay for multi-region checks or run your curl synthetic from at least two different cloud providers in different continents. The extra cost is trivial; the difference in detection time during a geographically-targeted attack is not.

Honest Take: What Canonical Did Right and Where the Gap Is

The status page thing burned me the most. I had engineers pinging me asking if the outage was confirmed or if it was just our environment, and status.canonical.com was sitting there showing partial degradation while the actual impact was clearly total. That 20+ minute lag between reality and the status page isn’t a communications failure — it’s a tooling failure. A status page that gets updated manually during an active incident is a liability. Atlassian Statuspage has auto-incident triggers via API, Better Uptime can flip status automatically from monitor probes — there’s no excuse in 2026 for a status page that requires someone to remember to update it while they’re also fighting a fire.

The CDN story is actually interesting when you look at what recovered and when. archive.ubuntu.com came back meaningfully faster than Launchpad, and that’s not a coincidence — archive mirrors are static file trees that edge nodes can cache aggressively. Fastly and Cloudflare can absorb volumetric attacks against static content at a fundamentally different scale than they can protect dynamic API surfaces. The Snap CDN held better than Launchpad’s API endpoints for the same reason: a 50MB binary blob that gets cached at the PoP is nearly impervious to L7 floods once it’s warm in cache. A Launchpad bug tracker query hits auth, hits a DB, hits session state — no edge cache protects that.

The real infrastructure gap is upstream RTBH coordination. Remote Triggered Blackhole routing needs to be pre-negotiated with Tier-1 upstreams before an attack starts, not requested during one. If Canonical doesn’t have standing RTBH agreements with their transit providers (the public evidence suggests the response time was slow enough that they probably didn’t have fast-path agreements), that’s the single highest-ROI fix they could make. The conversation with Lumen, NTT, or Cogent should happen in a quarterly review, not in a Slack DM at 2am when you’re already getting punched. BGP Flowspec is the next tier up — it lets you push drop rules to upstream routers programmatically without manual coordination.

What a published incident runbook with SLOs would actually buy them: right now, nobody outside Canonical knows whether “investigating” means 20 minutes or 4 hours. If their runbook said something like “CDN-protected properties: target recovery within 45 minutes, Launchpad API surface: 2–4 hours for sustained volumetric attacks”, operators could make real decisions — spin up a mirror, delay CI pipelines, switch package sources. Instead everyone just refreshed the status page. Cloudflare publishes their incident SLOs internally and surfaces them externally in incident updates; it meaningfully reduces the noise in their community forums during outages because people have an anchor expectation.

One thing Canonical genuinely got right: their layered CDN investment meant the attack didn’t cascade into a total blackout. The fact that snap install kept working for many users while Launchpad was down shows the architecture has real segmentation. That’s not nothing — a naive single-datacenter setup would have taken everything down simultaneously. If you’re building out your own infrastructure protection stack or evaluating vendor tooling for DDoS response, the Essential SaaS Tools for Small Business in 2026 guide covers the monitoring and incident-response layer worth having alongside your CDN setup.

When to Pick What Mitigation Strategy Based on Your Scale

The mistake I see constantly is people Googling “DDoS protection” and landing on enterprise solutions when they’re running a $5 VPS, or going the opposite direction — slapping Cloudflare free tier in front of a 200-server fleet and wondering why their apt mirrors are getting hammered. Scale dictates the right tool here more than almost any other factor in infrastructure security.

Single Server / Indie Project

Cloudflare free tier plus two local tools is genuinely enough for most small projects. The combination stops the vast majority of volumetric attacks before they touch your box, and the total cash outlay is zero. Here’s the actual setup I’d run:

# /etc/nginx/conf.d/rate_limit.conf
limit_req_zone $binary_remote_addr zone=api:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=general:10m rate=100r/m;

server {
    location /api/ {
        limit_req zone=api burst=10 nodelay;
        limit_req_status 429;
    }
    location / {
        limit_req zone=general burst=20;
    }
}

# /etc/fail2ban/jail.local — add alongside default ssh jail
[nginx-limit-req]
enabled  = true
port     = http,https
logpath  = /var/log/nginx/error.log
maxretry = 5
findtime = 60
bantime  = 3600

The thing that catches people out: Cloudflare free tier doesn’t include WAF rules. You get DDoS mitigation at layers 3 and 4, but application-layer attacks (slow POST floods, credential stuffing) will still reach nginx. That’s where the limit_req rules earn their keep. Set bantime to something longer than 3600 if you’re seeing repeat offenders — I run 86400 on anything that triggers more than 20 times in a day.

Small Team (5–50 Servers)

At this scale your biggest vulnerability during a DDoS isn’t just your public-facing service — it’s your internal package distribution falling over while you’re trying to patch and respond. apt-cacher-ng keeps your servers pulling packages internally instead of hammering upstream mirrors (or timing out when your link is saturated). Cloudflare Pro at $20/month unlocks actual WAF rules including OWASP managed rulesets, which matters once you have real users. Layer nftables on top for stateful connection tracking:

# Limit new TCP connections per source to 60/minute
# Add to your nftables.conf inet filter input chain
ct state new tcp flags & (fin|syn|rst|ack) == syn \
    limit rate over 60/minute burst 100 packets drop

# Hard cap concurrent connections per IP
ct count over 100 drop

Grafana alerting on connection metrics is the piece most teams skip and then regret. Hook it into your node_exporter data and alert when node_netstat_Tcp_CurrEstab spikes beyond your baseline by 3x. You want the page going out before your users are screaming, not after. At this tier, Prometheus + Grafana running on one internal box costs you almost nothing and gives you the visibility to tell an attack from a traffic spike from a misconfigured client.

Mid-Size Org (50–500 Servers)

You’ve outgrown apt-cacher-ng’s “one node that caches” model. aptly lets you maintain actual signed mirrors of upstream repos with snapshot management — critical when you need to freeze packages during an incident and not have servers auto-upgrading while you’re firefighting. HAProxy with upstream health checks matters here because at 50+ servers you will have backends failing independently, and you need automatic removal from rotation without human intervention:

# haproxy.cfg snippet — aggressive health checks
backend apt_mirrors
    balance roundrobin
    option httpchk GET /dists/stable/Release
    default-server inter 5s fall 2 rise 3 slowstart 30s
    server mirror1 10.0.1.10:80 check
    server mirror2 10.0.1.11:80 check
    server mirror3 10.0.1.12:80 check backup

Cloudflare Business ($200/month) gets you custom WAF rules and 50 managed rulesets. The real unlock at this tier though is establishing a BGP relationship with your datacenter provider. Most DCs at the colo level will set up BGP sessions with you if you ask — this isn’t magic, you just need an ASN (ARIN/RIPE, ~$500-$1000/year) and a router that speaks BGP. This relationship is what makes the next tier’s tools actually work.

Canonical-Scale and Above

Cloudflare Magic Transit and AWS Shield Advanced are genuinely different products from everything below them. Magic Transit announces your IP prefixes via anycast across Cloudflare’s network, meaning attack traffic gets absorbed at the edge — your datacenter never sees the flood. AWS Shield Advanced at $3,000/month base includes DDoS response team access and cost protection for AWS resource scaling during attacks. Neither is overkill if you’re running public infrastructure that thousands of other organizations depend on for package downloads. RPKI route origin validation stops BGP hijacking at the routing layer — you publish signed ROAs so that your prefixes can’t be announced from a rogue AS. Pre-negotiated RTBH (Remotely Triggered Blackhole) with your upstream ASNs means you can signal “drop all traffic to this /32” in under two minutes via a BGP community tag, before the attack fully saturates your transit links.

The BGP Reality Check Most People Hit Hard

Every article about DDoS mitigation eventually mentions BGP blackholing like it’s a checkbox you tick. The honest reality: if you’re on shared hosting, a consumer VPS at DigitalOcean, Linode, or Hetzner’s cheapest tier, none of this is available to you. These providers manage the BGP routing. You don’t have a BGP session. You can’t announce communities. You can’t RTBH. Your options at that tier are strictly Cloudflare-proxied traffic or absorbing the hit. Dedicated servers at proper colo facilities, or providers that explicitly offer BGP sessions (Vultr’s BGP offering, some Hetzner dedicated configs, Equinix Metal) are where this tooling becomes accessible. If you’re planning infrastructure where BGP-level response matters, bake that into your hosting decision from day one — retrofitting it later means migrating IP space and ASN configuration, which is exactly the wrong time to be doing paperwork.

---

---