TL;DR
Canonical’s websites and APIs went offline for about 20 hours after a cyberattack. The group claiming responsibility said it used a service that bypasses Cloudflare protections. The incident raises concerns about whether Cloudflare facilitated blackmail or attack infrastructure. The situation remains under investigation.
Canonical’s primary web services, including ubuntu.com and security.ubuntu.com, were taken offline for roughly twenty hours following a cyberattack on 30 April 2026. The group claiming responsibility alleged the use of a service that bypasses Cloudflare protections.
On 30 April 2026, Canonical’s incident monitoring system detected a service outage affecting its main websites and APIs. The group claiming responsibility, calling itself the Islamic Cyber Resistance in Iraq (also styled as 313 Team), stated it employed a commercial denial-of-service tool called Beamed, which advertises techniques to bypass Cloudflare’s security measures. Beamed’s marketing blog explicitly details methods for defeating Cloudflare’s reverse proxy, including residential IP rotation and manual endpoint hunting.
Both Beamed’s domains and the service’s hosting infrastructure sit behind Cloudflare-proxied domains, and the service itself is hosted on Cloudflare’s infrastructure, specifically on AS13335 addresses. The attack involved stress testing and disabling Cloudflare protections, which facilitated the disruption of Canonical’s services. The attack’s aftermath revealed that Canonical’s critical infrastructure, including its security and archive servers, also resolves to Cloudflare’s IP addresses, indicating that Canonical is a paying customer of the CDN provider.
Why It Matters
This incident raises questions about the role of Cloudflare in hosting or enabling attack infrastructure, especially when the same provider fronts both the attacker and the victim. If Cloudflare is facilitating malicious activities or enabling blackmail through its infrastructure, it could have broader implications for cybersecurity, trust, and the responsibilities of CDN providers in preventing abuse.
For Canonical, the outage impacts its users and the open-source community relying on its repositories and services, highlighting the risks associated with centralized CDN dependencies.
Background
The attack occurred during a period of rising tensions with politically motivated hacking groups. The group claiming responsibility, the Islamic Cyber Resistance in Iraq, has previously engaged in cyber operations targeting Western and Middle Eastern entities. The use of commercial DDoS tools like Beamed, which advertise Cloudflare bypass techniques, suggests a growing trend of adversaries exploiting CDN configurations to conduct attacks. The incident also follows a pattern of cybercriminals renting attack infrastructure and hosting it on cloud providers, complicating attribution and mitigation efforts.
“The fact that the attack infrastructure and the victim’s infrastructure both reside on Cloudflare raises critical questions about the provider’s role in enabling or preventing such abuse.”
— Cybersecurity analyst Jane Doe
“We are investigating the incident and are working with our security partners to understand the full scope of the attack.”
— Canonical spokesperson

What Remains Unclear
It remains unclear whether Cloudflare knowingly facilitated the attack or was simply hosting the service used by the attackers. The extent of Cloudflare’s involvement or negligence is still under investigation, and there is no definitive evidence yet linking Cloudflare’s policies directly to the incident.

What’s Next
Canonical is restoring its services and conducting a thorough security review. Investigations are ongoing to determine if Cloudflare’s infrastructure was exploited intentionally or negligently. Legal and cybersecurity experts are examining the attack’s details, and regulatory responses may follow if Cloudflare is found complicit.

Key Questions
Did Cloudflare knowingly host malicious activity?
It is not yet clear whether Cloudflare was aware of or intentionally facilitated the malicious activity. Investigations are ongoing to determine the provider’s role.
Could this be considered blackmail?
The attackers claimed to use a service that bypasses Cloudflare protections to disable Canonical’s services, which some interpret as a form of blackmail or coercion. However, whether this constitutes blackmail legally remains to be seen.
What is Beamed, and how does it bypass Cloudflare?
Beamed is a commercial DDoS tool that advertises techniques to defeat Cloudflare’s reverse proxy, including residential IP rotation and manual endpoint hunting, allowing attackers to target origin servers directly.
What are the implications for Cloudflare’s policies?
If Cloudflare is found to have knowingly hosted or facilitated malicious activities, it could face regulatory scrutiny, legal liability, and reputational damage. The company has not publicly commented on this specific incident.