Arch’s AUR has been busy battling DDoS attacks and malware. Trouble’s not over—and it’s anybody’s guess what’s next… if anything.
It hasn’t been a good summer for the folks maintaining the Arch User Repository at Arch Linux. For about a week now, AUR has been under a sustained distributed-denial-of-service attack that’s made the site difficult — but not impossible — to reach.
Although there’s been no official statement about the attack from the Arch project, we can surmise from the fact that connecting with the repository is still possible — albeit with great difficulty — that this isn’t one of those server-breaking attacks generating anywhere from six million to over 70 million requests per second. That doesn’t matter, because smaller, garden-variety sustained attacks below 100,000 RPS can cause plenty of headaches for admins and frustration for users.
It turns out, those incidents are just the latest in what was already a long, hot summer for AUR maintainers. In mid-July, Arch deleted three malicious AUR packages — targeting Firefox-based LibreWolf and Zen browsers, along with Firefox itself. They were infected with a Remote Access Trojan that created an open door that attackers could use to transfer files, execute commands, open reverse shells, steal data, and essentially take full control of a user’s computer.
About 10 days later, AUR deleted more malicious content in browser-related code. This time the target was the google-chrome-stable package, which was infected with similar malware.
The latest DDoS attacks aren’t anywhere near as worrisome since — on the surface at least — they don’t appear to pose a security threat. They’re still a pain in the keister for the DevOps teams tasked with the job of keeping AUR available, the app developers who need to keep their software available, and users of Arch-based Linux distributions needing to install apps.
According to social chatter, mainly on Reddit, Cloudflare has reached out to AUR with an offer to help mitigate the attack, but there’s no indication that Arch or AUR has accepted that offer — likely on philosophical grounds. From what I’ve been able to observe, as of this writing AUR availability remains spotty.
I’ll let you know more as soon as I know more.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux