Arch Linux Takes A Pounding As DDoS Attack Enters Week Two

Some joyless ne'er-do-well has loosed a botnet on the community-driven Arch Linux distro, with a distributed denial of service (DDoS) attack now in its second week of sustained disruption.

"The Arch Linux Project is currently experiencing an ongoing denial of service attack that primarily impacts our main webpage, the Arch User Repository (AUR), and the Forums," Arch maintainer Cristian Heusel wrote in an announcement on the project's website.

"We are aware of the problems that this creates for our end users and will continue to actively work with our hosting provider to mitigate the attack. We are also evaluating DDoS protection providers while carefully considering factors including cost, security, and ethical standards.

"As a volunteer-driven project, we appreciate the community's patience as our DevOps team works to resolve these issues. Please bear with us and thank you for all the support you have shown so far."

Arch was founded in 2002 by Judd Vinet as an alternative to the lightweight CRUX Linux distribution and is perhaps best known for its in-depth community-provided documentation hosted on the ArchWiki. The attack comes as the project has been enjoying a boost in mainstream success. The distro was picked by Valve to underpin the SteamOS software running on its Steam Deck handheld gaming gadget, with the company providing the project with funding for further development. Late last year, a new version of the archinstall tool was released, with a view to making the system more friendly to newcomers.

The motive behind the attack is unknown. While Arch is often the butt of jokes regarding its popularity among technohipster types – "I run Arch, by the way" being their equivalent of "I'm a vegan, by the way" or "I do CrossFit, by the way" – that seems unlikely to push someone with more botnet nodes than brain cells to sustain a week-long and counting attack.

• Opinionated Arch derivative CachyOS overtakes Mint and MX on DistroWatch
• Arch Linux users told to purge Firefox forks after AUR malware scare
• BTW Windows Subsystem for Linux officially uses Arch now
• Arch Linux installer now slightly less masochistic

For now, the Arch team is working to mitigate the attack's impact, which highlights a bootstrapping issue. Tools designed to shift traffic to mirrors in the event the main infrastructure is unavailable rely on a mirror list obtained from that same main infrastructure, with Heusel advising that users should "default to the mirrors listed in the pacman-mirrorlist package" if tools like reflector fail. Installation media can be downloaded from a range of mirrors, too, but should be checked against the project's official signing key before being trusted.

For the times when the attack takes the Arch User Repository (AUR) offline, the process of installing or updating a package is a little more manual: the command git clone --branch <package_name> --single-branch https://github.com/archlinux/aur.git <package_name> will pull packages down from the project's GitHub infrastructure instead.

As for the precise nature of the attack, nobody in the project is sharing anything just yet. "We are keeping technical details about the attack, its origin, and our mitigation tactics internal," Heusel explained, "while the attack is still ongoing."

Interested parties can keep an eye on Arch's battle against the bots on the project's service status page. ®