Can someone please explain whether Cloudflare blackmailed Canonical?

查看原文 / View Original 编辑 / Edit

Can someone please explain whether Cloudflare blackmailed Canonical?

有人能解释一下 Cloudflare 是否勒索了 Canonical 吗?

30 April 2026, 16:33:37 UTC. Canonical’s incident monitoring system marks blog.ubuntu.com as Service Down. Within ten minutes the rest of the company’s public web was down as well: the main site ubuntu.com, the security advisory APIs that downstream package management depends on, the developer portal, the corporate site, the training platform. These disruptions ran for roughly twenty hours. 2026 年 4 月 30 日,协调世界时 16:33:37。Canonical 的事件监控系统将 blog.ubuntu.com 标记为服务中断。十分钟内,该公司其余的公共网络也随之下线:主站 ubuntu.com、下游包管理所依赖的安全公告 API、开发者门户、企业网站以及培训平台。这些中断持续了大约二十个小时。

1 May 2026, 12:44 UTC. Service Restored. The group claiming responsibility for the attack said it used a paid service. They named one tool they had rented: a commercial denial-of-service product called Beamed, sold under multiple TLDs, with beamed.su serving as the marketing and blog site and beamed.st serving as the customer login portal. 2026 年 5 月 1 日,协调世界时 12:44。服务恢复。声称对此次攻击负责的组织表示,他们使用了付费服务。他们点名了所租用的一种工具:一种名为 Beamed 的商业拒绝服务产品,该产品通过多个顶级域名(TLD)销售,其中 beamed.su 作为营销和博客网站,beamed.st 作为客户登录门户。

The April 2026 blog post “How to Bypass Cloudflare with Advanced Stresser Methods” advertises three named techniques for defeating Cloudflare protection, including residential IP rotation and manual “endpoint hunting” to locate origin servers. Beamed is explicit about what it sells: Cloudflare acts as a reverse proxy, hiding the origin server’s IP address. Many low-quality booters fail against “Under Attack Mode” or Bot Fight Mode. Beamed.su employs several advanced techniques to effectively stress test websites protected by Cloudflare and similar CDNs. 2026 年 4 月的博客文章《如何利用高级压力测试方法绕过 Cloudflare》宣传了三种击败 Cloudflare 防护的特定技术,包括住宅 IP 轮换和手动“端点搜寻”以定位源服务器。Beamed 对其销售的产品直言不讳:Cloudflare 作为反向代理,隐藏了源服务器的 IP 地址。许多低质量的攻击工具在面对“受攻击模式”(Under Attack Mode)或“机器人对抗模式”(Bot Fight Mode)时会失效。Beamed.su 采用了几种先进技术,能有效对受 Cloudflare 及类似 CDN 保护的网站进行压力测试。

The blog post hosting this paragraph is itself served by Cloudflare. The product sold is Cloudflare bypass. The hosting provider for the seller is Cloudflare. A week after the attack, beamed.su and beamed.st remain online. Both resolve to Cloudflare AS13335 addresses. Canonical’s two repository endpoints, security.ubuntu.com and archive.ubuntu.com, also resolve to Cloudflare AS13335 addresses, as a paid customer relationship. Cloudflare fronts attackers for free and bills the victims for relief. 托管这段文字的博客文章本身就是由 Cloudflare 提供服务的。所售产品是绕过 Cloudflare。卖家的托管服务商也是 Cloudflare。攻击发生一周后,beamed.su 和 beamed.st 依然在线。两者都解析到 Cloudflare 的 AS13335 地址。Canonical 的两个仓库端点 security.ubuntu.com 和 archive.ubuntu.com 也解析到 Cloudflare 的 AS13335 地址,作为付费客户关系存在。Cloudflare 免费为攻击者提供前端,却向受害者收取救济费用。

The question I repeatedly have been asked is whether what just happened amounts to blackmail, and how the actor that claimed responsibility (a self-described pro-Iranian group calling itself the Islamic Cyber Resistance in Iraq, also styled as 313 Team) ends up renting attack capacity from a service whose front-end infrastructure is operated by the same company that Canonical eventually paid for relief. 我被反复问到的问题是,刚刚发生的事情是否构成了勒索,以及声称负责的行动者(一个自称是伊拉克伊斯兰网络抵抗组织,也称为 313 团队的亲伊朗组织)是如何从一个服务商那里租用到攻击能力的,而该服务商的前端基础设施恰恰由 Canonical 最终付费寻求救济的同一家公司运营。

Beamed’s consumer-facing domains are registered through a registrar called Immaterialism Limited, which sells domain registration on a flat-rate basis and via a JSON API. Cheap, automated registration with zero friction is typically associated with abuse hosting. Immateriali.sm is itself proxied through Cloudflare nameservers (tani.ns.cloudflare.com and trey.ns.cloudflare.com). Beamed 面向消费者的域名是通过一家名为 Immaterialism Limited 的注册商注册的,该公司以统一费率并通过 JSON API 出售域名注册。廉价、自动化且零门槛的注册通常与滥用托管相关联。Immateriali.sm 本身也通过 Cloudflare 的名称服务器(tani.ns.cloudflare.com 和 trey.ns.cloudflare.com)进行代理。

Immaterialism Limited is registered at Companies House in the United Kingdom under company number 15738452. It was incorporated on 24 May 2024 with one director, Nicole Priscila Fernandez Chaves of Costa Rica (date of birth March 1993), at a mass-mailbox address on Great Portland Street in London. On 11 April 2025 Fernandez Chaves resigned the directorship while retaining 75 percent or more of the economic interest. The replacement director was Naomi Susan Colvin, a British national resident in England, appointed at the same address. Immaterialism Limited 在英国公司注册处注册,公司编号为 15738452。该公司成立于 2024 年 5 月 24 日,拥有一名董事,即来自哥斯达黎加的 Nicole Priscila Fernandez Chaves(出生于 1993 年 3 月),注册地址位于伦敦大波特兰街的一个群发邮件地址。2025 年 4 月 11 日,Fernandez Chaves 辞去董事职务,但保留了 75% 或以上的经济利益。接任董事是居住在英国的英国国民 Naomi Susan Colvin,任命地址相同。

Colvin is the former Director of the Courage Foundation, the legal-defence vehicle whose trustees have included Julian Assange, John Pilger, Vivienne Westwood, and Renata Avila, and which has supported beneficiaries including WikiLeaks and Barrett Brown. Her current role is UK and Ireland Programme Director at Blueprint for Free Speech, working on whistleblower protection and anti-SLAPP litigation. The legal campaign that prevented the extradition of Lauri Love to the United States ran under her direction. She is a longstanding activist. Colvin 是“勇气基金会”(Courage Foundation)的前任主任,该法律辩护机构的受托人包括朱利安·阿桑奇、约翰·皮尔格、薇薇安·威斯特伍德和雷娜塔·阿维拉,并支持过维基解密和巴雷特·布朗等受益人。她目前的职务是“言论自由蓝图”(Blueprint for Free Speech)的英国和爱尔兰项目主任,致力于举报人保护和反战略性诉讼(anti-SLAPP)。阻止劳里·洛夫(Lauri Love)被引渡到美国的法律运动就是在她的领导下进行的。她是一位资深的活动家。

On 26 February 2026 Immaterialism Limited filed two changes at Companies House on the same day: a registered office change (from 85 Great Portland Street to 167-169 Great Portland Street) and a change of details for Fernandez Chaves as person with significant control. The next day, 27 February 2026, the routing infrastructure that announces Beamed’s IP space and that of related services moved jurisdiction. 2026 年 2 月 26 日,Immaterialism Limited 在英国公司注册处同日提交了两项变更:注册办公地址变更(从大波特兰街 85 号变更为 167-169 号)以及作为重要控制人的 Fernandez Chaves 的详细信息变更。次日,即 2026 年 2 月 27 日,宣布 Beamed IP 空间及相关服务 IP 空间的路由基础设施转移了管辖权。

The autonomous system that announces Materialism’s address space is AS39287. RIPE allocated this AS number on 24 January 2006. Its routing identity has been preserved continuously since then, but its registered operator and the country of record have changed twice. From around 2017 to roughly 2020, AS39287 was held by Privactually Ltd, a Cypriot company, and operated under the name FLATTR-AS. Flattr was the micropayments project of Peter Sunde Kolmosoppi, one of the founders of The Pirate Bay. The abuse contact for prefixes under that registration was abuse@shelter.st. 宣布 Materialism 地址空间的自治系统是 AS39287。RIPE 于 2006 年 1 月 24 日分配了该 AS 号码。自那时起,其路由身份一直保持不变,但其注册运营商和记录国家已更改两次。从 2017 年左右到 2020 年左右,AS39287 由塞浦路斯公司 Privactually Ltd 持有,并以 FLATTR-AS 的名义运营。Flattr 是海盗湾创始人之一 Peter Sunde Kolmosoppi 的小额支付项目。该注册下前缀的滥用联系邮箱为 abuse@shelter.st

From 2020 to 2026, the same AS number was reassigned to ab stract ltd, a Finnish company at Urho Kekkosen katu 4-6E in Helsinki. Its maintainer object on the RIPE record was BKP-MNT. Named person of record: Peter Kolmisoppi (handle “brokep”), another founder of The Pirate Bay, with a Malmö postal address and the email noc@brokep.com. The authoritative nameservers for the operator’s domain abstract.fi were the three Njalla nameservers at njalla.fo, njalla.no, and njalla.in. Njalla is the privacy-as-a-service domain proxy founded by Peter Sunde and operated through 1337 Services LLC in St. Kitts and Nevis. Some prefixes under ab stract carried abuse contacts at cyberdyne.is. 从 2020 年到 2026 年,同一个 AS 号码被重新分配给位于赫尔辛基 Urho Kekkosen katu 4-6E 的芬兰公司 ab stract ltd。其在 RIPE 记录上的维护者对象是 BKP-MNT。记录在案的人员是海盗湾的另一位创始人 Peter Kolmisoppi(网名“brokep”),其地址位于马尔默,邮箱为 noc@brokep.com。该运营商域名 abstract.fi 的权威名称服务器是位于 njalla.fo、njalla.no 和 njalla.in 的三个 Njalla 名称服务器。Njalla 是由 Peter Sunde 创立并通过圣基茨和尼维斯的 1337 Services LLC 运营的隐私即服务域名代理。ab stract 下的一些前缀带有 cyberdyne.is 的滥用联系方式。

Reassignment on 27 February On 27 February 2026, at 12:11:48 UTC, RIPE recorded the third reassignment. AS39287 became the property of Materialism s.r.l., a Romanian company at Bulevardul Metalurgiei in Bucharest, operating under the name “materialism.” A Materialism RIPE membership had been provisioned five months earlier, on 30 September 2024, and had then sat dormant. The reassignment included the IPv4 prefix 45.158.116.0/22 and the IPv6 prefixes 2001:67c:2354::/48 and 2a02:6f8::/32, the last of which was originally allocated in August 2008 under the prior regime. The peering arrangements were preserved across all three transitions. AS39287 has continu 2 月 27 日的重新分配:2026 年 2 月 27 日,协调世界时 12:11:48,RIPE 记录了第三次重新分配。AS39287 成为罗马尼亚公司 Materialism s.r.l. 的财产,该公司位于布加勒斯特的 Bulevardul Metalurgiei,以“materialism”的名义运营。Materialism 的 RIPE 会员资格在五个月前(2024 年 9 月 30 日)已预置,随后一直处于休眠状态。此次重新分配包括 IPv4 前缀 45.158.116.0/22 以及 IPv6 前缀 2001:67c:2354::/48 和 2a02:6f8::/32,其中最后一个前缀最初是在 2008 年 8 月根据之前的制度分配的。对等互联安排在所有三次转换中均得以保留。AS39287 已持续……

← 返回新闻列表 / Back to news list