
Can Someone Please Explain Whether Cloudflare Blackmailed Canonical?

Why This Matters

This incident highlights the complex role of CDN providers like Cloudflare in cybersecurity, where their infrastructure can be exploited by malicious actors to conduct attacks or facilitate blackmail. It underscores the importance for tech companies and consumers to understand the vulnerabilities and dependencies associated with cloud-based security services, especially when they are used as both protectors and potential attack vectors.

30 April 2026, 16:33:37 UTC. Canonical’s incident monitoring system marks blog.ubuntu.com as Service Down.

Within ten minutes the rest of the company’s public web was down as well: the main site ubuntu.com, the security advisory APIs that downstream package management depends on, the developer portal, the corporate site, the training platform. These disruptions ran for roughly twenty hours.

1 May 2026, 12:44 UTC. Service Restored.

The group claiming responsibility for the attack said it used a paid service. They named one tool they had rented: a commercial denial-of-service product called Beamed, sold under multiple TLDs, with beamed.su serving as the marketing and blog site and beamed.st serving as the customer login portal. The April 2026 blog post “How to Bypass Cloudflare with Advanced Stresser Methods” advertises three named techniques for defeating Cloudflare protection, including residential IP rotation and manual “endpoint hunting” to locate origin servers. Beamed is explicit about what it sells:

Cloudflare acts as a reverse proxy, hiding the origin server’s IP address. Many low-quality booters fail against “Under Attack Mode” or Bot Fight Mode. Beamed.su employs several advanced techniques to effectively stress test websites protected by Cloudflare and similar CDNs.

The blog post hosting this paragraph is itself served by Cloudflare. The product sold is Cloudflare bypass. The hosting provider for the seller is Cloudflare.

A week after the attack, beamed.su and beamed.st remain online. Both resolve to Cloudflare AS13335 addresses. Canonical’s two repository endpoints, security.ubuntu.com and archive.ubuntu.com, also resolve to Cloudflare AS13335 addresses, under a paid customer relationship.

Cloudflare fronts attackers for free and bills the victims for relief.

The question I have repeatedly been asked is whether what just happened amounts to blackmail, and how the actor that claimed responsibility (a self-described pro-Iranian group calling itself the Islamic Cyber Resistance in Iraq, also styled as 313 Team) ends up renting attack capacity from a service whose front-end infrastructure is operated by the same company that Canonical eventually paid for relief.

Beamed’s consumer-facing domains are registered through a registrar called Immaterialism Limited, which sells domain registration on a flat-rate basis and via a JSON API. Cheap, automated registration with zero friction is typically associated with abuse hosting. Immateriali.sm is itself proxied through Cloudflare nameservers (tani.ns.cloudflare.com and trey.ns.cloudflare.com).
