this post was submitted on 26 Dec 2025
191 points (99.5% liked)


I know this isn’t the kind of news Linux fans were hoping to read on Christmas Day, but unfortunately, on a day meant for faith, kindness, and hope, others are choosing to act in exactly the opposite way.

Many of you probably remember the problems Arch faced just a few months ago due to massive DDoS attacks, which mainly affected the AUR. Sadly, just when it seemed those issues were behind, a new large-scale DDoS attack on Christmas Day once again made the distribution’s website effectively inaccessible.

top 26 comments
[–] BarbecueCowboy@lemmy.dbzer0.com 42 points 1 day ago (6 children)

I know the Arch community is kind of rough, but any reason we know of that they're being targeted? Feels like a weird target for any major actors to prioritize for destabilization.

[–] LordKitsuna@lemmy.world 36 points 1 day ago (2 children)

I feel like this all started around that time that there was that article that mentioned the most popular desktop environments on Arch Linux from repo stats where KDE plasma was the highest with over double gnome.

Clearly gnome foundation salty

[–] rozodru@pie.andmc.ca 4 points 18 hours ago

with some interactions I've seen from GNOME fanboys on mastodon...honestly wouldn't put it past them. /s

[–] badmin@lemmy.today -2 points 16 hours ago

The attacks started before that retarded non-news post. And no one actually cares about DEs, other than younglings still in their hopping phase.

[–] Badabinski@kbin.earth 27 points 1 day ago (2 children)

I seem to recall hearing speculation that the person behind this had their AUR packages deleted because they were posting malware. I've only heard this second-hand so it could be complete bullshit, but it seems plausible given some of the fucking adult babies we have out in the world.

[–] Ricaz@lemmy.dbzer0.com 14 points 21 hours ago

You don't have to be an adult to post malware and hire DDoS botnets

[–] badmin@lemmy.today 2 points 16 hours ago

AUR malware and DDoS attacks are not even correlated, for there to be any minimally credible speculation about causation.

Such "speculation" would only come from someone very unintelligent who would see two news items about X within a smallish time frame (weeks), then obtusely start drawing connection lines between them where there is probably* none.

* We don't know who the malware spreaders or the DDoS attackers are. So we can't be 100% certain about anything. But indications point to script kiddies being behind AUR malware attempts. And a more sophisticated entity behind the DDoS attacks, not just some kid or an adult with a grudge paying a botnet, like some are sillily suggesting. One should also not forget that there was always the conspiracy theory that DDoS protection service providers are behind most DDoS attacks (before AI crawlers accidentally took that crown).

[–] FauxLiving@lemmy.world 14 points 1 day ago

DDoS is cheap to buy on the dark web; it could be anybody with a grudge and a few thousand USD. It often costs more to mitigate the attacks than to launch them.

[–] badmin@lemmy.today 13 points 16 hours ago (1 children)

> Arch community is kind of rough

What?

[–] BarbecueCowboy@lemmy.dbzer0.com 1 points 9 hours ago

We're kinda famous for not exactly being welcoming, and it's not undeserved.

[–] mustbe3to20signs@feddit.org 8 points 20 hours ago* (last edited 20 hours ago) (1 children)

Anybody more tech-savvy than my grandma can order botnet attacks nowadays. And due to its memed community it's an obvious target.

On a more tinfoil hat note: Arch is the base of SteamOS...

[–] Fizz@lemmy.nz 9 points 16 hours ago (1 children)

SteamOS builds off Arch pretty rarely, so unless they plan on DDoSing for 6 months this doesn't impact SteamOS at all.

It's probably someone who got banned from the community trying to make a statement.

[–] mustbe3to20signs@feddit.org 3 points 15 hours ago* (last edited 14 hours ago)

I know (or more honestly guessed so). It was meant to be a joke, hence the tinfoil hat reference ;)

[–] kn33@lemmy.world 1 points 16 hours ago

I've heard sometimes arbitrary targets are chosen to demonstrate capabilities. It's marketing.

[–] rumba@lemmy.zip 23 points 18 hours ago

I had a DDoS in '01, took the entire cluster down for a fairly popular website.

Traffic distribution was very wide; everything was on port 80.

All the traffic would come in, smack the front page, then disappear.

Turns out marketing had purchased an ad on MSN, which was a hot search engine at the time; we were supposed to be the top link for any search with "school, education, classes, tutoring". MSN accidentally made us the top link for EVERY search term. My T1 and my BGP frame connection were balls to the wall for 3 days.

OBV, this isn't marketing, but they're not a great target. No one's getting any money from it. They don't have any stiff corporate competition.

[–] emotional_soup_88@programming.dev 20 points 23 hours ago (3 children)

Would it be possible for an average user like me to host the whole AUR and the whole Arch Wiki to make it available at times like this? I'm already seeding a couple of Arch isos (not pirate lingo).

I just want to help out.

[–] slazer2au@lemmy.world 15 points 21 hours ago

Arch aur mirror might be the searchable term you want to find out.

[–] badmin@lemmy.today 9 points 16 hours ago

The AUR is already officially mirrored on GitHub, at least since the last attack (that I heard of).

For the Wiki, I'm not sure if database dumps are provided for people to provide proper mediawiki mirrors. If they're not, you should propose the idea. It's a good one (as long as the dumps themselves are not hosted in one place that can be DDoS-ed itself).

[–] Ooops@feddit.org 6 points 18 hours ago

That would be a lot of work (and some space) but should be doable.

But just for your personal access to the wiki archwiki-offline and arch-wiki-search already exist (in the AUR).

[–] randomblock1@lemmy.world 13 points 19 hours ago (3 children)

Why ipv6 only though? Is there something about it that makes it more resilient to DDOS? If a device on the botnet has both ipv4 and ipv6 I don't see how it's mitigated

[–] Unforeseen@sh.itjust.works 11 points 17 hours ago

I just figured the chances of the devices in a botnet being ipv6 is like 5% or less

[–] SteveTech@aussie.zone 8 points 7 hours ago

The botnet's code probably doesn't support IPv6.

> Is there something about it that makes it more resilient to DDOS?

While archlinux.org doesn't do this, you can have multiple A and AAAA records which can provide DNS based load balancing, and IPv6 is easier to do that with since you usually get allocated a whole prefix. Of course that only helps to distribute the load, if your internet connection is the bottleneck then it won't help.

[–] x00z@lemmy.world 2 points 6 hours ago* (last edited 6 hours ago)

It's common practice to "blackhole" targets of DDoS attacks as a defensive measure. Blackholing means that packets coming into the network for a specific IP get discarded, which lowers the stress on the network and especially on the receiving server. The server will work as if there was no attack but will only be accessible on non-blackholed IPs. This would of course require the IPv6 to not get attacked either.

I'm guessing that's what's happening here.

https://en.wikipedia.org/wiki/Black_hole_(networking)
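
An added illustration of the destination-based blackholing described in the comment above (not part of the thread, and not Arch Linux's actual configuration): a small longest-prefix-match table in which a /32 null route discards everything sent to the attacked IPv4 address, legitimate visitors included, while the AAAA address stays reachable. All addresses are documentation ranges and the next-hop name `web-frontend` is hypothetical.

```python
import ipaddress
from collections import Counter

class RouteTable:
    """Longest-prefix-match table; a next hop of None is a null (discard) route."""
    def __init__(self):
        self.routes = []  # (network, next_hop)

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, hop in self.routes:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, hop)  # the most specific prefix wins
        if best is None:
            return ("no-route", None)
        if best[1] is None:
            return ("discard", str(best[0]))
        return ("forward", best[1])

def build_edge_table():
    t = RouteTable()
    t.add("192.0.2.0/24", "web-frontend")   # covering IPv4 route (constructed)
    t.add("2001:db8::/32", "web-frontend")  # covering IPv6 route (constructed)
    t.add("192.0.2.10/32", None)            # blackhole for the attacked address
    return t

# Constructed DNS records for the site under attack.
SITE_RECORDS = {"A": "192.0.2.10", "AAAA": "2001:db8::10"}

def reachable_records(table, records):
    """Which published addresses still reach the server."""
    return {rtype: table.lookup(ip)[0] == "forward" for rtype, ip in records.items()}

def deliver(table, destinations):
    """Count what the edge does with each packet, keyed by action."""
    return Counter(table.lookup(dst)[0] for dst in destinations)

if __name__ == "__main__":
    table = build_edge_table()
    # Constructed traffic: flood plus 2 legitimate IPv4 visitors to the blackholed
    # address, 3 IPv6 visitors, 2 packets to a neighbouring host in the same /24.
    traffic = (["192.0.2.10"] * 1002) + (["2001:db8::10"] * 3) + (["192.0.2.20"] * 2)
    print(reachable_records(table, SITE_RECORDS))
    print(dict(deliver(table, traffic)))
```

The null route matches on destination only, so it cannot tell flood packets from real IPv4 visitors; that is why the site ends up reachable over IPv6 alone.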

[–] thethunderwolf@lemmy.dbzer0.com 12 points 23 hours ago

did Manjaro do this

[–] x00z@lemmy.world 3 points 6 hours ago

Some dad is doing this so his son would come out the basement for Christmas and spend time with the family.

[–] omgboom@lemmy.dbzer0.com 1 points 5 hours ago

All this over Pascal support?!?!