Dubook88

Canonical Under Fire: The DDoS Attack That Disrupted Ubuntu Services

Published: 2026-05-01 14:45:51 | Category: Cybersecurity

On April 30th, around 6 PM UK time, Canonical—the company behind Ubuntu—faced a sustained and cross-border attack that took down several of its key websites and services. Users trying to access the Ubuntu main site, the Snap Store, or Launchpad encountered errors and downtime. However, the attack was not all-encompassing; critical infrastructure like Ubuntu's APT package repositories and ISO downloads remained operational due to their distributed design. This Q&A breaks down what happened, what was affected, and how Canonical responded.

What exactly happened to Canonical's services on April 30?

Canonical reported that its websites and services were hit by a “sustained, cross-border” attack beginning around 6 PM UK time on April 30. The company acknowledged the incident and stated it was actively working to address the disruption. The attack specifically targeted the public-facing web properties of Canonical, including the main Ubuntu website, the Snap Store (snapcraft.io), and the Launchpad development platform. While the exact attack vector wasn't detailed, the term “cross-border” suggests it originated from multiple geographic locations, typical of a distributed denial-of-service (DDoS) campaign aimed at overwhelming servers with traffic.

Source: www.omgubuntu.co.uk

Which Canonical websites and services were knocked offline?

The primary casualties of the attack were the Ubuntu website (ubuntu.com), the Snap Store (where Snap packages are hosted and distributed), and Launchpad (Canonical's platform for open-source development and bug tracking). Users trying to visit any of these sites experienced connectivity errors or timeouts. Additionally, the main archive.ubuntu.com repository—used for APT package downloads—went offline for many users. However, the attack did not affect all infrastructure equally, as Canonical had already deployed redundancy measures for some services.

When did the attack start and how long did it last?

The attack commenced around 6 PM UK time on April 30. Canonical’s initial statement on the outage described it as “sustained,” implying it continued for a prolonged period. While the company did not publish an exact end time, users reported intermittent connectivity over several hours as Canonical worked to mitigate the traffic flood. The duration emphasized the severity of the incident, with Canonical engineers likely implementing rate limiting, filtering, and other DDoS protections to restore normal service gradually.

Were any Ubuntu services still accessible during the attack? How?

Yes, several critical services remained online. The APT package repositories (used by apt-get update and similar commands) were largely unaffected because they are distributed across multiple mirrored servers in different countries and regions. While the main archive.ubuntu.com was down, the mirror network allowed users to pull packages from alternative URLs. Additionally, Ubuntu ISO images for fresh installations were still downloadable, likely due to hosting on separate infrastructure or CDNs. This resilience highlights the importance of Canonical’s distributed architecture for core OS updates and distribution.
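The mirror fallback described above can be prepared on the client side. The following is an added example, not code from Canonical or from the original article: it probes a candidate list and writes the reachable hosts in the one-URI-per-line format read by APT's `mirror+file:` method (see apt-transport-mirror(1)). The `example.org` and `example.net` hosts, the suite name and the function names are assumptions; package integrity still rests on APT verifying the signed `InRelease` file, whichever mirror answers.

```python
"""Added example: build an APT mirror list that skips unreachable hosts."""
import urllib.error
import urllib.request

SUITE = "noble"  # assumption: release codename; change to match your system

# Constructed candidate list. The example.org / example.net hosts are
# placeholders; replace them with mirrors you have vetted.
CANDIDATES = [
    "http://archive.ubuntu.com/ubuntu/",
    "http://mirror-a.example.org/ubuntu/",
    "http://mirror-b.example.net/ubuntu/",
]


def http_probe(base_url, suite=SUITE, timeout=5):
    """Return True if the mirror serves the signed index for the suite."""
    req = urllib.request.Request(
        f"{base_url}dists/{suite}/InRelease", method="HEAD"
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except (urllib.error.URLError, OSError):
        # DNS failure, refused connection, timeout or HTTP error status
        return False


def reachable_mirrors(candidates, probe=http_probe):
    """Keep the candidate order, drop hosts that fail the probe."""
    return [url for url in candidates if probe(url)]


def render_mirror_list(mirrors):
    """One URI per line; the lower priority number is tried first."""
    if not mirrors:
        # Never overwrite a working list with an empty one.
        raise RuntimeError("no reachable mirror; keep the existing list")
    return "".join(
        f"{url}\tpriority:{rank}\n" for rank, url in enumerate(mirrors, start=1)
    )


if __name__ == "__main__":
    print(render_mirror_list(reachable_mirrors(CANDIDATES)), end="")
```

Save the output to a file such as `/etc/apt/mirrors.txt` and point the source entry at it with `mirror+file:/etc/apt/mirrors.txt`.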


What did Canonical say about the attack and its response?

Canonical issued a public statement acknowledging the “sustained, cross-border” attack and assured users that its teams were “working to address” the situation. The company promised to provide more details as they became available, but no further updates were released in the immediate aftermath. The tone of the statement was professional and focused on transparency, urging patience while engineers mitigated the attack. Later reports indicated that Canonical likely implemented traffic filtering and scaling measures to restore access. The incident underscores the ongoing threat of DDoS attacks even for major open-source organizations.

How did the outage affect end users and developers?

End users found themselves unable to browse the Ubuntu website for documentation, downloads, or support. Snap Store users could not search for or install new Snap packages via the web interface or with command-line tools such as snap find (if relying on the primary store). Developers working with Launchpad faced delays in accessing project repositories, tracking bugs, or managing builds. However, existing Snap installations continued to work, and APT updates via mirrors proceeded (though with potential timeouts for archive.ubuntu.com). The attack created inconvenience but did not compromise system security or cause loss of user data.

What can other organizations learn from this incident?

The attack on Canonical demonstrates the importance of redundant, geographically distributed infrastructure. Because APT repositories and ISO downloads were mirrored, they remained available even when primary servers were overwhelmed. Organizations should implement similar measures for critical services: use CDNs, multiple data centers, and fallback servers. Additionally, having a clear communication plan (like Canonical’s prompt public acknowledgment) helps manage user expectations. Proactive DDoS protection, such as traffic scrubbing and rate limiting, is also essential. This incident serves as a case study in balancing centralized convenience with resilient architecture.