Arch Linux remains under attack as DDoS enters week 2 - here's a workaround

Sunshine (she/her)@piefed.ca · 24 days ago

Arch Linux remains under attack as DDoS enters week 2 - here's a workaround

DacoTaco@lemmy.world · edit-2 24 days ago

Wanna bet its ai scrappers? Im part of multiple communities who have all been under serious ai scrapper bot ‘attacks’. We are talking millions and millions of requests in minutes by the bots. Its complete bonkers what those fucking bots are doing

CubitOom@infosec.pub · 24 days ago

In the meantime, if you’re an Arch user and if archlinux.org is unavailable, you should use the mirrors already in your pacman-mirrorlist package instead of relying on the reflector tool.

I’m not too knowledgeable here, but why couldn’t you use the reflector to generate a mirrorlist?

I normally do something like

sudo reflector --verbose -c CA --protocol https --sort rate --latest 20 --download-timeout 5 --threads 5 --save /etc/pacman.d/mirrorlist

Which my understanding is that it would test all the mirrors in CA (Canada) and sort the fastest ones and then overwrite the mirrorlist.

CubitOom@infosec.pub · edit-2 24 days ago

Oh wait, I think the point is that if you are trying to visit archlinux.org, then you can use the URLs in the mirrorlist instead. That part about the reflector tool threw me.

Guess I’m lucky, I haven’t had any issues downloading ISOs or using the AUR. This is the first I’m hearing about the DDOS.

ISO@lemmy.zip · 24 days ago

reflector uses https://archlinux.org/mirrors/status/json/ to get mirror status info, and caches it under ~/.cache/Reflector/. So as long as that end-point works, reflector should work.

I just grabbed a copy and pasted it at http://0x0.st/Ki3Y.json.

Anyone can grab that JSON data and use file:// URLs so they are never out. e.g.

curl -L https://archlinux.org/mirrors/status/json/ > /tmp/mirror_status.json
# or if down, use pasted json
curl -L http://0x0.st/Ki3Y.json > /tmp/mirror_status.json
# and then
reflector --url file:///tmp/mirror_status.json ...

But, as you noted, this has been mostly a nothing-burger from a user perspective anyway. Other than the homepage being unavailable on occasion, everything else has been mostly available just fine as you can see from https://status.archlinux.org/.

I didn’t notice https://gitlab.archlinux.org/ going down either.

BTW, and as a general rule of thumb, NEVER take specific technical advice from these editors. They don’t actually know much, and this is me trying to be nice.

Take for example:

For AUR disruptions, it’s a bit of a pain if you’re not a regular git user, but you cloned packages directly from the GitHub Arch Linux mirror. To do this, use the command:

See that link ;) At least he got the command below it correctly, somehow.

tyler@programming.dev · 24 days ago

I’ve been having trouble for days downloading packages. Thought it was on my end.

ISO@lemmy.zip · 24 days ago

Thought it was on my end.

Change your mirror!

I’ve been using the repos relatively frequently, and never noticed anything.

I also just tested my mirror of choice with a random big package.

https://mirror.dogado.de/archlinux/extra/os/x86_64/libreoffice-still-24.8.7-5-x86_64.pkg.tar.zst

All good!

Victor@lemmy.world · 24 days ago

I’ve not had any issues with regular pacman, I guess because I’m using a very remote mirror.

But the AUR issues have affected me many times now. 😐