Hello Team,

I hope you're doing well. So recently we noticed that the ARCH linux is facing a lot of DDOS attacks. What if we were to use Project Galileo to avoid these DDOS? This is completely free of cost by CloudFlare.

Project Galileo | Cloudflare <https://www.cloudflare.com/galileo/>

Thanks
Shresth Paul
Website: Shresth Paul | Cybersecurity Professional <https://secbyshresth.github.io/Portfolio/>
Greetings,

Great point; however, this applies only to HTTP applications (which the AUR isn't exclusively; it's also available over SSH). We would need something like Cloudflare Spectrum, which isn't a part of Galileo as far as I am aware.

Best regards,
Borna Punda

Oct 7, 2025, 13:53 by shresthpaul133@gmail.com:
> Hello Team,
>
> I hope you're doing well. So recently we noticed that the ARCH linux is facing a lot of DDOS attacks. What if we were to use Project Galileo to avoid these DDOS? This is completely free of cost by CloudFlare.
>
> Project Galileo | Cloudflare <https://www.cloudflare.com/galileo/>
>
> Thanks
> Shresth Paul
> Website: Shresth Paul | Cybersecurity Professional <https://secbyshresth.github.io/Portfolio/>
Hi Borna/All,

I understand, and it's absolutely fine for Cloudflare Spectrum. However, my next question is whether the Arch Linux Team has an allocated budget for this solution.

If no budget is available, I recommend setting up a free-tier alternative such as *Fail2Ban*. This tool can help monitor known attack vectors using publicly available threat intelligence. As part of our IOC (Indicators of Compromise) strategy, we should proactively block public IPs identified through these sources within the Fail2Ban configuration.

Without implementing a mitigation solution, these DDoS attacks are likely to persist. Once such details are exposed publicly, it becomes extremely difficult to prevent further exploitation unless appropriate controls are in place within the infrastructure.

Please let me know your thoughts.

Thanks
Shresth Paul

On Tue, Oct 7, 2025 at 7:04 PM Borna Punda <borna@bornapunda.com> wrote:
> Greetings,
>
> Great point; however, this applies only to HTTP applications (which the AUR isn't exclusively; it's also available over SSH). We would need something like Cloudflare Spectrum, which isn't a part of Galileo as far as I am aware.
>
> Best regards,
> Borna Punda
>
> Oct 7, 2025, 13:53 by shresthpaul133@gmail.com:
>> Hello Team,
>>
>> I hope you're doing well. So recently we noticed that the ARCH linux is facing a lot of DDOS attacks. What if we were to use Project Galileo to avoid these DDOS? This is completely free of cost by CloudFlare.
>>
>> Project Galileo | Cloudflare <https://www.cloudflare.com/galileo/>
>>
>> Thanks
>> Shresth Paul
>> Website: Shresth Paul | Cybersecurity Professional <https://secbyshresth.github.io/Portfolio/>
I guess the Arch Linux team already uses blocking mechanisms like fail2ban. If the DDoS was that easy to block, we probably wouldn't even notice it. It's probably volumetric DDoS that needs to be blocked upstream or something. And I hope the AUR does not need to rely on Clownflare for that, hopefully they find another solution / provider. But I trust they do their best to resolve these issues as fast as possible.
It depends on the exact attack, as this determines the defense method. Generally speaking, if it was:

- "brute force" on the service, then fail2ban + a harder firewall will be enough to deal with it – a good admin will handle it without any problems.
- SYN flood attack – Hetzner claims it automatically blocks traffic above 500 kpps. If that's true, great, but if Hetzner doesn't block it, the only solution is to change the hosting.
- SYN flood attack <500 kpps – a good admin can defend against such an attack.

Could you clarify which version of the attack you're referring to?

Regarding Cloudflare Spectrum, it will help, but it's a very expensive service, not for a non-profit organization. There's nothing free on Cloudflare that can block traffic on port 22, so before you suggest anything, read up on it. There is no such thing as Free DDoS protection for git.

On 7.10.2025 18:07, lukaro wrote:
> I guess the Arch Linux team already uses blocking mechanisms like fail2ban. If the DDoS was that easy to block, we probably wouldn't even notice it. It's probably volumetric DDoS that needs to be blocked upstream or something. And I hope the AUR does not need to rely on Clownflare for that, hopefully they find another solution / provider. But I trust they do their best to resolve these issues as fast as possible.
On 10/7/25 7:22 PM, Bartosz Bartczak wrote:
> Could you clarify which version of the attack you're referring to?

I do not refer to a specific attack, I merely say that it is most likely not a simple attack that could be fixed using fail2ban (what you called "brute force") as I totally agree with you that such an attack would have already been blocked. It is probably one of the latter options you described.

> There's nothing free on Cloudflare that can block traffic on port 22, so before you suggest anything, read up on it.

I did not suggest Cloudflare, in fact, I suggested against it.
Greetings,

We can be arguing about how to solve a theoretical attack all day, but there's nothing we can do until we know the specifics. It would be helpful, and practically the only way to continue this discussion in a meaningful way, if an admin shared the specifics of the attacks. Until then, not much can be done.

Best regards,
Borna Punda
On 10/7/25 7:57 PM, Borna Punda wrote:
> if an admin shared the specifics of the attacks

I think sharing details would not be in the interest of security.
Greetings,

I agree; however, my original point still stands. Without that information we can speculate at best. I'm not saying they should disclose it, but simply that we can't do anything without it.

Best regards,
Borna Punda

Oct 7, 2025, 20:14 by hi@josie.lol:
> On 10/7/25 7:57 PM, Borna Punda wrote:
>> if an admin shared the specifics of the attacks
>
> I think sharing details would not be in the interest of security
Hi Guys,

It’s okay, I understand the situation. Let me see what I can do from my end. I’m sure I can do something around this.

But, before I do anything, please let me know the domain and port where this is getting affected. Is it just aur.archlinux.org on port 22? Or is there something else as well?

Thanks
Shresth Paul
On 7 Oct 2025, at 22:58, lukaro <lists@lrose.de> wrote:
> On 10/7/25 7:22 PM, Bartosz Bartczak wrote:
>> Could you clarify which version of the attack you're referring to?
>
> I do not refer to a specific attack, I merely say that it is most likely not a simple attack that could be fixed using fail2ban (what you called "brute force") as I totally agree with you that such an attack would have already been blocked. It is probably one of the latter options you described.
>
>> There's nothing free on Cloudflare that can block traffic on port 22, so before you suggest anything, read up on it.
>
> I did not suggest Cloudflare, in fact, I suggested against it.
On 10/7/25 11:04 PM, shresth paul wrote:
> Hi Guys,
>
> It’s okay, I understand the situation. Let me see what I can do from my end. I’m sure I can do something around this.
>
> But, before I do anything, please let me know the domain and port where this is getting affected. Is it just aur.archlinux.org on port 22? Or is there something else as well?

I wish you luck!

I wanted to provide an updated data point. AUR had been reachable earlier today without much delay. Since the 6.17 hit core, we needed to do some work with the nvidia-390xx-utils patch tonight. Connections to AUR time out or fail, and then sometimes it will connect after 45-60 seconds (just right before whatever timeout the browser uses to report a failed connection).

I had several failures reaching https://aur.archlinux.org/packages/nvidia-390xx-utils and then it took two attempts approximately (first failed with timeout) and then second succeeded after about 45 seconds or so to update https://aur.archlinux.org/packages/nvidia-390xx-utils#comment-1042443

It looks like the DDOS attack is still ongoing to some degree. I guess this is why we just can't have nice things on the Internet anymore.

Good luck to all devops in your mitigation attempts, I know this is frustrating for everyone, so we will just be patient in the meantime. (of course it just had to hit at the kernel minor version update...)

--
David C. Rankin, J.D.,P.E.
Hasn't someone with contacts at Cloudflare reached out around a month and a half ago about offering those for free? Given the usual stance of CF regarding open source and the likes, I don't think it would be a long shot to at least ask for it.

Now, if it's a matter of not wanting to rely on one provider only that's fine, but it would be nice to have some info :)

Kind regards,
fermino

On 10/7/25 2:22 PM, Bartosz Bartczak wrote:
> It depends on the exact attack, as this determines the defense method. Generally speaking, if it was:
>
> - "brute force" on the service, then fail2ban + a harder firewall will be enough to deal with it – a good admin will handle it without any problems.
> - SYN flood attack – Hetzner claims it automatically blocks traffic above 500 kpps. If that's true, great, but if Hetzner doesn't block it, the only solution is to change the hosting.
> - SYN flood attack <500 kpps – a good admin can defend against such an attack.
>
> Could you clarify which version of the attack you're referring to?
>
> Regarding Cloudflare Spectrum, it will help, but it's a very expensive service, not for a non-profit organization. There's nothing free on Cloudflare that can block traffic on port 22, so before you suggest anything, read up on it. There is no such thing as Free DDoS protection for git.
>
> On 7.10.2025 18:07, lukaro wrote:
>> I guess the Arch Linux team already uses blocking mechanisms like fail2ban. If the DDoS was that easy to block, we probably wouldn't even notice it. It's probably volumetric DDoS that needs to be blocked upstream or something. And I hope the AUR does not need to rely on Clownflare for that, hopefully they find another solution / provider. But I trust they do their best to resolve these issues as fast as possible.
shresth paul wrote:
> Hello Team,

Hi!

> I hope you're doing well. So recently we noticed that the ARCH linux is facing a lot of DDOS attacks. What if we were to use Project Galileo to avoid these DDOS? This is completely free of cost by CloudFlare.
>
> Project Galileo | Cloudflare <https://www.cloudflare.com/galileo/>

This would work if it includes Cloudflare spectrum.

(It is now Cloudflare and not CloudFlare and it is DDoS and not DDOS and it is Arch Linux and not ARCH linux)

--
George truly,
𝕍𝕖𝕝𝕠𝕔𝕚𝕗𝕪𝕖𝕣
Improve your wifi reception for free <https://www.youtube.com/watch?v=LY8Wi7XRXCA>
This email does not constitute a legally binding contract
Remember to reply all on mailing lists (this is here so i don't forget to use reply all)(If you are reading this i forgot to remove it)
participants (8)
- Bartosz Bartczak
- Borna Punda
- David C Rankin
- Fermín Olaiz
- Josephine Pfeiffer
- lukaro
- shresth paul
- 𝕍𝕖𝕝𝕠𝕔𝕚𝕗𝕪𝕖𝕣