by jupake 3569 days ago
I'd be interested to know which data centres are being attacked. And why just the api and manager?
3 comments

> And why just the api and manager?

Likely because it's more effective, if you really want to kill the site.

Let's say that you find a "/manage/viewall" page which takes some processing to load (more so than the other pages), is never cached, and can't be protected by Cloudflare/captcha/other because it must stay open for CLI tools.

First, it's easy to overload the site by throwing a couple of expensive requests at a few vulnerable services, rather than having a botnet flood 100 Gb/s of traffic at random customer instances (note: the two strategies are not mutually exclusive).

Second, by attacking these services, they impact Linode itself and all customers using it. Someone is really trying to hurt Linode by doing that.

The lesson here: There seem to be some naughty attackers who are putting a lot of effort into taking Linode down recently... and they seem to be succeeding to some extent. That really is a bad position for Linode :(

I don't know where, but as to the why: control planes usually have fairly low traffic (creating an instance isn't that frequent per customer), so they'd be easier to swamp if you can get them to consider your traffic. Proper load shedding and rate limiting is kind of hard (you have to decide what you want to happen to well-intentioned folks), but anyway that's probably why.
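The two points above (expensive uncached endpoints being the cheapest thing to overload, and the difficulty of rate limiting without hurting well-intentioned users) can be shown together in one sketch. This is an added example, not code from the thread or from Linode: it combines a per-client token bucket with a cost-aware load shedder that, under pressure, refuses only the expensive endpoints and keeps cheap calls alive. The endpoint paths, per-endpoint costs, client keys and budget numbers are all constructed for the illustration.

```python
"""Per-client token-bucket rate limiting plus cost-aware load shedding
for a hypothetical API control plane. Example code, not from the thread."""
from dataclasses import dataclass, field
from typing import Dict

# Constructed per-endpoint costs: an expensive, uncached handler such as the
# "/manage/viewall" page discussed above costs far more than a cheap list call.
ENDPOINT_COST = {
    "/manage/viewall": 20,
    "/api/instances/create": 5,
    "/api/instances/list": 1,
}


@dataclass
class TokenBucket:
    """Classic token bucket: refills `rate` tokens per second up to `capacity`."""
    rate: float
    capacity: float
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = self.capacity
        self.last = 0.0

    def take(self, cost: float, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False

    def refund(self, cost: float) -> None:
        self.tokens = min(self.capacity, self.tokens + cost)


@dataclass
class ControlPlaneGate:
    """Admission control: per-client bucket first, then global cost budget."""
    per_client_rate: float = 2.0        # tokens/second per client key
    per_client_capacity: float = 30.0   # burst allowance per client key
    global_budget: float = 100.0        # in-flight cost at which shedding starts
    shed_threshold_cost: int = 5        # over budget, refuse endpoints costing more
    buckets: Dict[str, TokenBucket] = field(default_factory=dict)
    in_flight_cost: float = 0.0

    def admit(self, client: str, path: str, now: float) -> str:
        cost = ENDPOINT_COST.get(path, 1)
        bucket = self.buckets.setdefault(
            client, TokenBucket(self.per_client_rate, self.per_client_capacity))
        # Per-client limit: one key cannot drain the whole service on its own.
        if not bucket.take(cost, now):
            return "429 rate-limited"
        # Global load shedding: when saturated, drop only the expensive calls so
        # a customer doing cheap list/status requests is not collateral damage.
        if (self.in_flight_cost + cost > self.global_budget
                and cost > self.shed_threshold_cost):
            bucket.refund(cost)  # the client was within its own limit
            return "503 shed"
        self.in_flight_cost += cost
        return "200 admitted"

    def finish(self, path: str) -> None:
        """Call when a handler completes, releasing its share of the budget."""
        self.in_flight_cost = max(0.0, self.in_flight_cost - ENDPOINT_COST.get(path, 1))


def simulate() -> Dict[str, Dict[str, int]]:
    """Six constructed bot keys each fire one expensive request at t=0 while a
    legitimate customer makes cheap list calls; returns a tally per group."""
    gate = ControlPlaneGate()
    tally: Dict[str, Dict[str, int]] = {"bots": {}, "customer": {}}
    for i in range(6):
        result = gate.admit(f"bot{i}", "/manage/viewall", 0.0)
        tally["bots"][result] = tally["bots"].get(result, 0) + 1
    for t in range(3):
        result = gate.admit("customer", "/api/instances/list", float(t))
        tally["customer"][result] = tally["customer"].get(result, 0) + 1
    return tally


if __name__ == "__main__":
    print(simulate())
```

The ordering matters: the per-client check runs first so a single abusive key is answered with 429 before it touches the shared budget, and the shed decision is keyed on endpoint cost rather than on who is calling, which is exactly the trade-off the comment describes (the sixth expensive request is refused while the customer's cheap calls all pass).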

Maybe this attack is part of a plan to get access to the control panel of customers. That would be a way to gain access to some relatively high-profile sites.

More likely just DoSing as a way to prevent people already hacked from bringing hosts down.

> And why just the api and manager?

They are ancient ColdFusion implementations that have a dire security track record, so I would assume that they are the weakest link in the chain. Linode said they were rewriting them a while back, but I don't know what came of that because nothing seems to have changed in years.