Twitter Hit by Another Denial-of-Service Attack

For the second time in two weeks, Twitter on Tuesday became the victim of a denial-of-service (DoS) attack that briefly interrupted service.

Users first noticed brief connections problems early in the day, with glitches especially impacting those using third-party applications like TweetDeck.

Shortly before noon Pacific time, Twitter updated its status page informing subscribers that the company was “responding to a site outage and will update as we learn more.”

An update after noon said the site was back up and that the company was analyzing traffic to determine the culprit. Alex Payne, Twitter’s platform lead, confirmed on the company’s API forum that a DoS attack had been responsible for the outage.

Twitter did not respond to requests for comment by press time.

It’s unclear whether today’s downtime was related to Thursday’s massive DoS attack that knocked Twitter offline for hours and caused sluggishness or downtime at other sites, including Facebook and LiveJournal.

Facebook has said that a single blogger had been the intended target of that attack, with sites on which he had a profile ending up in the blast radius.

The Aug. 6 attack knocked Twitter offline for three hours and 17 minutes, according to its uptime report. By contrast, today only took the service down for 32 minutes.

Hardening against attacks

In a denial of service attack, a site is overwhelmed with requests — far more than its servers can handle. It’s the 21st-century equivalent of crank calling someone to keep their phone line busy. It’s also very hard to defend against such an attack because the incoming requests look like normal Web application requests.

“It’s real hard to mitigate,” said Dave Marcus, director of security research and communications at security firm McAfee. “Certainly there are things you can do, like load balancing — that helps well against a DoS attack. It’s certainly one of the more difficult things to protect against.”

It’s almost impossible for one person to effectively issue a denial of service online. It requires a botnet — a network of computers that have been compromised with a bot program surreptitiously hidden on their computers — to issue such an attack.

The news also marks the latest bout of downtime to hit Twitter. Since its inception, the microblogging service has struggled with persistent problems in staying up and running. It hasn’t helped that the site’s massive popularity has also made it a frequent target for attackers.

“At the end of the day, it comes down to availability and how many users you got,” Marcus added. “Look at how many people have jumped on the use of Twitter. They are certainly one of the most-trafficked apps on the Internet. You wonder if they’ve become a victim of their own success.”

As a result, services like Twitter need to be architected for high availability, with lots of redundancy and firewall security measures to stop denial-of-service attacks. They also need large caching networks like Akamai that can handle traffic.

Twitter uses NTT America as its Web host, although many other details about its infrastructure remain closely guarded secrets. While it appears to be an easy target, Marcus said that there aren’t a lot of attacks done for laughs.

“Considering Twitter has had a history of availability issues and they’ve been DoSed a few times, I don’t want to say it’s easier than most, but it doesn’t seem as complicated to make them hiccup,” he said. “It calls into question how they are architected.”

At the same time, Marcus said he’s amazed at how netizens seem to freak out when Twitter and Facebook go down for a short period.

“It’s a fascinating psychological drama unfolding. Twitter or Facebook go down and people lose their minds,” Marcus said. “If availability goes away, I’ll go find something else to do, like read a book or something.”