Well, you know. Twitter has put themselves right in the middle of a national uprising in Iran and so are facilitators or perhaps enablers of conflict. I don't want to get moralistic or anything like that, but it should be expected that if you are helping one side of a conflict that could potentially erupt into a full-on civil war, that you are not immune to attack yourself.
I'm not saying this DOS or DDOS is related to the Iran issue, but I am saying that twitter has become a weapon of sorts, a communication enabler that benefits one side of a conflict more than another, so an attack like this is inevitable, even if this particular one isn't coming from the Iranian incumbents.
The timing is all wrong for that analysis to make sense. It's much more likely to be a script kiddie trying to build "street cred." Or an extortion attempt ("pay us, or we take your site down").
If I were an attacker, though, I'd attack for a bit, then back off, then attack, then back off, and so on. Intermittent disruption is far more annoying for the users than a sustained attack.
I'm curious to know the scale of this attack. It doesn't appear to be an exploit-based DDOS, just a raw flood of traffic. I don't know how built out they are in terms of upfront hardware, but ideally it should be 10G to the load balancers. And protecting that level of traffic isn't exceptionally difficult. Pop in 4 Cisco Anomaly Guard Modules and you've got 10G of DDOS coverage. And given Twitter's visibility and potential for angering folks indirectly, I think investing in that kind of hardware would be very wise.
The worst DDOS attacks aren't going to melt your load balancers; they're just going to saturate your connection.
Cisco's anomaly products are designed for service providers, so that they can build "scrubbing centers" in their POPs. Trying to block DDOS traffic at the target is playing to lose.
I wonder if the source of the attack might be related to the massive DDOS that took out SoftLayer's DNS servers last Tuesday. A massive volume of malformed UDP packets (~500k/second) from a very large number of IPs managed to bring down a distributed anycast-based DNS system for approximately 18 hours.
Seems odd to have two huge scale attacks launched within 10 days if they aren't somehow related (testing or proving out a botnet, etc.).
I'm guessing it was a DDOS due to the amount of time the site was down - if it was coming from a single IP or single IP range they would likely have been able to block it off a lot faster.
The traceroute in the article suggests a DDOS, because the network gets progressively slower through several stages in the route - implying that the attacks are coming from multiple locations.
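The distinction drawn in the two comments above (a flood from one IP range that an edge ACL can stop quickly versus a distributed flood that needs upstream filtering) can be checked from flow records. The script below is an added example, not code from the thread; it uses constructed packet records in place of real NetFlow/pcap data, and the 90% concentration threshold is an assumed tuning knob.

```python
from collections import Counter
from ipaddress import ip_network

# Constructed sample records: (timestamp in seconds, source IP). Not real capture data;
# the two lists mimic the two cases discussed above.
SINGLE_RANGE = [(t * 0.001, f"198.51.100.{1 + t % 4}") for t in range(2000)]
DISTRIBUTED = [(t * 0.001, f"100.{64 + t % 60}.{(7 * t) % 256}.{t % 256}")
               for t in range(2000)]


def aggregate_sources(records, prefix_len=24):
    """Return (packets per source /prefix_len, distinct source IPs, packets per second)."""
    by_prefix = Counter()
    distinct_ips = set()
    for _, src in records:
        by_prefix[str(ip_network(f"{src}/{prefix_len}", strict=False))] += 1
        distinct_ips.add(src)
    timestamps = [t for t, _ in records]
    duration = max(timestamps) - min(timestamps)
    pps = len(records) / duration if duration > 0 else float("inf")
    return by_prefix, len(distinct_ips), pps


def classify_flood(records, prefix_len=24, concentration=0.9):
    """Decide whether a flood is blockable at the edge or needs upstream help.

    concentration is an assumed threshold: if one prefix carries at least this share
    of packets, a null-route or ACL on that prefix is enough; otherwise the traffic is
    distributed and the fix lies with the upstream provider (rate limiting, scrubbing).
    """
    by_prefix, distinct_ips, pps = aggregate_sources(records, prefix_len)
    top_prefix, top_count = by_prefix.most_common(1)[0]
    share = top_count / len(records)
    verdict = "single-range" if share >= concentration else "distributed"
    return {"verdict": verdict, "pps": round(pps), "prefixes": len(by_prefix),
            "sources": distinct_ips, "top_prefix": top_prefix, "top_share": round(share, 3)}


if __name__ == "__main__":
    for name, records in (("single-range sample", SINGLE_RANGE), ("distributed sample", DISTRIBUTED)):
        print(name, classify_flood(records))
```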
That illustration cracked me up. I don't use Twitter but I'm guessing that it's better than what they have on their app's error 500 message. Maybe they should buy it.
Their typical error image is a whale carried by birds. This image is funny because it's a bird carried by whales. The image is a little more lively as well, with gradients and such.