Twitter is Down. What's a "Distributed Denial of Service Attack"?

You may have heard that Twitter, the popular social message-sharing service, was down for several hours this morning as it fell victim to a DDoS attack, or Distributed Denial of Service attack. Let's dig into what that means, from a technical perspective.

Denial of Service: It's Like Dialing the Same Phone Number Over and Over

Let's start with the basics. The simple concept behind a "Denial of Service" attack (note we're not talking distributed yet) is to overuse the service in question (for example, Twitter) to the point where it becomes unavailable to others. Think of this metaphor: if I call your home telephone over and over again, and you lack call waiting, other callers can't get through. As long as I keep calling, I'm denying service to others, thus implementing a "Denial of Service" (or DoS) attack. Now, in practice this is close to impossible with an internet service like Twitter, because, not to stretch the metaphor too far, they have a lot of phone lines. There's no way one computer could use the Twitter service so heavily that it would affect other users.

There's also the little matter that a single-source Denial of Service attack (one phone line, in our analogy) is pretty easy to defend against: you just block the offending computer (or caller). But things are about to get more complicated.

Let's Get Distributed

So if a standard Denial of Service attack isn't going to shut down the site, let's imagine what would happen if millions of computers began to pound on Twitter.

If a very large number of computers started hitting the service repeatedly, it could get to the point where the service became unavailable to others. When you distribute the attack among a number of attacking computers, that's called a Distributed Denial of Service Attack. That's what's happening right now. Most distributed attacks happen from computers on different networks all around the world, which makes it harder to isolate and block them. They also may look, to the server, much like normal traffic -- so it's hard to know what to block and what to let through.

But Wait...Don't Millions of People Use Twitter Every Day Anyway?

Well, yes. Twitter is designed for millions of people to constantly hit its servers, posting updates, reading others' updates, and so on. So how can it collapse under the strain of a DDoS? Well, the short answer is that a DDoS provides way more traffic than Twitter usually receives, and it's likely to be targeted on the most resource-intensive operations on the site (for example, the computers performing the attack may be constantly trying to create new accounts, reset passwords, download long lists of tweets, post new tweets over and over, or other operations that require the server to do a bit of real work).
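To make the difference concrete, here is an added example (not from the original post) that runs two detection rules over constructed web-server log lines: a per-source count, which catches a single machine hammering the site and tells you exactly which address to block, and an aggregate per-endpoint count against a baseline, which is what you need when thousands of sources each send only a handful of requests to an expensive operation. The log format, addresses, baselines and thresholds are all made up for the example.

```python
from collections import Counter

# Constructed baseline: expected requests per endpoint in a one-minute window
# (assumed numbers, not real Twitter figures).
BASELINE_PER_MIN = {"/password/reset": 3, "/account/create": 5, "/timeline": 500}


def make_log(n_sources, requests_each, path):
    """Build constructed log lines ("ip method path"), all within one minute."""
    lines = []
    for s in range(n_sources):
        ip = f"10.{(s + 1) >> 16 & 255}.{(s + 1) >> 8 & 255}.{(s + 1) & 255}"
        lines.extend(f"{ip} GET {path}" for _ in range(requests_each))
    return lines


def parse(lines):
    for line in lines:
        ip, _method, path = line.split()
        yield ip, path


def per_source_offenders(lines, limit):
    """Single-source DoS rule: any IP sending more than `limit` requests in the
    window stands out and can simply be blocked ('block the offending caller')."""
    counts = Counter(ip for ip, _ in parse(lines))
    return {ip for ip, n in counts.items() if n > limit}


def endpoint_spikes(lines, baseline, factor):
    """Distributed rule: compare total requests per endpoint with its baseline.
    No single IP is abnormal, but the expensive endpoint is far above normal."""
    counts = Counter(path for _, path in parse(lines))
    return {p: n for p, n in counts.items() if n > factor * baseline.get(p, 1)}


# One machine flooding the password-reset endpoint: the per-source rule finds it.
single = make_log(1, 5000, "/password/reset")
# 2000 machines, 3 requests each, mixed with ordinary timeline reads: every IP
# looks like a normal user, so only the per-endpoint rule fires.
distributed = make_log(400, 1, "/timeline") + make_log(2000, 3, "/password/reset")

if __name__ == "__main__":
    print("single-source offenders:", per_source_offenders(single, 50))
    print("distributed offenders:", per_source_offenders(distributed, 50))
    print("endpoint spikes:", endpoint_spikes(distributed, BASELINE_PER_MIN, 5))
```

Blocking by source address works for the first log and does nothing for the second, which is why defenders fall back to rate limits and extra checks on the expensive operations themselves rather than on who is calling.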

A DDoS attack requires a lot of computers to be effective. Generally these days attackers use "botnets," or virtual armies of computers controlled by a virus, that are then centrally commanded to do something nasty -- like all hit Twitter at once. The owners of the computers generally don't even know that their computers are part of the botnet, since the virus operates invisibly in the background. The biggest botnets may well contain millions of computers, although it's hard to measure these things because the computers' owners don't know they're infected.

It's impossible to tell at this early stage who is behind the DDoS -- whether it's a prankster, an organized crime ring (these things do happen -- malicious groups have been known to threaten to DDoS a major site and hold off only when paid protection money), or even a politically-motivated group. (Can you think of an international political cause that has been linked to Twitter lately? Exactly.)

What Does Twitter Say About the Attack?

Twitter's status page contains this information (as of 10am Pacific, Thursday, August 6, 2009):

Ongoing denial-of-service attack

We are defending against a denial-of-service attack, and will update status again shortly.

Update: the site is back up, but we are continuing to defend against and recover from this attack.

Update (9:46a): As we recover, users will experience some longer load times and slowness. This includes timeouts to API clients. We're working to get back to 100% as quickly as we can.

As I type this, Twitter appears to be bouncing between "totally normal" and "bizarrely broken." Let's hope they're back and tweeting as soon as possible! For more on DDoS attacks, check out Wikipedia's Denial-of-service attack page or Understanding and surviving DDoS attacks.

You can also follow me on Twitter for more technical information, jokes, and Portland updates. Assuming Twitter is up.