
Analysis: Why Is Twitter So Vulnerable To DDoS Attack?

By Samara Lynn, CRN
August 13, 2009    4:27 PM ET

Twitter continues to suffer aftershocks of the Aug. 6 Distributed Denial-of-Service (DDoS) attack. The site is still experiencing periods of latency and downtime.

Internetpulse.net, a Web site for monitoring performance at service provider interconnects that is run by Keynote Systems, reported as much as 50 percent packet loss Wednesday morning on NTT's interconnect with Level3, and 10 percent packet loss on its interconnect with Cogent. Keynote considers it to be a "warning level" when packet loss reaches 2 percent.

Performance at an interconnect, such as the one between NTT and Level3, can affect millions of people and businesses at any given time.

The problems began occurring at about the same time the social networking site Twitter suffered several brief outages -- just days after the service reported being the victim of DDoS attacks.

It's hard to say definitively whether ongoing attacks against Twitter are contributing to the latency seen on NTT's backbone. It is easy to see, though, that from a security standpoint Twitter is easily compromised. What factors contribute to that?

There are several. The main one, obviously, is that Twitter's network simply does not have the defenses in place to mitigate a massive DDoS attack. Most traditional security products can fend off a conventional (non-distributed) DoS attack, but they often depend on firewall or IPS/IDS technologies that aren't equipped to handle the massive bombardment of packets that occurs in a DDoS attack. Furthermore, these products tend to rely on preset thresholds and on deep packet inspection to determine whether a packet is part of an attack.
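To illustrate why threshold-based rules fall short, here is an added example (not code from CRN, Twitter, NTT or any vendor named in this article) that runs two constructed request logs through two detectors: a classic per-client threshold of the kind a firewall or IPS enforces, and a whole-site rate check against a baseline. A single noisy source trips the per-client rule immediately; a botnet whose members each stay under the per-client limit does not, even though the site as a whole is taking several times its normal load. All IP addresses, rates and thresholds are invented for illustration.

```python
"""Per-source thresholds versus a distributed flood (constructed example)."""
from collections import Counter

# A constructed log line has the form "<second> <client_ip> <request>",
# e.g. "12 192.0.2.7 POST /login". Malformed lines are skipped, not fatal.
def parse_log(lines):
    records = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        records.append((int(parts[0]), parts[1], parts[2]))
    return records

def per_source_threshold(records, max_per_second):
    """The firewall/IPS rule: flag any client exceeding max_per_second
    requests in any one-second bucket. Returns the set of flagged IPs."""
    counts = Counter((sec, ip) for sec, ip, _ in records)
    return {ip for (sec, ip), n in counts.items() if n > max_per_second}

def aggregate_rate(records, baseline_rps, factor):
    """Site-wide check: return the seconds in which the total request rate
    exceeded factor * baseline_rps, regardless of how many sources sent it."""
    per_second = Counter(sec for sec, _, _ in records)
    return sorted(sec for sec, n in per_second.items() if n > baseline_rps * factor)

def make_log(seconds, normal_clients, normal_rps_each, attackers, attacker_rps_each):
    """Build a constructed log: every client posts to /login at a fixed rate."""
    lines = []
    for sec in range(seconds):
        for ip in normal_clients:
            lines.extend(f"{sec} {ip} POST /login" for _ in range(normal_rps_each))
        for ip in attackers:
            lines.extend(f"{sec} {ip} POST /login" for _ in range(attacker_rps_each))
    return lines

# 20 legitimate clients (documentation range 192.0.2.0/24), one request each per second.
NORMAL_CLIENTS = [f"192.0.2.{i}" for i in range(1, 21)]
BASELINE_RPS = len(NORMAL_CLIENTS)      # 20 requests/second is "normal" here
PER_CLIENT_LIMIT = 50                   # assumed firewall rule: >50 req/s per IP
SURGE_FACTOR = 5                        # assumed site-wide alarm: >5x baseline

def single_source_scenario():
    """One client (198.51.100.9) sends 500 req/s for five seconds."""
    recs = parse_log(make_log(5, NORMAL_CLIENTS, 1, ["198.51.100.9"], 500))
    return (per_source_threshold(recs, PER_CLIENT_LIMIT),
            aggregate_rate(recs, BASELINE_RPS, SURGE_FACTOR))

def distributed_scenario():
    """200 bots (203.0.113.0/24) each send only 3 req/s: 600 req/s in total."""
    bots = [f"203.0.113.{i}" for i in range(1, 201)]
    recs = parse_log(make_log(5, NORMAL_CLIENTS, 1, bots, 3))
    return (per_source_threshold(recs, PER_CLIENT_LIMIT),
            aggregate_rate(recs, BASELINE_RPS, SURGE_FACTOR))

if __name__ == "__main__":
    flagged, surge = single_source_scenario()
    print("single source: per-client rule flagged", flagged, "; surge seconds", surge)
    flagged, surge = distributed_scenario()
    print("distributed:   per-client rule flagged", flagged, "; surge seconds", surge)
```

The per-client rule catches the lone flooder but returns an empty set for the botnet, because no individual bot crosses the 50 req/s line; the aggregate check flags every second of both scenarios. That gap is the point the article makes: a detector that classifies sources one at a time needs a site-wide or traffic-shape view to notice a distributed attack, and once the flood is large enough the question also becomes whether the box can process the packets at all.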

One product that the CRN Test Center reviewed recently is a security appliance from RioRey. RioRey's RE510 appliance is built for one sole purpose: to thwart DDoS attacks. The appliance sits inline and uses algorithms to distinguish human-generated traffic from DDoS traffic coming from a botnet. The RioRey system looks at all TCP/IP traffic and is not dependent on thresholds or deep packet inspection to differentiate between "good" and "bad" packets.

So, apparently, Twitter lacks technology that could prevent these types of attacks. What about Twitter's ISP, NTT? Some criticize Twitter for relying on a single ISP and not having a better redundancy plan that would let it shift network traffic to another ISP in times of outage and system failure.

Many are wondering why NTT, as Twitter's ISP, did not aid in identifying and remediating this attack faster. In an interview with The Los Angeles Times, the CIO of NTT defended the company against some of the critics. He pointed out that NTT does have a mechanism in place to defend against DDoS, but that it is a "kicked-on, retroactive system."

In other words, the medicine gets administered after the disease takes hold.

Laura Chappell, founder of the Protocol Analysis Institute, did her own network traffic analysis of Twitter. While she could not treat the ongoing latency problems as proof of an ongoing DDoS attack, she did conclude that the "collective bandwidth requirement and the processing required" for the enormous number of packets that must be serviced for tweets and logins could tax the resources of Twitter's ISP. Each login alone, Chappell explained, takes about 5,000 bytes. You can find out more about her network traffic analysis methodology through her recorded online seminars at chappellseminars.com.

NTT had this statement to make to the CRN Test Center:

"In regards to your inquiry, at this time NTT America has the following response: Twitter's status blog posting at http://status.twitter.com/ is the best source and has the most updated information for the attack on their service. We'd recommend referring to their status blog regarding this specific incident. NTT America works with the customer to mitigate the effects of this type of incident but cannot comment before finalizing such operational initiatives."

The bottom line: a lack of appropriate security defenses and a solid contingency plan on Twitter's network, plus a reactive rather than proactive security mechanism on the part of Twitter's ISP, NTT, on top of the fact that Twitter and NTT are already strained by the sheer bandwidth of daily Twitter users. Together, these make the perfect storm for a fragile platform that is vulnerable to attack and prone to ongoing latency issues.

Ed Moltzen contributed to this article.
