Many Twitter applications have suffered lengthy periods of downtime recently, a situation that has some developers concerned about the company's platform stability.
These developers, who have invested effort and money in building revenue-generating Twitter applications, are hoping Twitter figures out a way to increase the application platform's uptime.
“I am pretty disenchanted with Twitter at the moment,” said Paul Kinlan, creator of Twollo.com, an application that automatically adds contacts to Twitter users' “following” list whenever other users post messages containing certain keywords.
As a result of the extensive downtime, Kinlan had to issue refunds to unhappy clients who pay him a fee to use the more advanced version of Twollo.com, which also has a free edition.
“There was a lot of talk about Twitter being a free service and that we shouldn't complain about it being down, but Twitter actively wants people to build businesses off of Twitter's infrastructure,” Kinlan said in an e-mail interview. “We are the interface to our clients, not Twitter, and we have to actively manage our customers' expectations of Twitter. We lose business when Twitter is down.”
The problems started on Aug. 6, when Twitter and other sites like LiveJournal, Google's Blogger and Facebook were hit by a distributed denial-of-service (DDoS) attack from a botnet. Twitter was the most affected and collapsed for hours. In order to restore its service, it implemented defensive measures that included limiting external applications' access to its platform. Twitter at the time acknowledged it may have “overcompensated” in its defensive efforts.
As a result, some Twitter applications were totally or partially unavailable for several days, as Twitter limited access to its platform API (application programming interface) while weathering the DDoS attacks, which were apparently intended to silence the political commentary from a blogger in the country of Georgia.
Then this past Saturday, Twitter again went down briefly, and a similar scenario ensued, as the company's recovery measures once again affected access to the API and other resources like user authorization processes that external applications need in order to function. It took Twitter until Monday evening to get the application platform working normally again.
Twitter didn't respond to requests for comment, so it's not known what caused the outage on Saturday. It wouldn't be far-fetched to assume it was another DDoS attack, considering that the recovery strategy was similar to the previous one. Also, security companies have reported that malicious hackers have started using Twitter to manage botnets, or networks of compromised computers.
Although Twitter hasn't publicly provided many technical details about the steps it has taken to prevent lengthy platform downtime in the future, suggestions are in no short supply from developers who don't want to see the platform totally or partially unavailable for days every time the site gets hit by a DDoS attack.
“My guess is that they need better application-level filtering capability to maintain quality-of-service, to be able to essentially 'detour' traffic that would result in an impairment to the service,” said Dossy Shiobara, creator of two applications: Twitter Karma, designed to help people better manage their lists of contacts, and Blackbird, a Twitter application for BlackBerry phones.
“Often, the incomplete understanding about DDoS attacks is that it's merely a volume of traffic issue that causes the disruption. While this may be true in some cases, it's not always a matter of volume alone. There may be inefficiencies in a service that an attacker can leverage to cripple a service with reasonably little overall traffic. Purely speculating here, I'm betting that's what happened to Twitter,” he said in an e-mail interview.
Bill Kocik, creator of Ambeur.com, a Web-based Twitter user interface that provides advanced management features, suggests separating the API from the rest of the Twitter application at the network and server levels. “Currently, API calls are directed to Twitter.com, which is also where general browser traffic goes. Had the API been instead served from, for example, api.twitter.com, and were that a separate set of servers, Twitter would likely have been in a much better position to protect the platform from the attack on the service,” Kocik said via e-mail.
A similar suggestion comes from Jim Renkel, creator of Twxlate.com, which provides a Twitter user interface in more than 40 languages, as well as content translation. “Twitter seems to be hosted on one concentrated server farm. If their servers were more distributed, I think they would be less vulnerable to DDoS attacks. That said, it ain’t easy to just go out and distribute an application, so I am not faulting them here,” he said in an e-mail interview.
Beyond what Twitter does or doesn't do on its back-end systems, developers can help their cause by reaching out to the company in times of crisis, said Sean Callahan, cofounder of TweetPhoto.com, a photo-sharing platform.
After the Aug. 6 DDoS attacks, Callahan promptly contacted the Twitter application platform team and got TweetPhoto.com “white-listed” by them, so that it was back up that Friday, instead of Sunday afternoon like most other affected applications, he said.
“The developer needs to be proactive and not so passive, saying, 'It'll be fixed when it's fixed,' and in the interim they're complaining in the discussion forums,” Callahan said in a phone interview.
TweetPhoto.com also was impacted this past weekend, but Callahan feels that Twitter is making progress in learning how to restore its service without as much impact to the application platform.