Where Did All the Tweets Go?

At roughly 9:00am (EDT) this morning, the Twitisphere fell silent (or at least significantly fewer twitters).

And though you could not follow the outage via tweets, Twitter’s blog announced the popular site was under DDoS.

The below graph shows Observatory data from 55 providers around the world to Twitter’s two NTT hosted addresses blocks:,

From the data, Twitter traffic declined abruptly around 9am EDT this morning.

We generally don’t see a lot of data (i.e. it takes thousands of tweets to match the bandwidth of a single video), but 55 ISPs in the Internet Observatory were exchanging roughly 200 Mbps with Twitter before the DDoS. Then traffic dropped to a low of 60 Mbps around 10:40am and began climbing after that. As of 1pm EDT, Twitter traffic was still down by 50% at 150 Mbps (normally we see close to 300 Mbps for this time of day).

From DNS, it looks like Twitter has moved some of their infrastructure to different address blocks as of 2pm EDT.

19 Responses to “Where Did All the Tweets Go?”

August 06, 2009 at 6:26 pm, Fenixnordic Group » Blog Archive » Twitter, Facebook Attacks No Surprise to Security Experts said:

[…] largest monitoring service, saw traffic to Twitter drop abruptly at 9 a.m. Eastern and saw Twitter move portions of its services to different neighborhoods on the network around 2 […]

August 06, 2009 at 3:39 pm, Twitter Overwhelmed by Web Attack - Bits Blog - NYTimes.com said:

[…] | 12:39 p.m. A chart by Arbor Networks showing traffic to Twtter Thursday […]

August 06, 2009 at 3:44 pm, Additional DDoS info: « Ppl H8 Me On the Internet said:

[…] Here’s an interesting article from Arbor Networks about the Twitter DDoS: Where Did All the Tweets Go? by Craig Labovitz […]

August 06, 2009 at 4:42 pm, Apparent DDOS attacks on twitter, facebook and livejournal said:

[…] 16:45: Here’s a graph from Arbor Networks showing a dramatic drop in traffic this […]

August 06, 2009 at 9:51 pm, Twitter Restores Service And Tries to Regroup After Attack Last Night | YUdez said:

[…] | 3:38 p.m. A chart by Arbor Networks showing traffic to Twitter Thursday […]

August 06, 2009 at 6:39 pm, Captain Democracy said:

Go to http://www.CaptainDemocracy.wordpress.com and read about where the attack came from, “Tehran Iran.
“Captain Democracy” North Beach, San Francisco Ca.

August 06, 2009 at 9:07 pm, Operation “Silence Cyxymu” Crushes Twitter, Facebook, LiveJournal said:

[…] was only mildly affected. Here is a snapshot of the dropoff in traffic to Twitter according to Arbor Networks: The below graph shows Observatory data from 55 providers around the world to Twitter’s two NTT […]

August 07, 2009 at 4:54 am, Jeff said:


Can you clarify why traffic would go down under DDoS? Is this graph measuring only legitimate traffic, measuring a host name that wasn’t under attack, or does it imply that the attacks originated from networks not included in the Observatory?

August 07, 2009 at 10:45 am, Silence Cyxymu - Bits & Pieces said:

[…] is behind this attack, they had significant bandwidth available. Our best guess is that these attacks were done by nationalistic Russian hackers who […]

August 07, 2009 at 9:08 am, Craig Labovitz said:

The short answer is I don’t know the full details of this particular attack so I can only speculate.

But in general, attackers (or at least attack tools) have grown smarter over time.
Instead of “brute force” flooding attacks (i.e. overwhelming a router interface with sheer volume of traffic), many attacks today are smaller and much more targeted.

Examples of low bandwidth DDoS include the decade old TCP Syn attack (usually high pps but comparatively low bps) and more recently, application / service focused attacks. This latter category includes attackers using Bots to bring down a service by exercising expensive SQL queries, Web 2.0 API calls, SIP initiations, attacking DNS etc.

August 07, 2009 at 9:50 am, Gurdip said:

Thanks for the explanation Craig. Any traffic details on other affected services such as Facebook (who apparently were also attacked)?

August 07, 2009 at 10:35 am, Faisal Khan said:


Any idea on the type of an attack? Or what was the size of the incoming attack? 200-300Mbps would have been very easy for the (alleged) Russian bot-net operators to bring down no? Was this a bandwidth saturation attack or an attack that overwhelmed the servers/routers?

Faisal Khan.

August 07, 2009 at 1:42 pm, Craig Labovitz said:

At this point, I believe several of the site owners and their upstream ISPs have a better picture of what happened during the attacks yesterday. But it is up to the site owners to release any of these details.

August 07, 2009 at 11:44 am, domoaringatoo said:

Speculation on F-Secure


was that this DDoS orginated from Russian nationalists in order to silence a Georgian blogger. Anyone with additional information that can shore up or refute this theory?

August 07, 2009 at 1:36 pm, Kristofferst said:

I assume this is enough data to rule out Bill Woodcock’s explanation in The New York Times:
“Rather, he said, at about 10:30 a.m. E.S.T., millions of people worldwide received spam e-mail messages containing links to Twitter and other sites. When recipients clicked on the links, those sites were overwhelmed with requests to access their servers. “It’s a vast increase in traffic that creates the denial of service,” he said. ”

August 07, 2009 at 6:19 pm, Lots of Women on Facebook, Few Kids on Twitter, no Marines Anywhere | eGov Digest said:

[…] Chart from Arbor Networks […]

August 16, 2009 at 7:20 am, Twitter, Facebook Fend Off Dos Attacks - Lets Be Secure | Lets Be Secure said:

[…] service Twitter fell precipitously, reaching a bandwidth of 60 Mbps by 10:40 a.m. ET, according to Arbor Networks, a networking services firm. Twitter had reached nearly 200 Mbps prior to the […]

August 20, 2009 at 7:31 pm, Jeremie said:

Hello Craig,

Thank you for your very interesting post (and the added information provided in your comment replies)…

I’m curious as to the source of the data used to plot the graph. Is the Observatory a publically available source? And if so, how can I access it?

Best regards…

August 20, 2009 at 9:04 pm, Jeremie said:

Do you happen to have a graph of the number of flows for the same time period and IP blocks?

Comments are closed.