No, your toaster didn’t kill Twitter, an engineer did

Credit: REUTERS/Dado Ruvic/Illustration

Early Monday morning, for about thirty minutes, Twitter went dark. Almost immediately, once service was returned, people started speculating about a massive attack.

It’s understandable, because to most the outage felt similar to the DDoS attack in October. However, Monday’s outage wasn’t anything malicious; by all accounts it was a technical error caused by misconfigured BGP routes.

If you’re not familiar, BGP – or Border Gateway Protocol – helps direct web traffic. This is an over-simplified explanation, but BGP is why the internet is global and not local. Thing is, BGP isn’t regulated, so there is no single authority responsible for its management and maintenance. BGP is built on trust, so when mistakes happen, parts of the internet can go dark.

Last summer, The Washington Post published a solid article on BGP and how it came into existence; it’s worth reading if you’re not familiar. A well-known example of BGP errors causing parts of the web to drop comes from 2008, when Pakistan attempted to block YouTube.

Pakistan Telecom made mistakes when they configured BGP on their routers, which resulted in traffic to YouTube worldwide being sent to their servers, causing a blackout for about two hours. Incidents like this are called BGP Hijacking, and most examples are honest mistakes. However, there have been a few examples of intentional BGP Hijacking, including incidents that were directly tied to a crime.

The big difference between October’s DDoS attack and Monday’s outage centers on how Twitter was being accessed. Both outages had the same effect (no one could access Twitter), but the root cause is different.

During October’s outage, the route between a user’s computer and Twitter.com was flooded with so much traffic that DNS servers (the systems that coordinate how your computer reaches a given website) couldn’t handle it all.

DNS is a critical part of how the internet works.
During October’s attack, these servers collapsed under the massive volume of traffic that was being directed towards them, ultimately preventing users from accessing their Twitter feeds.

As it turns out, the flood of traffic hitting these DNS servers was generated by a botnet using compromised IP cameras and other consumer devices you may have installed in your household, otherwise known as the Internet-of-Things (IoT).

Early Monday morning, an engineer somewhere likely re-configured a router and accidentally removed the path to Twitter.com (AS13414) entirely. For some people in Japan, parts of Europe, and the United States, it was as if the social media service never existed. You can watch the routes change and disappear in this snapshot on BGPStream. A more visual example of the outage is available on TurboBytes. This is a test during the outage, and this is a test long after service had returned.

In a status update, Twitter says engineers are investigating the outage, but Salted Hash has reached out to the company for more information.

On Monday, shortly before the Twitter outage, WikiLeaks reported that they were being hit with a DDoS attack, suggesting the incident was related to their latest release of Democratic emails. This report is why many immediately speculated the outage was due to DDoS, which, given the incident in October, is understandable.

A group that calls themselves New World Hackers claimed credit for Monday’s outage, and said they’d show proof to any reporter who requested it. The group claims that the outage was DDoS related. So far, after two requests by this reporter, they’ve failed to deliver.

A tip of the hat goes to Attrition for helping with some details, and reminding Salted Hash about the Pakistan incident.
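
The two BGP failure modes described above look different in a route feed. This added example (not from the article or from any monitoring product) replays a constructed feed of updates and separates every route to an origin AS being withdrawn, as with AS13414 on Monday, from another AS originating the same address space, as in the Pakistan Telecom incident. The prefixes and every ASN other than AS13414 are documentation values, and the single vantage point and the `monitor` function are assumptions of the example.

```python
import ipaddress

# Constructed updates as seen from one vantage point (not real routing data).
# Prefixes are documentation ranges; AS64496-AS64500 are documentation ASNs.
# Only AS13414 comes from the article. Tuple: (seconds, kind, prefix, AS path).
UPDATES = [
    (0,    "A", "198.51.100.0/24",  [64496, 64497, 13414]),
    (0,    "A", "203.0.113.0/24",   [64496, 13414]),
    (60,   "W", "198.51.100.0/24",  None),
    (65,   "W", "203.0.113.0/24",   None),
    (1800, "A", "198.51.100.0/24",  [64496, 64497, 13414]),
    (1805, "A", "203.0.113.0/24",   [64496, 13414]),
    (3000, "A", "203.0.113.128/25", [64496, 64500]),
]

def monitor(updates, watched_asn):
    """Replay updates in order and return alerts about routes to watched_asn."""
    expected = set()  # networks this ASN has been seen originating
    active = set()    # networks currently routed to this ASN
    alerts = []
    for ts, kind, prefix, path in updates:
        net = ipaddress.ip_network(prefix)
        if kind == "A" and path[-1] == watched_asn:
            if expected and not active:
                alerts.append((ts, "RESTORED", prefix, watched_asn))
            expected.add(net)
            active.add(net)
        elif kind == "A" and any(net.overlaps(e) for e in expected):
            # Another AS originates address space attributed to the watched
            # ASN (same prefix or a more specific one): the hijack pattern,
            # whether mistaken or deliberate. An exact match replaces the route.
            active.discard(net)
            alerts.append((ts, "ORIGIN_CHANGE", prefix, path[-1]))
        elif kind == "W" and net in active:
            active.remove(net)
            if not active:
                # Every known route is gone: an outage, not a hijack.
                alerts.append((ts, "UNREACHABLE", prefix, watched_asn))
    return alerts

if __name__ == "__main__":
    for alert in monitor(UPDATES, 13414):
        print(alert)
```

A DNS flood like October's produces neither alert, because the routes stay in place while the name servers fail, which is why route monitoring and DNS monitoring are separate checks.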