Thanks for the update and good luck!
Steve
On Aug 7, 11:20 pm, Chad Etzel c...@twitter.com wrote:
Hello all,
Here is the state of things as we know them:
- The DDoS attack is still ongoing, and the intensity has not
decreased at all. Because of this, interaction with the site and with
On Aug 7, 8:20 pm, Chad Etzel c...@twitter.com wrote:
Here is the state of things as we know them:
- The DDoS attack is still ongoing, and the intensity has not
decreased at all
Has anyone had a close enough look at the botnet infection to deduce
the command channel traffic? For better
Thank you for all your work. I know things are really bad and that
you are all working on it every minute. We will hang in with you!!
On Aug 7, 10:20 pm, Chad Etzel c...@twitter.com wrote:
Hello all,
Here is the state of things as we know them:
- The DDoS attack is still ongoing, and the
Excellent our client now supports the 302's :)
On Aug 8, 7:37 am, Chad Etzel c...@twitter.com wrote:
You may have to follow redirects more than once *wink wink nudge nudge*
with curl you can add --location flag. There's a good bit of info in
the man page as well.
If using curl with PHP,
I still can't get mobile safari to oAuth, some people obviously are as
I can see the number of users occasionally go up in the oAuth clients
page
On Aug 8, 4:08 am, Chris Corriveau chris.corriv...@gmail.com wrote:
Hi Mike what version of FF are you running? I'm able to use 3.5 now,
but
My curl stuff was working fine, but now it appears to have been
limited again. Sorry but this is getting so frustrating. 3 days
later and things still aren't working
On Aug 8, 1:13 am, Chris Corriveau chris.corriv...@gmail.com wrote:
Thank you Chad. Details is really what we want and just
You can use the Sign in with Twitter process without having that setting
checked in the application page. Just wait until the DDOS issues are over to
update it.
Abraham
2009/8/7 adamsinger adamsi...@gmail.com
I'm trying to enable Use Twitter for login, but whenever I check the
box and click
On Fri, 7 Aug 2009 11:05:32 -0700
Ryan Sarver rsar...@twitter.com wrote:
I wanted to send everyone an update to let you know what has been
happening, the known issues, some suggestions on how to resolve them
and some idea of how to move forward.
This was really appreciated. When the dust
I am not yet sure whether this is related, but over the last 24 hours
we have had complaints from customers who cannot themselves update
their profile image after we had unsuccessfully tried to overlay their
image.
The affected accounts are:
legs501
dodgyscouse
ava3leigh
I do not see anything
Thank you sincerely for the update. Good luck, and we're behind you
100%.
Richard
On Aug 8, 4:20 am, Chad Etzel c...@twitter.com wrote:
Hello all,
Here is the state of things as we know them:
- The DDoS attack is still ongoing, and the intensity has not
decreased at all. Because of this,
I haven't been able to login for the past few days either.
Luckily using Firefox I was still logged in through a session so this
is fine and apps like TweetDeck for iPhone seem to work (HTTP Auth API
must have no problems logging in)
I can not login through the twitter frontpage or through
Oh, nice. I was unable to get into my client over the last few days, but
followed the suggestion of clearing your cookies in Safari and it works fine
now. Thanks
On Sat, Aug 8, 2009 at 2:15 AM, Rich rhyl...@gmail.com wrote:
I still can't get mobile safari to oAuth, some people obviously are
I've noticed a similar issue. I was able to login to my OAuth-enabled
app easily with Safari but had to manually clear my cookies in FireFox
before it worked.
-mike
On Aug 8, 8:25 am, Derek Gathright drg...@gmail.com wrote:
Oh, nice. I was unable to get into my client over the last few days,
My app is still experiencing OAuth issues.
I've cleared all cookies, and am on FF 3.5.2
Also, my app is no longer able to send out tweets.
How can we fix this?
Since just setting CURLOPT_FOLLOWLOCATION on POSTs doesn't work
because cURL follows with a GET, I thought I'd share the PHP code that
I built yesterday to manually follow 30x's on POSTS (and it does
follows on GETs as well).
function APICall($api_url, $require_credentials = false, $http_post =
Nearly all clients are on the Streaming API successfully. There is one
notable exception: clients that perform a large HTTP POST operation
with the follow= or track= parameter. At some threshold size, requests
are not making it into the Hosebird process. We're working on fixing
this remaining
Yikes, there's a small bug.
Replace:
$remote_server = 'http://twitter.com/';
$call_url = $remote_server . $api_url;
with
$remote_server = 'http://twitter.com';
$call_url = $remote_server .'/'. $api_url;
there's no actual difference there.
On Sat, Aug 8, 2009 at 08:43, Dewald Pretorius dpr...@gmail.com wrote:
Yikes, there's a small bug.
Replace:
$remote_server = 'http://twitter.com/';
$call_url = $remote_server . $api_url;
with
$remote_server = 'http://twitter.com';
$call_url =
It makes a difference in $call_url = $remote_server.$call_url; further
down if a partial redirect URL is returned that starts with '/'.
On Aug 8, 11:55 am, JDG ghil...@gmail.com wrote:
there's no actual difference there.
On Sat, Aug 8, 2009 at 08:43, Dewald Pretorius dpr...@gmail.com wrote:
I don't know if it's related but I've created a new twitter account
last night (personal usage),
and I can't change my image (via the website).
I had first an image (500x500px, 600KB) - it took about 1 hour to
load ('connecting...' ) and I aborted it.
I've rescaled it to 300x300px and some
Thank you for letting us know more about the problem.
I will translate your message in French and add it to my blog because
many users are wondering what's going on.
Cheers
On Aug 8, 07:42, James Salsman jsals...@gmail.com wrote:
On Aug 7, 8:20 pm, Chad Etzel c...@twitter.com wrote:
Here is
Chris ,
We implemented something like this network status using the
rate_limit_status call (for the IP), while some of the numbers are
sometimes wonky with this api right now we poll this every 5 minutes
and set a flag to enable or disable all twitter requests from the
server
Hi all, I would really appreciate some help. I have an online store
and have created a widget there. After installing my sales plummeted
out! I realized that in IE7 6 (60% of my customers) they get a
security warning. After removing the widget my sales got back up.
I love the widget. I
Chad,
I'm here to join the chorus of support for continuing to keep us
informed and wish you well in the battle to restore service.
My services are down with 408s, and I'd love to have them back, but as
long as I know the why's and what's, that's a huge help.
Thanks and good luck. Well
Requests from our IP are getting time out. Even a telnet to twitter
port 80 gets time out, although http request to other sites work
perfectly.
Anyone else with that problem?
Now I tested again, works well via docomo.
On Aug 8, 1:53 am, kabayan tkab...@gmail.com wrote:
Failed IP 206.225.19.45
Japan
Docomo
On Aug 8, 1:15 am, Jonathan Joyce jonathan.jo...@gmail.com wrote:
We have seen the rates for our app go from 20,000 to 150 and back to 20,000
over a short
I don't think that the widgets support SSL. You might have to set up a
simple SSL proxy on your own server that makes the unsecured request to
Twitter.
Abraham
2009/8/8 MFJ mariekejonk...@hotmail.com
Hi all, I would really appreciate some help. I have an online store
and have created a
Our app has been down for almost 2 days now...every call we make to
the Twitter API returns a 408 Request Timeout.
When can we expect this to be working normal again???
We've got a similar oAuth issue. My application can get as far as the
login screen, but consistently.. and I mean 100% of the time fails on
the Allow button. It doesn't even get as far as the redirect screen
(so it's not a problem with us handling the redirect).
If they want us to use oAuth
tick tock tick tock tick tock tick tock tick tock tick tock
tick tock tick tock tick tock tick tock tick tock tick tock
I'm sure it's being worked on.
--
personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
-- Anything that can be put into a
I'm seeing similar behavior on Twibes.com, where 100s if not 1000s of
my users cannot log in.
I can rarely get to the login page, what is concerning, is that I curl
the URL, the page is returned immediately. Safari and Firefox spin for
30-60s before rendering the page (if ever).
On Aug 8,
An attacker can just as easily follow a 302 as can a legitimate API
developer or user of Twitter. I don't understand why Twitter thinks
this is a solution to the problem. Please stop 302ing.
Thanks,
--
Kyle Mulka
http://twilk.com
Suddenly everything started to work again... wonder what happened...
On Aug 8, 2:13 pm, pmduque pmdu...@gmail.com wrote:
Requests from our IP are getting time out. Even a telnet to twitter
port 80 gets time out, although http request to other sites work
perfectly.
Anyone else with that
the documentation says that The REST API does account- and IP-based
rate limiting.
so twitter how to recognize which request is account-based and which
is IP based?
if I build a website like itweet.net, everyone login to use it, and
then get someone's friends list,
call
Sometimes the rate_limit_status call is not returning a 302 to
redirect, or the rate_limit_status xml, but HTML with a meta refresh
in it (which curl doesn't understand to follow redirect/retry).
It's not a huge problem for us, but it can affect some throttling code
people may or may not be
Great job :) Hopefully you can create a security environment to
preclude future attacks.
On Aug 7, 11:05 am, Ryan Sarver rsar...@twitter.com wrote:
I wanted to send everyone an update to let you know what has been happening,
the known issues, some suggestions on how to resolve them and some
I'm pulling my hair out. 1000s of Twibes users can't log in. Twibes
uses oAuth from App Engine. Calls to http://twitter.com/oauth/request_token
have been consistently timing out for 3 days now.
Is there any work around or way to get approved access?
On Aug 8, 11:51 am, AccountingSoftwareGuy
I'm trying to sort out a workaround, but for whatever reason I can't
get the string:
I'm testing right now
to actually work. The posted tweet is:
I\'m testing right now.
What gives? I'm posting values and using a server proxy via PHP to
make the REST calls to the API, yet no dice on the
If it is really important to you, how long does it take you to exclude
known white-listed IP addresses from the defenses, if you put your
mind and resources to it?
On Aug 8, 6:42 pm, Cameron Kaiser spec...@floodgap.com wrote:
tick tock tick tock tick tock tick tock tick tock tick tock
I'm
On Sat, Aug 8, 2009 at 5:39 PM, Dewald Pretorius dpr...@gmail.com wrote:
tick tock tick tock tick tock tick tock tick tock tick tock
To quote my last email:
***
We will also be monitoring the situation and giving out new
information as we have it. Please remain patient with us. As much
Ask me Are we there yet? one more time and I'll turn this car around and
you won't go to Disneyland at all!
;-)
Nick
On Sat, Aug 8, 2009 at 2:39 PM, Dewald Pretorius dpr...@gmail.com wrote:
tick tock tick tock tick tock tick tock tick tock tick tock
Chad,
Thank you for your reply.
However, I would hope that Twitter engineers are all in force at the
office on a day like this to solve this issue and get our applications
back up and running, regardless of whether it is Saturday, Sunday, or
Christmas Day.
Having the Twitter website
Hi,
OK, I'm not sure if twitter is the right platform for my needs, and
after many hours searching around, still can't find if it will meet my
needs.
So, basically, I need users of my app, to be able to both post and see
'tweets' posted by others. Similar to a forum shoutbox.
Is this possible?
Oauth has been on and off throughout this DoS attack. Sometimes it works
sometimes not.
Only work around right now is to fall back to basic auth. It might not be a
bad idea
having basic auth in place of emergency of OAuth going offline. Sure the
user will need to supply
username/pass, but at least
However, I would hope that Twitter engineers are all in force at the
office on a day like this to solve this issue and get our applications
back up and running, regardless of whether it is Saturday, Sunday, or
Christmas Day.
Make sure they work all night too.
--
When my app is down, that is exactly what I do to get it up and
running again.
On Aug 8, 7:40 pm, Cameron Kaiser spec...@floodgap.com wrote:
However, I would hope that Twitter engineers are all in force at the
office on a day like this to solve this issue and get our applications
back up
They can, but apparently they don't, otherwise Twitter wouldn't have
used it as a tactic. They're going through a very difficult time, we
need to be patient and supportive of them!
Dave
http://twitter.com/DavidHaber
On Aug 8, 8:53 am, Kyle Mulka repalvigla...@yahoo.com wrote:
An attacker can
they're still seeing the DDoS attack. it's been well documented.
On Sat, Aug 8, 2009 at 10:23, pmduque pmdu...@gmail.com wrote:
Suddenly everything started to work again... wonder what happened...
On Aug 8, 2:13 pm, pmduque pmdu...@gmail.com wrote:
Requests from our IP are getting time out.
On 8/8/09 6:23 PM, Chad Etzel wrote:
I'm not supposed to be working today, but in the interest of developer
relations, I have been responding to occasional dev-list emails while
I was out today.
That's funny - as unpaid consumers of Twitter, we work 24/7 and do it
with zest.
Become an
If Twitter.com itself were down, you know that they would stay there
until it was back up.
But since it is just a large number of third party apps that are
down... well, hey, it's a weekend in August!
Grrr.
On Aug 8, 4:55 pm, Dossy Shiobara do...@panoptic.com wrote:
Seriously, anyone who has
I should have taken my own advice when I ranted about Basic Auth being
far more reliable than OAuth.
On Aug 8, 3:37 pm, Josh Roesslein jroessl...@gmail.com wrote:
Oauth has been on and off throughout this DoS attack. Sometimes it works
sometimes not.
Only work around right now is to fall
On 8/8/09 8:03 PM, chinaski007 wrote:
If Twitter.com itself were down, you know that they would stay there
until it was back up.
But since it is just a large number of third party apps that are
down... well, hey, it's a weekend in August!
Uh, my ability to access Twitter.com has been
I support them wholeheartedly and appreciate everything they've done to
thwart the DDOS attack.
While it is true that many of the tools used in the attack do not appear to
follow the 302s right now, you can bet your bottom dollar that they will very
quickly be updated to do just that, perhaps even
Twitter needs to realize that our apps are NOT still down because of
the ongoing denial-of-service attack. That's a cop-out to blame the
attack.
Our apps are still down because they cannot allow known, white-listed
IP addresses through the defenses.
And that is why I am getting frustrated,
To confirm, I am also seeing this behaviour. Some output I've received
on numerous occasions this evening:
-bash-3.2# curl --interface eth0
http://twitter.com/account/rate_limit_status.xml
!DOCTYPE html PUBLIC -//W3C//DTD HTML 4.01//EN http://www.w3.org/
TR/1999/REC-html401-19991224/strict.dtd
Now getting a ton of these errors... empty body, and nothing
meaningful in headers.
What are they??
If I do a search request, and I include the following:
ors=%23wine+%23winery
I Only get results for #wine
Wouldn't this request be the same as doing a search with any of the
words: #wine or #winery? or is the search API intercepting every hash
tag, and if I have more than one hash tag, it
On Sat, Aug 8, 2009 at 5:40 PM, Dewald Pretorius dpr...@gmail.com wrote:
Twitter needs to realize that our apps are NOT still down because of
the ongoing denial-of-service attack. That's a cop-out to blame the
attack.
Our apps are still down because they cannot allow known, white-listed
IP
Nick,
Yes, they have very competent people. My criticism is not leveled
against the API team. They are not the ones responsible for the edge
defenses.
But this thing has happened every single time so far. Twitter comes
under attack, and the response is to simply swing the machine gun in a
360
We have asked Ops about what these responses mean. Waiting on a
definitive answer from them.
-Chad
On Sat, Aug 8, 2009 at 9:10 PM, chinaski007 chinaski...@gmail.com wrote:
Now getting a ton of these errors... empty body, and nothing
meaningful in headers.
What are they??
Are the redirects only occurring with oauth? I've yet to run into them, but
I'm not really using oauth much so that might be why.
On Sat, Aug 8, 2009 at 7:09 PM, Howard Siegel hsie...@gmail.com wrote:
I support them wholeheartedly and appreciate everything they've done to
thwart the DDOS
Well I must be lucky then. :)
I'll probably add redirect support into my library anyway. Shouldn't be too
hard to implement.
On Sat, Aug 8, 2009 at 9:25 PM, Chad Etzel jazzyc...@gmail.com wrote:
No, they are not limited to only oauth related calls.
-Chad
On Sat, Aug 8, 2009 at 10:22 PM,
My web app now thinks it's a desktop app and gives me a numeric code.
I've tried switching the setting from one to the other, and then back
again to see if that would help.
No luck, I'm still given a code rather than being re-directed back to
our web app.
Anyone else with this issue?
I just can't believe this is for real...
On Aug 8, 2009, at 5:07 PM, Dossy Shiobara wrote:
On 8/8/09 8:03 PM, chinaski007 wrote:
If Twitter.com itself were down, you know that they would stay there
until it was back up.
But since it is just a large number of third party apps that are
In a simplified sense, the redirect nullifies a pernicious class of
attack where the source IP address is forged. A redirect cannot be
followed with a false source address. The attacks that remain are
those where the source IP address is valid. You can then imagine other
techniques that than can
Can anyone guess how long it will take for this problem to be fixed..
Apps totally dependent on the api are suffering very badly... lot of
revenue loss also...
On Aug 8, 6:37 pm, Neeraj Mathur nee...@gmail.com wrote:
I just can't believe this is for real...
On Aug 8, 2009, at 5:07 PM, Dossy
I agree. I also think it is very important to recognize Twitter made a
strong move with such an open API. As a result, it is just as
important to recognize, Twitter very well may not be where it is today
were it not for third party apps.
I may go as far as to say the API should be a higher
Can someone point me to the details on the attack? I am a little out
of the loop. I've heard Twitter only uses around 200Mbit/s of data.
From a net ops perspective, why is this challenging to detect and
block?
I'm not trying to degrade the efforts of the engineers, this is a
genuine
If spoofing of white-listed IP addresses is a concern to Twitter (and
it probably is), I have a proxy infrastructure in place with already
white-listed IP addresses that can make API calls from IP addresses
that are not the same as my website IP address.
It will take one hell of a lucky guess by
Perhaps someone should set up a wiki page for this with basic info we can
all collaborate on so we can know how to adapt to the new changes in our own
language. I'm sure that's something we can all work together on. Does
Twitter want to take the initiative to at least just start this so we can
I am now getting OK: 200 errors after requesting, e.g., friends
ids. The response returned is the 200 error, and a prematurely ending
json of id numbers. wtf?
On Aug 8, 7:17 pm, Chad Etzel c...@twitter.com wrote:
We have asked Ops about what these responses mean. Waiting on a
definitive
(Okay, in those I am seeing a header with read timeout... the empty
ones are still coming fast and furious.)
On Aug 8, 8:59 pm, chinaski007 chinaski...@gmail.com wrote:
I am now getting OK: 200 errors after requesting, e.g., friends
ids. The response returned is the 200 error, and a
I know Twitter has bigger priorities, so if you can put this on your to
think about list for after the DDoS problems are taken care of, I'd
appreciate it. Perhaps this question is for John since it has to do with
real-time. Anyway, is there any plan to support the PubSubHubbub protocol
with
A secret key will help at application level. But the first defense in
DOS is at network gear level where you cannot check secret keys
against db tables.
On Aug 9, 12:01 am, Scott Haneda talkli...@newgeo.com wrote:
Can someone point me to the details on the attack? I am a little out
of the
I've also had this problem since Friday, but I also added a Twibbon
late Thursday or early Friday.
I can't change any settings, upload a new photo, nor can I post a
twitter directly on twitter.com (I can post through my Twhirl
app...odd)
On Aug 8, 2:33 am, Jonathan Joyce (Storm ID)
third-party app we created*
On Sat, Aug 8, 2009 at 9:40 PM, Adam Cloud cloudy...@gmail.com wrote:
Some of us program because we love to do it, not because of the revenue we
could make off the third-party app we use.
Man up and just tell your users to be patient, it's not like they're going
A forged source IP address is a good reason for doing 302s. Thanks for
the explanation. Now... if only OAuth worked...
--
Kyle Mulka
http://twilk.com
On Aug 8, 10:45 pm, John Kalucki jkalu...@gmail.com wrote:
In a simplified sense, the redirect nullifies a pernicious class of
attack where the
Some of us program because we love to do it, not because of the revenue we
could make off the third-party app we use.
Man up and just tell your users to be patient, it's not like they're going
to stop using your app because of some well publicized downtime, and if they
are, then it wasn't that
My app works well locally(use OAuth), but does not work in AppEngine,
seem they are still restrict large request from same IP.
Yes, Twitter missed a chance to propagate OAuth, but they didn't ruin
it :)
On Aug 9, 8:07 am, chinaski007 chinaski...@gmail.com wrote:
I should have taken my own
As other media have noted, when Twitter goes down, people swap to
FriendFeed, Facebook, etc.
The same thing happens when Twitter apps go down. The problem with
this outage is that it largely affects third-party Web-based apps.
And so when our apps go down, for whatever reason, people swap to