Comments inline.

On Aug 7, 12:05 pm, Ryan Sarver <> wrote:
> *Known Issues*
> * - HTTP 300 response codes* - One of the measures in thwarting the
> onslaught requires that all traffic respect HTTP 30x response codes. This
> will help us identify the good traffic from the bad.

Does this affect POST as well as GET?  The issue here is the way
clients handle 30x after POST.  Most clients (now by convention) do
not respect the RFC (
sec10.html#sec10.3) and will send a GET after POST always.  Some
clients will respect the method, but not re-post any data.  We need to
be sure we are all expecting the right things.

How does this affect OAuth signed requests?  OAuth requires knowing
the HTTP Method as well as the full URI and parameters to generate
signatures a priori.   Most (all?) clients and libraries do not know
how to handle changes in these during a redirect.

> * - General throttling* - Try to throttle your services back as much as
> possible for you to continue operating. We are working on our end to better
> understand the logic used in throttling traffic on the edge of the network
> and will communicate what we can, but the best idea is to just throttle back
> as much as you can in the mean time.

Is there anything else we can do on the protocol level?  Keepalives on/
off? Specific headers?

Thanks for all your hard work. Having spent yesterday battling a rash
of spambots is nothing compared to what you guys are doing.


Reply via email to