Comments inline.

On Aug 7, 12:05 pm, Ryan Sarver <rsar...@twitter.com> wrote:
> *Known Issues*
> * - HTTP 300 response codes* - One of the measures in thwarting the
> onslaught requires that all traffic respect HTTP 30x response codes. This
> will help us identify the good traffic from the bad.

Does this affect POST as well as GET?  The issue here is the way
clients handle 30x after POST.  Most clients (now by convention) do
not respect the RFC (http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3)
and will send a GET after POST always.  Some
clients will respect the method, but not re-post any data.  We need to
be sure we are all expecting the right things.

How does this affect OAuth signed requests?  OAuth requires knowing
the HTTP Method as well as the full URI and parameters to generate
signatures a priori.   Most (all?) clients and libraries do not know
how to handle changes in these during a redirect.

> * - General throttling* - Try to throttle your services back as much as
> possible for you to continue operating. We are working on our end to better
> understand the logic used in throttling traffic on the edge of the network
> and will communicate what we can, but the best idea is to just throttle back
> as much as you can in the meantime.

Is there anything else we can do on the protocol level?  Keepalives on/
off? Specific headers?

Thanks for all your hard work. Having spent yesterday battling a rash
of spambots is nothing compared to what you guys are doing.

--Justin
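The two questions above (what a client does with a 30x after a POST, and why an OAuth signature does not survive a redirect) can be made concrete with a short model. The code below is an added example, not code from this thread or from Twitter: it builds the OAuth 1.0 HMAC-SHA1 signature base string as RFC 5849 describes it (uppercase method, base URI, and sorted percent-encoded parameters), then models the three client conventions Justin names (RFC-strict, GET-after-POST, and method-kept-but-body-dropped) to show which request a client actually ends up sending and that it must re-sign for the new method and URI rather than replay the old signature. All keys, secrets, nonce, timestamp, hosts and paths are constructed placeholders.

```python
"""Added example: OAuth 1.0 signatures versus HTTP 30x redirects.
Signature base string and signing follow RFC 5849 sections 3.4.1 and 3.4.2.
Every secret, key, nonce, timestamp and URL here is a constructed demo value."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit

CONSUMER_SECRET = "consumer-secret-demo"   # constructed
TOKEN_SECRET = "token-secret-demo"         # constructed
OAUTH_FIXED = {                            # constructed nonce/timestamp so runs are reproducible
    "oauth_consumer_key": "demo-consumer-key",
    "oauth_token": "demo-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1249650300",
    "oauth_nonce": "demo-nonce-0001",
    "oauth_version": "1.0",
}
DEMO_URL = "https://example.com/api/update"          # constructed original endpoint
DEMO_LOCATION = "https://api.example.com/api/update" # constructed Location: header target
DEMO_BODY = {"status": "hello world"}                # constructed form body


def pct(s):
    # RFC 5849 3.6 percent-encoding: only unreserved characters stay as-is
    return quote(str(s), safe="-._~")


def base_string_uri(url):
    # Scheme and host lowercased, default ports dropped, query and fragment removed
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), (p.hostname or "").lower()
    if p.port and (scheme, p.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{p.port}"
    return urlunsplit((scheme, host, p.path or "/", "", ""))


def signature_base_string(method, url, body, oauth_params):
    # Query string, form body and oauth_* parameters are merged, encoded and sorted
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += list(body.items()) + list(oauth_params.items())
    norm = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(norm)])


def sign(method, url, body, oauth_params=OAUTH_FIXED):
    key = f"{pct(CONSUMER_SECRET)}&{pct(TOKEN_SECRET)}".encode()
    sbs = signature_base_string(method, url, body, oauth_params).encode()
    return base64.b64encode(hmac.new(key, sbs, hashlib.sha1).digest()).decode()


def verify(method, url, body, oauth_params, signature):
    # What the resource server recomputes from the request it actually received
    return hmac.compare_digest(sign(method, url, body, oauth_params), signature)


def redirect_target(status, method, body, location, convention="rfc"):
    """The request a client sends after a 30x, under three client conventions:
    'rfc'            - RFC 2616 10.3: 303 becomes GET; 301/302/307 keep method and body
    'get_after_post' - common behaviour: any 30x after POST becomes a body-less GET
    'method_no_body' - keeps the method but does not re-send the entity body
    """
    if status == 303 or (convention == "get_after_post" and method == "POST"):
        return "GET", {}, location
    if convention == "method_no_body":
        return method, {}, location
    return method, body, location


def follow_and_resign(status, method, url, body, location, convention="rfc"):
    """Return (method, url, body, signature) a correct client should send to the target."""
    new_method, new_body, new_url = redirect_target(status, method, body, location, convention)
    return new_method, new_url, new_body, sign(new_method, new_url, new_body)


if __name__ == "__main__":
    sig = sign("POST", DEMO_URL, DEMO_BODY)
    print("original verifies at origin:", verify("POST", DEMO_URL, DEMO_BODY, OAUTH_FIXED, sig))
    print("original replayed at redirect:", verify("POST", DEMO_LOCATION, DEMO_BODY, OAUTH_FIXED, sig))
    m, u, b, s = follow_and_resign(307, "POST", DEMO_URL, DEMO_BODY, DEMO_LOCATION)
    print("re-signed after 307:", m, u, b, verify(m, u, b, OAUTH_FIXED, s))
    for st, conv in ((302, "rfc"), (302, "get_after_post"), (302, "method_no_body"), (303, "rfc")):
        m, u, b, _ = follow_and_resign(st, "POST", DEMO_URL, DEMO_BODY, DEMO_LOCATION, conv)
        print(f"{st} under {conv}: {m} {u} body={b}")
```

Run it and the replayed signature fails at the redirect target even though nothing but the host changed, because the base URI is part of the signed string; a client that keeps the old signature is rejected, and one that re-signs has to know which method and body the redirect left it with, which is exactly where the three conventions diverge.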
