As you already know, steemit.com was under a DDoS attack yesterday. Now the dust is gently settling over the events, but it has been a convoluted day. I ended up using busy.org to post, or even my own "shell", or code written for another project.
What caught my attention this morning, though, was a sentence from the @steemitblog DDoS announcement. Here it is:
The site has been getting requests on the order of a hundred thousand per second from someone using a botnet spanning throughout dozens of countries.
Hmmmm... Let's try some math here.
Steemit Traffic Capacity
Right now, steemit.com has a daily volume of about 35,000 people. At this volume, I expect the traffic to be around hundreds per second, or probably thousands, during peak time. Assets are probably loaded from other sites, so what the Node.js app serves (I know from GitHub that steemit.com is a React + Node.js package) is just the content shell.
I don't know the setup, but for the good of the Steemit devs, I hope they're using some sort of load balancer. They have Node packages for that, or they may be using nginx (the latter approach is even better, as it allows serving static files - and one of these static files could have been a "we're down and we're working on it" kind of announcement).
Under these circumstances, my humble opinion (I've only been doing web development for about 20 years) is that traffic of hundreds of thousands of requests shouldn't be a problem. I know, there are requests and requests, and the attacker most likely played with the keep_alive and other parameters of the request, intentionally piling up processes. But even in this case, the problem can be mitigated very quickly by adding more machines on the fly (I remember an announcement saying they're using Amazon hosting specifically for scaling).
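An added example, not from the original post and not Steemit's actual setup: an nginx front end of the kind described above, balancing across two assumed Node.js workers, serving a static "we're down" page when they fail, and capping keep-alive time and per-IP request rates. Ports, paths, zone names and limit values are assumptions.

```nginx
# Constructed example; ports, paths and limits are assumptions, not Steemit's setup.
events {}

http {
    # Per-client-IP state for request-rate and connection limits.
    limit_req_zone  $binary_remote_addr zone=req_per_ip:10m rate=20r/s;
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

    # Two hypothetical Node.js workers behind the balancer.
    upstream node_app {
        least_conn;
        server 127.0.0.1:3000 max_fails=3 fail_timeout=10s;
        server 127.0.0.1:3001 max_fails=3 fail_timeout=10s;
        keepalive 32;   # reuse upstream connections instead of opening new ones
    }

    server {
        listen 80;

        # Keep idle and slow clients from holding connections open.
        keepalive_timeout     15s;
        keepalive_requests    100;
        client_header_timeout 10s;
        client_body_timeout   10s;
        send_timeout          10s;

        # Reject excess traffic with 429 so it does not trigger the 503 page below.
        limit_req  zone=req_per_ip burst=40 nodelay;
        limit_conn conn_per_ip 20;
        limit_req_status  429;
        limit_conn_status 429;

        # If the workers are down or overloaded, serve the static notice.
        error_page 502 503 504 /maintenance.html;
        location = /maintenance.html {
            root /var/www/static;
            internal;
        }

        location / {
            proxy_pass http://node_app;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_connect_timeout 2s;
            proxy_read_timeout    10s;
        }
    }
}
```

Per-IP limits only blunt a botnet spread across many addresses, so a front end like this complements added capacity and upstream filtering rather than replacing them.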
Smart Media Tokens Impact
Now imagine that SMT really takes off. I don't imagine thousands of tokens and communities. But even with just a few dozen active communities, the traffic will increase logarithmically. It will most likely go close to "hundreds of thousands of requests, spanning from dozens of countries". That's usually a success metric, you know: how many people are using your product. It is a good thing to have. And it's a must-have skill to be able to handle that amount of traffic.
I know for sure that these growth pains are unavoidable. I remember very clearly the Twitter whale in the early days and how frustrating that was. But in the end, they made it work. The technology is mind-boggling, but they made it.
I think for Steemit the challenge is even bigger, because there are also the content nodes, those powered by the blockchain and managed by witnesses. During the attack, some of the nodes were down too (that's why steem.supply stopped working). They might have shut them down on purpose, as part of their attack mitigation procedure, or - that's my hunch - they were simply flooded.
One More SMT Caveat
So, trying to end this on a positive note: if you plan to launch your own SMT, please take into account the fact that you should have your own infrastructure and you will need serious system administration skills on your team.
I'm a serial entrepreneur, blogger and ultrarunner. You can find me mainly on my blog at Dragos Roua where I write about productivity, business, relationships and running. Here on Steemit you may stay updated by following me @dragosroua.
