On October 21, 2016, many Shopify merchant sites went down when there was a massive DDOS attack on the internet.
Needless to say, it was bad.
Not only Shopify but a number of other large websites went down, including Twitter and Spotify.
On Shopify Facebook Groups, messages like these were common:
This isn’t Shopify’s fault, obviously. Their upstream service provider that provides their DNS service went down (due to an illegal attack) and took a lot of sites along with it.
What’s a DNS (Domain Name System)?
When you’re surfing the internet, you type in a recognizable address, like www.mysite.com. Your browser needs to know what site www.mysite.com goes to. Specifically, internet computers have an address that looks something like this: 126.96.36.199.
So essentially, your computer needs to resolve the address www.mysite.com to 188.8.131.52.
It does this by looking up what www.mysite.com references through a DNS Server.
In Shopify’s case, they use a service called Dyn. So whenever your computer access your *.myshopify.com website, your internet service provider or your computer is looking up the myshopify.com address with one of Dyn’s servers.
So How Did It Go Down?
On Friday, someone attacked Dyn by flooding its DNS servers (the servers where normal users like you and me look up the www.mysite.com or myshopify.com domain). This is called a distributed denial of service attack, or DDOS.
The concept is quite simple: The attacker gets a lot of computers (infected with viruses) from all over the world to simultaneously request a DNS lookup, effectively blocking out legitimate lookup requests.
Think of it this way — imagine everyone is trying to get through a door at the same time. Some people may get in, but the large majority won’t. This is what happened to Shopify’s DNS provider yesterday and why you couldn’t access your shop.
Why Our Apps Went Down
You and your customers weren’t the only ones who relied on being to reliably reach Shopify’s servers. Our apps do as well.
Because our apps are tightly integrated with the Shopify system, every time our app needed to contact their servers, it was denied. Our servers simply couldn’t find Shopify out in the vastness of the internet.
Why Shopify Reported The Problem As “Fixed”
DNS look up is a funny business. Commonly, your computer doesn’t actually do the look up every single time it needs to access your *.myshopify.com domain. Instead, your computer, internet service provider (ISP), or your local DNS server may cache the result.
When Dyn (the DNS service provider) was fixing its issues, many of the old records are not updated. It eventually gets updated as the old cache expires, but until then, things will still be broken.
Depending on whether your DNS lookup’s cache is expired, you may or may not be able to access Shopify (or our apps).
Running infrastructure to support businesses is, for the most part, quite reliable. Shopify handles hundreds of thousands of stores and millions (if not billions) of requests per day.
Occasionally, unfortunately, illegal and malicious attacks occur on the internet and it affects us all and our businesses. This latest attack was incredibly sophisticated and larger than ones seen previously by Dyn, Shopify’s upstream provider.