The other reply seems more informed, but I’ll share another technical practice that would lead to increased load and thus risk of DDoS in general (I hadn’t heard of this change and issue of Twitter before reading about it here):
Delivering webpages without a logged-in user means you can cache (remember) commonly returned data and pages. You can repeatedly deliver the same thing.
For logged-in users, this is not the general case. A logged-in user has follows, blocks, and adjusted content selection. So rather than deliver a “standard view” a “user view” has to be generated.
The other reply seems more informed, but I’ll share another technical practice that would lead to increased load and thus risk of DDoS in general (I hadn’t heard of this change and issue of Twitter before reading about it here):
Delivering webpages without a logged-in user means you can cache (remember) commonly returned data and pages. You can repeatedly deliver the same thing.
For logged-in users, this is not the general case. A logged-in user has follows, blocks, and adjusted content selection. So rather than deliver a “standard view” a “user view” has to be generated.