Steve Bennett wrote:
On 8/26/06, Neil Harris neil@tonal.clara.co.uk wrote:
OK, here's one scenario. This feature could be used for denial-of-service attacks against other sites, by using Wikipedia's high-bandwidth server farm as a dowload bandwidth amplifier: an attacker could simply set many downloads going at once to one server, at the cost of trivial bandwidth overhead to set up each connection.
You could pretty much rule that out by limiting downloads to one at a time per login. And you could do that simply by checking the time since the last download started, and making sure it was at least 10 minutes ago or something. Or to be nicer, check when the *second last* download started, in case they made a mistake and want to try again.
Steve _______________________________________________
That check would be easily worked around by, for example, creating many different accounts, and launching an attack from each one. Yes, you can build countermeasures to try and stop that, but there are counter-counter-measures to those, and so on...
-- Neil