Steve Bennett wrote:
On 8/26/06, Neil Harris <neil(a)tonal.clara.co.uk>
wrote:
OK, here's one scenario. This feature could
be used for
denial-of-service attacks against other sites, by using Wikipedia's
high-bandwidth server farm as a dowload bandwidth amplifier: an attacker
could simply set many downloads going at once to one server, at the cost
of trivial bandwidth overhead to set up each connection.
You could pretty much rule that out by limiting downloads to one at a
time per login. And you could do that simply by checking the time
since the last download started, and making sure it was at least 10
minutes ago or something. Or to be nicer, check when the *second last*
download started, in case they made a mistake and want to try again.
Steve
_______________________________________________
That check would be easily worked around by, for example, creating many
different accounts, and launching an attack from each one. Yes, you can
build countermeasures to try and stop that, but there are
counter-counter-measures to those, and so on...
-- Neil