On 8/26/06, Neil Harris neil@tonal.clara.co.uk wrote:
OK, here's one scenario. This feature could be used for denial-of-service attacks against other sites, by using Wikipedia's high-bandwidth server farm as a dowload bandwidth amplifier: an attacker could simply set many downloads going at once to one server, at the cost of trivial bandwidth overhead to set up each connection.
You could pretty much rule that out by limiting downloads to one at a time per login. And you could do that simply by checking the time since the last download started, and making sure it was at least 10 minutes ago or something. Or to be nicer, check when the *second last* download started, in case they made a mistake and want to try again.
Steve