On 8/26/06, Neil Harris <neil(a)tonal.clara.co.uk> wrote:
OK, here's one scenario. This feature could be used for
denial-of-service attacks against other sites, by using Wikipedia's
high-bandwidth server farm as a download bandwidth amplifier: an attacker
could simply set many downloads going at once to one server, at the cost
of trivial bandwidth overhead to set up each connection.
You could pretty much rule that out by limiting downloads to one at a
time per login. And you could do that simply by checking the time
since the last download started, and making sure it was at least 10
minutes ago or something. Or to be nicer, check when the *second last*
download started, in case they made a mistake and want to try again.
Steve
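Steve's proposed check, written out as an added example that is not code from the thread or from MediaWiki (Python rather than the wiki's PHP; the class and method names, the 10-minute window and the choice not to record refused attempts are assumptions):

```python
from collections import deque
from typing import Deque, Dict

WINDOW_SECONDS = 10 * 60  # "at least 10 minutes ago or something"
STARTS_PER_WINDOW = 2     # check the *second last* start, as Steve suggests


class DownloadStartLimiter:
    """Per-login limiter for a bandwidth-heavy download feature.

    A login may start a new download only if its N-th most recent start
    (N = starts_per_window) is at least `window_seconds` old.  With N = 1
    this is "one download per login per window"; with N = 2 a user who made
    a mistake can retry once, but a third start inside the window is refused.
    Keyed per login, as proposed in the thread, so the limit is only as
    strong as the site's controls on creating logins.
    """

    def __init__(self, window_seconds: float = WINDOW_SECONDS,
                 starts_per_window: int = STARTS_PER_WINDOW) -> None:
        self.window = window_seconds
        self.limit = starts_per_window
        # Only the last `limit` start times per login are kept (deque maxlen).
        self._starts: Dict[str, Deque[float]] = {}

    def try_start(self, login: str, now: float) -> bool:
        """Return True and record the start if `login` may begin a download at
        time `now` (seconds); return False without recording it otherwise."""
        starts = self._starts.setdefault(login, deque(maxlen=self.limit))
        # starts[0] is the oldest retained start, i.e. the N-th most recent one.
        if len(starts) == self.limit and now - starts[0] < self.window:
            return False
        starts.append(now)
        return True


if __name__ == "__main__":
    # Constructed timeline for one login: start, retry, then a third attempt.
    limiter = DownloadStartLimiter()
    for t in (0, 30, 60, 600):
        print(f"t={t:>4}s alice -> {'allowed' if limiter.try_start('alice', t) else 'refused'}")
```

Refused attempts do not consume a slot, so a client that keeps retrying is not locked out any longer than the window itself.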