On 8/26/06, Neil Harris neil@tonal.clara.co.uk wrote:
OK, here's one scenario. This feature could be used for denial-of-service attacks against other sites, by using Wikipedia's high-bandwidth server farm as a download bandwidth amplifier: an attacker could simply set many downloads going at once to one server, at the cost of trivial bandwidth overhead to set up each connection.
Nothing that can't be done already with, say, ImageShack. We could throttle per IP as well as per user (to a higher rate than one per ten minutes, though), and if someone's going to use lots of anonymous proxies or a botnet, they could just use them to download directly. We could also provide X-Forwarded-For to indicate directly who's causing the trouble, unless we're going to suppress that for privacy reasons (which would be slightly ironic given our situation with ISPs like AOL).
If someone uses Wikipedia for abuse, obviously that person could be dealt with. The abuse isn't disastrous, many existing sites would enable it equally well, and so it shouldn't be held against a potentially quite useful feature in the slightest.
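As an added example (not code from this thread or from MediaWiki), here is the kind of combined throttle the reply suggests: a sliding-window limiter keyed on both user and client IP, with assumed limits of one fetch per ten minutes per user and a higher five per ten minutes per IP, so a shared IP such as a large ISP proxy is not starved by one user's limit.

```python
import time
from collections import deque

# Assumed limits (not from the thread): per-user is the stricter one,
# per-IP is looser because many users can legitimately share one address.
USER_WINDOW_SECONDS = 600
USER_LIMIT = 1
IP_WINDOW_SECONDS = 600
IP_LIMIT = 5


class FetchThrottle:
    """Sliding-window throttle for remote fetches, keyed by user AND IP."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable for testing
        self.by_user = {}           # user -> deque of request timestamps
        self.by_ip = {}             # ip   -> deque of request timestamps

    @staticmethod
    def _has_room(history, window, limit, now):
        # Drop timestamps that fell out of the window, then compare count.
        while history and history[0] <= now - window:
            history.popleft()
        return len(history) < limit

    def allow(self, user, ip):
        """Return True and record the request if both limits permit it."""
        now = self.clock()
        u = self.by_user.setdefault(user, deque())
        i = self.by_ip.setdefault(ip, deque())
        if not (self._has_room(u, USER_WINDOW_SECONDS, USER_LIMIT, now)
                and self._has_room(i, IP_WINDOW_SECONDS, IP_LIMIT, now)):
            return False
        # Only record once both checks pass, so a rejected request
        # does not consume quota in either bucket.
        u.append(now)
        i.append(now)
        return True
```

Rejections should be logged with both keys, since the per-IP bucket is what surfaces a single abuser hiding behind many accounts.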