On 8/26/06, Neil Harris <neil(a)tonal.clara.co.uk> wrote:
> OK, here's one scenario. This feature could be used for
> denial-of-service attacks against other sites, by using Wikipedia's
> high-bandwidth server farm as a download bandwidth amplifier: an attacker
> could simply set many downloads going at once to one server, at the cost
> of trivial bandwidth overhead to set up each connection.

Nothing that can't be done already with, say, ImageShack. We could
throttle per IP as well as per user (to a higher rate than one per ten
minutes, though), and if someone's going to use lots of anonymous
proxies or a botnet, they could just use them to download directly.

We could also provide X-Forwarded-For to indicate directly who's
causing the trouble, unless we're going to suppress that for privacy
reasons (which would be slightly ironic given our situation with ISPs
like AOL).

If someone uses Wikipedia for abuse, obviously that person could be
dealt with. The abuse isn't disastrous, many existing sites would
enable it equally well, and so it shouldn't be held against a
potentially quite useful feature in the slightest.