We have a pattern abuser showing up on English Wikipedia, creating page after page full of 1-pixel versions of random images from throughout the site. This appears to be a slow ramp-up to a larger denial of service attack on the image servers for en.wp.
The pattern is easy to spot, once they do it, but "easy" in this case is normal reaction time of admins / alert users, most of whom haven't seen the pattern up close to know what's going on.
Is there anything that can or should be done ahead of time, at the site operations level or developer level, to try and keep the presumed end-case massive DOS attack on the systems from succeeding?
They're telegraphing their actions out pretty obviously, practicing for what I strongly suspect is coming. But I don't know that we can, with in-wiki tools, find them / block them out effectively enough...
George Herbert wrote:
> We have a pattern abuser showing up on English Wikipedia, creating page after page full of 1-pixel versions of random images from throughout the site. This appears to be a slow ramp-up to a larger denial of service attack on the image servers for en.wp.
> The pattern is easy to spot, once they do it, but "easy" in this case is normal reaction time of admins / alert users, most of whom haven't seen the pattern up close to know what's going on.
> Is there anything that can or should be done ahead of time, at the site operations level or developer level, to try and keep the presumed end-case massive DOS attack on the systems from succeeding?
> They're telegraphing their actions out pretty obviously, practicing for what I strongly suspect is coming. But I don't know that we can, with in-wiki tools, find them / block them out effectively enough...
It could be added to $wgSpamRegex to prevent saving pages with more than 5 or ten 1px images, but then it'd go with 2 or 3 px. I recommend adding it instead to the antivandalism bots, so it'll take more time to realise how he's being caught so fast.
I wouldn't care so much about DoS. The resizing is not different than if he didn't use 1px images and they're small to download. The problem of being so much and querying many images isn't really bad either. Browsers don't fetch too many images at once (2-4) and we have all kinds of caching layers.
But hey! Maybe I'm too optimistic and should start worrying about every little hax0r ;-)
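The kind of check suggested above for an anti-vandalism bot, as an added example that is not part of the original thread: it counts image embeds whose requested size is at or below a small pixel threshold rather than exactly 1px, so the 2 or 3 px variant is still flagged. The function names, the thresholds and the sample wikitext are assumptions constructed for illustration.

```python
import re

# Matches [[Image:...]] / [[File:...]] embeds. [[:Image:...]] (leading colon) is a
# plain link, and embeds whose caption contains nested [[links]] are skipped.
EMBED_RE = re.compile(r"\[\[\s*(?:Image|File)\s*:([^\[\]]*)\]\]", re.IGNORECASE)
# MediaWiki size options: "Npx" (width), "xNpx" (height), "NxMpx" (both).
SIZE_RE = re.compile(r"^(\d+)?(?:x(\d+))?px$", re.IGNORECASE)

def requested_size(options):
    """Smallest requested dimension in px, or None if no size option is present."""
    dims = []
    for opt in options:
        m = SIZE_RE.match(opt.strip())
        if m:
            dims += [int(g) for g in m.groups() if g]
    return min(dims) if dims else None

def tiny_image_embeds(wikitext, max_px=5):
    """List (file name, size) for every embed requested at max_px or smaller."""
    hits = []
    for m in EMBED_RE.finditer(wikitext):
        name, *options = m.group(1).split("|")
        size = requested_size(options)
        if size is not None and size <= max_px:
            hits.append((name.strip(), size))
    return hits

def looks_like_tiny_image_flood(wikitext, max_px=5, max_count=5):
    """Flag a revision with more than max_count tiny embeds (thresholds are assumed)."""
    hits = tiny_image_embeds(wikitext, max_px)
    return len(hits) > max_count, hits

# Constructed sample revisions, not taken from the deleted pages.
SAMPLE_FLOOD = "\n".join(
    f"[[Image:Constructed_example_{i}.jpg|{size}]]"
    for i, size in enumerate(["1px", "1px", "2px", "x3px", "1x1px", "1px", "3px"])
)
SAMPLE_NORMAL = (
    "Intro text [[Image:Constructed_map.png|thumb|200px|A map]] and "
    "[[File:Constructed_icon.svg|16px]], see [[:Image:Constructed_map.png|the file]]."
)

if __name__ == "__main__":
    print(looks_like_tiny_image_flood(SAMPLE_FLOOD))
    print(looks_like_tiny_image_flood(SAMPLE_NORMAL))
```

Running this in a bot that reviews recent changes, rather than as a save-time filter, keeps the thresholds out of public view, which is the point made in the message above.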
On Jan 31, 2008 6:39 PM, George Herbert george.herbert@gmail.com wrote:
[snip]
> Is there anything that can or should be done ahead of time, at the site operations level or developer level, to try and keep the presumed end-case massive DOS attack on the systems from succeeding?
[snip]
DOS attempts against the site are frequent but because the normal traffic load is so high they are almost always insignificant. When they are detected at all it is usually by complete accident, and not because they had any real effect.
Not that someone couldn't do it... just that the fact that someone is trying is uninteresting. The really serious DOS attacks tend to show up in places where there is a profit motive, ... which there wouldn't be against Wikimedia. Generally we're better off denying the attention of making noise about their feeble attempts. ;)
On the other hand, killing more obviously rubbish edits serves purposes beyond DOS avoidance.
On 01/02/2008, Gregory Maxwell gmaxwell@gmail.com wrote:
> On Jan 31, 2008 6:39 PM, George Herbert george.herbert@gmail.com wrote:
> > Is there anything that can or should be done ahead of time, at the site operations level or developer level, to try and keep the presumed end-case massive DOS attack on the systems from succeeding?
> DOS attempts against the site are frequent but because the normal traffic load is so high they are almost always insignificant. When they are detected at all it is usually by complete accident, and not because they had any real effect. Not that someone couldn't do it... just that the fact that someone is trying is uninteresting. The really serious DOS attacks tend to show up in places where there is a profit motive, ... which there wouldn't be against Wikimedia. Generally we're better off denying the attention of making noise about their feeble attempts. ;)
It would be a useful thing to have handy, because there are a lot of Mediawiki users who haven't got a network like the Foundation's to protect them.
- d.
George Herbert wrote:
> We have a pattern abuser showing up on English Wikipedia, creating page after page full of 1-pixel versions of random images from throughout the site. This appears to be a slow ramp-up to a larger denial of service attack on the image servers for en.wp.
> The pattern is easy to spot, once they do it, but "easy" in this case is normal reaction time of admins / alert users, most of whom haven't seen the pattern up close to know what's going on.
> Is there anything that can or should be done ahead of time, at the site operations level or developer level, to try and keep the presumed end-case massive DOS attack on the systems from succeeding?
> They're telegraphing their actions out pretty obviously, practicing for what I strongly suspect is coming. But I don't know that we can, with in-wiki tools, find them / block them out effectively enough...
Can you post some snippets? I'd like to see how easy the patterns would be to detect using regexes; if so I can just add these to my anti-vandal bot on frwiki... Thanks, Kimon/Gribeco
Look through: http://en.wikipedia.org/wiki/Special:DeletedContributions/Ffddd
-george
On Jan 31, 2008 6:12 PM, Kimon Berlin (gribeco) gribeco@deepskymarines.org wrote:
> George Herbert wrote:
> > We have a pattern abuser showing up on English Wikipedia, creating page after page full of 1-pixel versions of random images from throughout the site. This appears to be a slow ramp-up to a larger denial of service attack on the image servers for en.wp.
> > The pattern is easy to spot, once they do it, but "easy" in this case is normal reaction time of admins / alert users, most of whom haven't seen the pattern up close to know what's going on.
> > Is there anything that can or should be done ahead of time, at the site operations level or developer level, to try and keep the presumed end-case massive DOS attack on the systems from succeeding?
> > They're telegraphing their actions out pretty obviously, practicing for what I strongly suspect is coming. But I don't know that we can, with in-wiki tools, find them / block them out effectively enough...
> Can you post some snippets? I'd like to see how easy the patterns would be to detect using regexes; if so I can just add these to my anti-vandal bot on frwiki... Thanks, Kimon/Gribeco
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/wikitech-l
George Herbert wrote:
> We have a pattern abuser showing up on English Wikipedia, creating page after page full of 1-pixel versions of random images from throughout the site. This appears to be a slow ramp-up to a larger denial of service attack on the image servers for en.wp.
> The pattern is easy to spot, once they do it, but "easy" in this case is normal reaction time of admins / alert users, most of whom haven't seen the pattern up close to know what's going on.
> Is there anything that can or should be done ahead of time, at the site operations level or developer level, to try and keep the presumed end-case massive DOS attack on the systems from succeeding?
> They're telegraphing their actions out pretty obviously, practicing for what I strongly suspect is coming. But I don't know that we can, with in-wiki tools, find them / block them out effectively enough...
Thanks for the report, we'll keep an eye on it. I don't think there's any urgent need for action, and I don't think there's a need to advertise his actions and thus give him more satisfaction than he deserves.
-- Tim Starling