A denial-of-service attack on Wikipedia-Watch
December 14, 2005
The Perpetrator
Matthew Howard
Delaware, Ohio
Born: 1979-02-25
Quotation from the web:
"I also work as a state Rep for a National Union."
On December 11 and 12, Mr. Howard registered the domain brandt-watch.org and put up a wiki. In the left frame there is a link to www.geocities.com/visualrage/ with the anchor text of "Brandt image gallery."
CAUTION ! Do not go to this Geocities site directly, or click on that link, unless you first disable JavaScript in your browser. It is a denial-of-service program that launches immediately. If you don't disable JavaScript first, wikipedia-watch.org will detect you within seconds and you will be blocked from access to wikipedia-watch.org. Once the program is taken down, we may remove the blocks. Or perhaps we will just leave them up for a year or so and see if we can trace the IP addresses. We haven't decided yet.
With JavaScript off, you can still examine the source code at www.geocities.com/visualrage/ for handy legal proof that this is a denial-of-service attack directed against wikipedia-watch.org.
The provider for brandt-watch.org, as well as Geocities (owned by Yahoo), have both been asked to terminate the respective accounts. This is not quite in the same league as Section 230 of the Communications Decency Act that gives tort immunity to the service provider. Denial-of-service attacks are covered by criminal statutes, and we expect them to respond.
UPDATE 2005-12-15: Mr. Howard has taken both sites down. We have deleted some personal information about him on this page, and have excluded all bots from indexing this page. His "Brandt image gallery" page was a JavaScript program that in its default setting grabbed about eight images per second from Wikipedia-Watch. It also stuffed our log with long "query-string" lines after the image filenames. The script looped indefinitely until you exited the browser. Whoever ran this script could adjust the rate of access to a level that their connection can handle, and minimize the browser window, and let it run around the clock. While our server was able to deal with those who tried it out, it had the potential of becoming a problem as more Wikipedians became aware of this script and started using it. The links to Wikipedia-Watch were hard-coded into the script. The JavaScript code was copied from elsewhere, but since Mr. Howard is a programmer, there is no question whatsoever of his intentions. The fact that he hosted this denial-of-service script on a different domain meant that the referrer in our log pointed to geocities.com and briefly misdirected our attempts to trace him.
Here are 27,340 lines from our log that show the script in action. They are compressed into a 336K zip file, which unzips to 9 megs. The lines are terminated Unix-style, with just a hex 0A line-feed character. We also have the source code, but won't make it available except to those who need it as evidence, and who provide their real name, address, and telephone number. You can request it by email if you use an email account that shows your originating IP address (such as Hotmail, Yahoo mail, Earthlink — but not Gmail).
The reason for caution is because the script will run in a browser as soon as you load it from your local disk. The Wikipedia-Watch image URLs are hard-coded in the script, and you would get detected and blocked from our site within a few seconds. The first use of this script is by Mr. Howard at 24.95.59.142. This is not the sort of script we want distributed.