Finding the culprit

So I had a look at the server logs and stats today and notice a huge increase in both incoming and outgoing traffic. What hit my eye immediately was the sheer amount of nearly 240GB used yesterday. As I browse through the stats to find the request using the most bandwidth I find links to numerous japanese forums – and guess what I find in those threads, yes, pr0n. Not that I’ve got a problem with that, what I’ve got a problem with though is the fact that they are exploiting a loophole in one of my proxies.

Usually it’s quite easy to figure out that you’re getting hotlinked and the solution is easy, three lines of mod_rewrite goodness and you’re done. Now I was facing another variant of the same problem. Let me explain:

The proxy shows a url in the form of http://www.proxytastic.com/index.php?q=randomString once you surf via the webinterface. Now this url can be any type of thing (html, php, gif, jpg, flash, …) so they were just using that fact to their advantage: … img src = “http://www.proxytastic.com/index.php?q=randomString ….

Now that I noticed that I just block all direct access to such urls via a HTTP-Referer rule…so no more bandwidth theft, use my site, enjoy and watch some ads, damn it ;-)
On another note: good thing that I’ve got a contract with unlimited bandwidth, if not this would have been an expensive loophole…

Edit: It seems that the rewrite solution isn’t working out to good…need to figure out something better, maybe ip blocking…

4 thoughts on “Finding the culprit

  1. In related matters, some cussface was hotlinking images from FFWeb so we had all requests not from ff-web.net replaced with offensive messages. No help to you and your proxy but… Fun nonetheless. :D

  2. Hehe…that’s something I like to do, too :D . Too bad that I couldn’t do it here as the format for a normal file (i.e. html) isn’t different from an image file with this script…

  3. I am having same issue with all my proxies now also. They are hotlinking me. I tried blocking IP’s and they keep getting in. So have you had any luck yet?

  4. Well, I use a combination of referral-based blocking (http header analyzing) along with IP banning nowadays…works pretty well, although they keep registering new domains all the time, so it’s basically a race (they hotlinking vs me banning them)…but at least I’m almost up to them now and so not too much bandwidth is lost… ;-)

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.