[Reprint] Eight kinds of common anti-theft chain method Summary and analysis

As an ordinary netizen, generally do not need to know or care about what is hotlinking, but if you are the developer or maintainer of the site, you will have to pay attention to the hotlinking problem. If you've just developed a Web site with file-download capabilities that doesn't have an anti-theft chain, hang up the internet, upload a few popular software or movies and post it on the site, and let all your friends on MSN experience your masterpiece. It will not take long to find that the Internet is surprisingly slow, even the server hosting center waiter will be enthusiastic to call to tell you that the site traffic is very large, it is estimated that the site is popular, asked if you should consider adding money to rent more bandwidth but more expensive cable. When it's time to celebrate, turn on Google Analytics to see how many people are visiting your site, and if you find that visitors are only 10 people a day, I'm sorry to tell you that your site resources have been hotlinking by people. And what's worse, when you erase all the files and movies on the site, the site still doesn't get much faster, and from the Web server's access logs, the frantic access requests are coming in from all directions, and the Web server doesn't have time to handle the normal pages in order to greet the visitors. This situation may persist for several weeks at a time.

Site resources are hotlinking simple to say that others are not from your site by downloading resources, are hotlinking several possible situations:
1, in the popular websites, forums, community pages directly quoted (using the mark) on your site images, or directly on other pages (using Flash or media play plugin) embedded in your site mp3.
2, in the popular website, forum, the community to provide your resources.
3, your site resources may be some download software included in the "Resource candidate List", when others use the download tool to download the same file, the download software will automatically find the door and download from your server.

Since the consequences of being hotlinking so horrible, there are ways to prevent the hotlinking of the following from simple to complex summary of common and some of their own practice of some methods, and briefly analysis. Unfortunately, these methods can not completely eliminate the hotlinking, and the purpose of the anti-theft chain should be to a certain extent to reduce the impact of the hotlinking, while allowing legitimate users to be able to freely download resources from your site in a natural way .

Method 1: Determine the reference address

This method is the earliest and most common method. The so-called reference address is the value of the Referer field of the HTTP header that is used to determine the browser request, which can be obtained using the Request.urlreferrer attribute in ASP. In some cases, the browser is making a request Jacky.mp3 when the user clicks a link to the Http://uushare.com/jacky.mp3 file while browsing http://uushare.com/abc.html. The resource also comes with the page address (that is, http://uushare.com/abc.html) where the browser is inscribed, so when your website program receives a request to download the Jacky.mp3 resource, it first determines the value of the HTTP referer field, if it is from Its own domain name (uushare.com), it can be considered a legitimate connection request, otherwise it will return an incorrect prompt message.

This method is commonly used for images, mp3 This is easy to use HTML "embed" to other sites of resources, use this method can prevent your image directly in other People's web page (or prevent MP3 directly from other sites embedded in the Flash Player), but visitors using the download tool can be easily downloaded , because now the download tool will usually automatically use your domain name to construct a reference address, so if you want to further prevent, you can use a corresponding table to limit the reference address of each resource, for example, to limit the Jacky.mp3 reference address to http://uushare.com/ abc.htmlid=12345, so the download tool is less likely to construct a "correct" reference address.

Method 2: Use login authentication

This approach is common in forums and communities. When a visitor requests a resource on a Web site, it first determines whether the request is logged by login verification (logged in using ASP. Session or form validation), and returns an error message if not already logged in. This method can also be used to further determine whether the logged on user's permissions are sufficient for the download with "Permissions".
However, because the login state relies on the session ID, and the session ID is often stored in the HTTP request cookie field, the download tool generally does not have access to the browser's cookie field, so these resources are often unable to download using the Download tool, A lot of inconvenience to normal legitimate users (because most of the Internet users have installed a download tool, a click download link is generally blocked by the download tool, resulting in the browser itself can not use the download function). The simple workaround is to place the session ID in the URL.
Another drawback of this approach is that visitors cannot download anonymously, so this method is generally used only for forums and community sites.

Method 3: Use cookies

In fact, this method is similar in principle to Method 2. is a cookie that generates a dynamic value on the page that displays the download link, and then, when processing the resource download request, first determine if there is an incorrect cookie in the cookie, and if not, return an error message. As to how this dynamic value is generated, it is possible to reverse-determine whether the dynamic value is legitimate, such as taking the current time to remove the number of seconds to hash (also known as the hash value). If the Web program is an ASP. NET, it is easier to save a string or number in the session, and then check the session for the existence of the string or number when processing the download request. The disadvantage of using this method is the same as Method 2.

Method 4: Use post to download

The client browser requests resources using the Get method of HTTP, in fact, the Post method can also be used to return data to the client. So you can replace the download link with a form (form) and a button (Submit), put the name or ID of the file to be downloaded into a hidden text box (Input) of the form, and when the user clicks the Submit button, the service program first determines whether the request is a post mode, If yes, read the binary data of the target resource and write to the Response object (in ASP. Respone.binarywrite method).
The disadvantage of using this method is also that the download tool cannot be used, and the continuation of the breakpoint is not possible. However, better than the method 2,3, the download tool does not intercept your download action, so the normal user is still relatively smooth download to the file. This method is more suitable for small file downloads.

Method 5: Use a graphical verification code

Use this method to ensure that each download is "People" downloaded from your site, not the download tool. Because many of the online introduction of the use of graphics verification code method, so here is no longer repeated. The disadvantage of this method is that it is easier for normal users to feel trouble.

Method 6: Use dynamic file names

Also called dynamic key method, when the user clicks on a download link, first calculate a key on the terminal (using a certain rule generated key, it is best not to use a random string such as a GUID, and this key must have a certain aging), Then in the database or cache record this key and its corresponding resource ID or file name, finally let the page redirect a new URL address, this new URL address needs to include this key. When the browser or download tool makes a download request, the program detects if the key exists and returns the corresponding resource data if it exists.
The advantage of using this method is that the download tool can also be downloaded, and it can be resumed before the key expires, and the number of threads downloaded can be controlled by key.

The disadvantage of using this method (including all of the methods that support download tools above) is that when any user downloads successfully, your resources will be included in the "Resource candidate list" by some download tools, and the download tool will constantly connect to your server when others download the same file elsewhere. Even if your files have been deleted or the key has been invalidated, this will result in a class of DDoS attacks, the following two is the way to let download tools to download, but also to prevent hotlinking.

Method 7: Modify the contents of the resource

Generally popular resources are movies, MP3, large compressed package, and so on, these files are a lot of data can be inserted in the place, such as MP3 has a tag area, Rar/zip has a memo area, the content of the movie anywhere, as long as the download process, Dynamically inject some random bytes (a few bytes) into these places, you can change the hash value of the entire file (that is, hash value, fingerprint value), so that the hash of the file downloaded from your website is not the same as others, you can prevent the download tool to actively find the door. Using this method with Method 6, can achieve a better anti-theft chain effect. The disadvantage is that although the files are modified parts will not be "read", "Listen" out, but more or less let people know that uncomfortable. In addition, if others have downloaded files from your site to other sites, there is still a download tool to actively find the door (although it is not actually downloadable content).

Method 8: Package Download

This method is the same as Method 7, but this time not to the original file modification, but on the original file based on the addition of a "shell", so that the resource hash value is different from others. This method can be used to achieve the same effect on the basis of the original content of the resources, and a bit more ruthless, even in the packaging of the time to put some of their own ads. The disadvantage is that users have to compress every download, but at present most people know how to decompress, so this shortcoming can sometimes be ignored.

Well, there are some common methods of anti-theft chain, if you have other ways to add, can be published in the comments. Reprint please indicate the source of the article (http://www.cnblogs.com/uubox) Thank you!

[Reprint] Eight kinds of common anti-theft chain method Summary and analysis