Website resources are hotlinking: prevention methods VS website Resources Anti-theft chain: Cracking skills

Source: Internet
Author: User
Tags gz file dedicated server

Resources are hotlinking: (Concise definition)

Instead of downloading resources directly from your site, the downloader downloads your server resources via links to your download resources provided by other hotlinking websites!

Http://baike.baidu.com/view/272422.htm

One "Prevention methods:

Method 1: Determine the reference address
This method is the earliest and most common method. The so-called reference address is the value of the Referer field of the HTTP header that is used to determine the browser request, which can be obtained using the Request.urlreferrer attribute in ASP. In some cases, the browser is making a request Jacky.mp3 when the user clicks a link to the Http://uushare.com/jacky.mp3 file while browsing http://uushare.com/abc.html. The resource also comes with the page address (that is, http://uushare.com/abc.html) where the browser is inscribed, so when your website program receives a request to download the Jacky.mp3 resource, it first determines the value of the HTTP referer field, if it is from Its own domain name (uushare.com), it can be considered a legitimate connection request, otherwise it will return an incorrect prompt message.

This method is commonly used for images, mp3 This is easy to use HTML "embed" to other sites of resources, use this method can prevent your image directly in other People's web page (or prevent MP3 directly from other sites embedded in the Flash Player), but visitors using the download tool can be easily downloaded , because now the download tool will usually automatically use your domain name to construct a reference address, so if you want to further prevent, you can use a corresponding table to limit the reference address of each resource, for example, to limit the Jacky.mp3 reference address to http://uushare.com/ abc.html?id=12345, so the download tool is less likely to construct a "correct" reference address.

Method 2: Use login authentication
This approach is common in forums and communities. When a visitor requests a resource on a Web site, it first determines whether the request is logged by login verification (logged in using ASP. Session or form validation), and returns an error message if not already logged in. This method can also be used to further determine whether the logged on user's permissions are sufficient for the download with "Permissions".
However, because the login state relies on the session ID, and the session ID is often stored in the HTTP request cookie field, the download tool generally does not have access to the browser's cookie field, so these resources are often unable to download using the Download tool, A lot of inconvenience to normal legitimate users (because most of the Internet users have installed a download tool, a click download link is generally blocked by the download tool, resulting in the browser itself can not use the download function). The simple workaround is to place the session ID in the URL.
Another drawback of this approach is that visitors cannot download anonymously, so this method is generally used only for forums and community sites.

Method 3: Use cookies
In fact, this method is similar in principle to Method 2. is a cookie that generates a dynamic value on the page that displays the download link, and then, when processing the resource download request, first determine if there is an incorrect cookie in the cookie, and if not, return an error message. As to how this dynamic value is generated, it is possible to reverse-determine whether the dynamic value is legitimate, such as taking the current time to remove the number of seconds to hash (also known as the hash value). If the Web program is an ASP. NET, it is easier to save a string or number in the session, and then check the session for the existence of the string or number when processing the download request. The disadvantage of using this method is the same as Method 2.

Method 4: Use post to download
The client browser requests resources using the Get method of HTTP, in fact, the Post method can also be used to return data to the client. So you can replace the download link with a form (form) and a button (Submit), put the name or ID of the file to be downloaded into a hidden text box (Input) of the form, and when the user clicks the Submit button, the service program first determines whether the request is a post mode, If yes, read the binary data of the target resource and write to the Response object (in ASP. Respone.binarywrite method).
The disadvantage of using this method is also that the download tool cannot be used, and the continuation of the breakpoint is not possible. However, better than the method 2,3, the download tool does not intercept your download action, so the normal user is still relatively smooth download to the file. This method is more suitable for small file downloads.

Method 5: Use a graphical verification code
Use this method to ensure that each download is "People" downloaded from your site, not the download tool. Because many of the online introduction of the use of graphics verification code method, so here is no longer repeated. The disadvantage of this method is that it is easier for normal users to feel trouble.

Method 6: Use dynamic file names
Also called dynamic key method, when the user clicks on a download link, first calculate a key on the terminal (using a certain rule generated key, it is best not to use a random string such as a GUID, and this key must have a certain aging), Then in the database or cache record this key and its corresponding resource ID or file name, finally let the page redirect a new URL address, this new URL address needs to include this key. When the browser or download tool makes a download request, the program detects if the key exists and returns the corresponding resource data if it exists.
The advantage of using this method is that the download tool can also be downloaded, and it can be resumed before the key expires, and the number of threads downloaded can be controlled by key.

The disadvantage of using this method (including all of the methods that support download tools above) is that when any user downloads successfully, your resources will be included in the "Resource candidate list" by some download tools, and the download tool will constantly connect to your server when others download the same file elsewhere. Even if your files have been deleted or the key has been invalidated, this will result in a class of DDoS attacks, the following two is the way to let download tools to download, but also to prevent hotlinking.

Method 7: Modify the contents of the resource
Generally popular resources are movies, MP3, large compressed package, and so on, these files are a lot of data can be inserted in the place, such as MP3 has a tag area, Rar/zip has a memo area, the content of the movie anywhere, as long as the download process, Dynamically inject some random bytes (a few bytes) into these places, you can change the hash value of the entire file (that is, hash value, fingerprint value), so that the hash of the file downloaded from your website is not the same as others, you can prevent the download tool to actively find the door. Using this method with Method 6, can achieve a better anti-theft chain effect. The disadvantage is that although the files are modified parts will not be "read", "Listen" out, but more or less let people know that uncomfortable. In addition, if others have downloaded files from your site to other sites, there is still a download tool to actively find the door (although it is not actually downloadable content).

Method 8: Package Download
This method is the same as Method 7, but this time not to the original file modification, but on the original file based on the addition of a "shell", so that the resource hash value is different from others. This method can be used to achieve the same effect on the basis of the original content of the resources, and a bit more ruthless, even in the packaging of the time to put some of their own ads. The disadvantage is that users have to compress every download, but at present most people know how to decompress, so this shortcoming can sometimes be ignored.

http://blog.csdn.net/zhanglei5415/article/details/3611365

Second "Hack Skills: (original)

Method 1:browser > Source codes > Edit as HTML

Method 2: Write JavaScript crawlers, piece together, collect links to related resources

Express anti-theft chain module:

Installation
npm install express-anti-leech
Use
VarExpress= Require(' Express '),Path= Require(' Path '),App=Express(); Var Antileech = Require(' Express-anti-leech ');Whitelist of allowed domains to be referencedVarHosts= [' localhost ', ' localhost:8004 '];Anti-hotlinking typeVarExts= ['. png ', '. jpg ', '. jpeg ', '. gif ', '. SwF ', '. flv '];Hotlinking pointing to a picture by defaultVarPictrue= "/images/default.png";App.Use(Antileech({Allow:Hosts,Exts:Exts,Log:Console.Log, You can also use your own methods to record Default:Pictrue}));Please use the anti-hotlinking module before calling a static resourceApp.Use(Express.Static(Path.Join(__dirname, ' Public ')));App.Set(' Port ',Process.Env.PORT|| 8004);App.Get(‘/‘, function(Req,Res) {Res.redirect( "/index.html" ); app. (app. ' Port '  function  ()  { Console. ( "Express test server listening on http://localhost:"  + App. ' Port '                

Test:

localhost:8004In the whitelist, not the 127.0.0.1:8004 whitelist, so the localhost:8004 next access is normal, and 127.0.0.1:8004 the next is redirected to the specified picture.

Nginx anti-hotlinking settings:

To prevent hotlinking not only protect copyright, but also save a lot of traffic. Recently exchanged with Bsdmap, I heard that they saved nearly 1/3 of the picture traffic through the anti-theft chain. Nginx Anti-theft chain settings are relatively simple, can be divided into ordinary anti-theft chain and Ip/cookie based anti-theft chain. Which IP based anti-theft chain need to install Nginx module, so relatively troublesome.
Nginx's simplest anti-theft chain settings are as follows

Location ~*. (gif|jpg|png|swf|flv) $ {
Valid_referers none blocked www.jefflei.com;
if ($invalid _referer) {
return 403;
}
}
The 403 error is returned via Nginx redirection mode.
Nginxhttpaccesskeymodule implement anti-theft chain

The Nginx Nginxhttpaccesskeymodule module needs to be installed first. It works as follows: There is a file.gz file in my Nginx directory. The corresponding URI is http://www.jefflei.com/nginx/file.gz
If you use Ngx_http_accesskey_module, then generate a key value based on the user's IP, such as the following link to access http://www.jefflei.com/download/file.zip?key=23497sdf897. Only the given key value is correct, can download the Nginx directory file.gz, so you can avoid being hotlinking.

on website anti-theft chain technology:

First, beginner--The name of the folder where the music files are changed frequently and where they reside.

This method is the simplest, the most primitive, as long as the discovery of server traffic is not normal, the background opens click Update Resource Address, the program will automatically modify the resource name. As a result, the address of the hotlinking is immediately invalidated.
Disadvantage: Because of the resources enough, update up the server resources, time is long enough to later, every update almost to use an overnight. And because the process is not well-handled at the time, each update will basically appear some error links. and an updated address is still basically hotlinking.

Second, the normal level-the real address of hidden music files, this method everyone has thought about it,:). The way to do this is to create a problem by scripting or adding a password to find the real address. Take mp3 play to say, I use the method is such as play.asp is the player page, when the server operation to get the real address, write this address to session[address] saved, Play.asp does not appear at all this is the resource address, play.asp the download is completed immediately after the url.asp script file is loaded, in url.asp to detect if there is a session[address] is written as a script, and immediately clear the value. No output will be made without any. This processing in the play page effect is better, but in the download page is not so good to hide, and as long as the user installed the Thunder software, the mouse to move to the real address of the player on the Force horse is displayed. And I think as long as the client can provide a normal server, it is basically impossible to hide. Unless the service is not provided. Otherwise, grab a bag of software and get out.

Three, medium level--with ASP. HttpHandlers, the method and the ISAPI plugin that intercepts IIS are basically a principle. As a resource download station, there is no need to hide the real address, even if completely exposed, the other webmaster put the address on his station click will be invalid. The principle is: whether the routing of the link request is hotlinking. If the route does not meet the requirements, it means that the request is hotlinking, and terminates immediately. This way, compared with the previous two methods, the anti-theft technology has crossed a qualitative leap process. It works very well. There are so many anti-theft software in this way, such as the most famous freeware re_writer. But in the ointment is: if a music station like 54star.net, to provide online audition function, and after the detection of the player request is empty, that is, to provide online audition server, must be the origin of the null is also considered legal. In this way, the hotlinking link is also legal by downloading the tool or right-clicking the "Save as" link to the player that is already in the other station. Did not fully achieve the effect of anti-theft.

Four, heavyweight--through the key verification, the use of the principle and method of the three very familiar, the same is to intercept IIS, but the difference is that the interception is not the antecedents, but the address of a string of parameters---after the encryption key. The principle of other keys and the current online payment system, the online payment system to set a password in the background, you should also set up a password on your website, the form submitted to the process of judging whether it is legitimate all rely on it. Using this method the encryption of the anti-theft chain prevents the usual such key = Cryptographic function (client IP + password). The last generated address is: HTTP://DOWN.54STAR.NET:89/CD/JS-BKSYJX/02.MP3?5335AAF7DEC19388B7BB799DD70482E, the real address at the front of the question mark, and the string behind it is the secret key. , judging whether it is lawful is by judging whether it is correct. Want to steal this site resources of the difficulty is shaped like to crack an unknown length, and can change the password is the same at any time. This method can be said in several anti-theft technology can be described as the most perfect. and the resource server and the Web server can be visited separately. If you want to provide to the friendship station to use, just need to tell him the secret key can.

Five, ultra-heavy---the operation of the use of method four has almost reached the perfect, but the only drawback of the anti-theft method is performance. The general download station is to use the HTTP protocol to provide the download, IIS is very powerful, will be ASP. NET is aware of its three-tier structure, its processing mechanism is very large. As a result, IIS is overwhelmed by the mere download of IIS as a resource server. Like 54star.net This station found, as long as the download of people a little more IIS occupies a very high level of resources, and IIS can be more than the number of concurrent, as long as a certain amount, there will be a variety of problems. such as prompting the server too busy this problem you often meet. So here is recommended to you a new free software: Think up anti-theft chain download dedicated Server software, is http://54star.net/downserver/, this software not only use method four through the key way to prevent hotlinking. What's even better is that it's completely detached from IIS and handles the file download server wholeheartedly. It is the best free software from the download speed, the number of concurrent resources, and other parameters. My friend's music station stabilized all of a sudden after using the system. So it is strongly recommended to make it here to everyone. In addition, this software is written by. net1.1, so it can only be run on windows2000,windows2003 or operating systems that have. NET framework1.1. The file is very small and only 54K, no installation required.

Website resources are hotlinking: prevention methods VS website Resources Anti-theft chain: Cracking skills

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.