Sunday, February 6, 2011

Preventing Hot-Linking or Leeching

There is a well-known phenomenon called hot-linking or leeching, in which pages on one site reference content such as images and videos hosted on another site, wasting bandwidth and increasing server load on the victim site.

This can, however, be prevented using the Referer HTTP header, which the browser uses to specify the URL of the page from which the request was made. A component can check this header to see whether the request came from our own website, from an approved partner website, or from some other website. Requests from non-approved websites can then be blocked by this code.

Assume that we have an ASP.NET site on which we would like to prevent leeching of the static content. How do we do this? The answer differs for the IIS 5, IIS 6 and IIS 7 web servers.

IIS has a built-in capability to handle requests for static content such as HTML and JPEG files. To handle additional resource types such as ASP and ASP.NET files, ISAPI extensions can be plugged into the IIS server. These ISAPI extensions are mapped to resource types like .asp, .aspx and .ascx, and whenever a request for one of these resource types comes to IIS, handling is delegated to the appropriate ISAPI extension DLL.

If we have a .NET module that prevents leeching or hot-linking from our website, the following are the tasks we need to perform on the IIS server, depending on its version.

IIS 5.0:- In IIS 5.0, if we wish to prevent hot-linking or leeching of static content, we can register the static content types with the ASP.NET ISAPI extension. ASP.NET can serve certain static content, but not everything: it cannot serve CGI, ASP or content handled by other ISAPI extensions. Care must be taken to ensure that only content types that ASP.NET can serve are mapped to the ASP.NET ISAPI extension DLL.

IIS 6.0:- This server allows creating a wildcard mapping so that all requests pass through the ASP.NET extension; any request it cannot handle is passed back to IIS, which handles it either by itself or via one of the other ISAPI extensions.

IIS 7.0:- With its integrated pipeline, this version of IIS offers the best service. You can register your .NET module with IIS 7.0, and in integrated mode all requests will pass through this module before being handled either by IIS itself or by any of the ISAPI extensions.
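
The Referer check described above, written as an ASP.NET `IHttpModule`. This is an added example, not code from the original post or from the article referenced below; the module name `HotLinkGuardModule`, the host names, the extension list and the choice to allow requests that carry no Referer are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Hypothetical module name; added for illustration only.
public class HotLinkGuardModule : IHttpModule
{
    // Assumed values: hosts allowed to embed our content (own site, approved partners).
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "www.example.com", "partner.example.net" };

    // Assumed values: static content types to protect.
    private static readonly HashSet<string> ProtectedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { ".jpg", ".jpeg", ".png", ".gif", ".mp4" };

    public void Init(HttpApplication app)
    {
        // Run the check at the start of the pipeline, before any handler serves the file.
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;

        // Only inspect requests for the protected static types.
        if (!ProtectedExtensions.Contains(VirtualPathUtility.GetExtension(request.FilePath)))
            return;

        // A missing Referer is allowed here (assumed policy): direct visits,
        // bookmarks and privacy tools legitimately send none.
        string referer = request.Headers["Referer"];
        if (string.IsNullOrEmpty(referer))
            return;

        // Compare the exact host, never a substring, so that a look-alike such as
        // "www.example.com.other.test" does not pass as "www.example.com".
        Uri refererUri;
        bool approved = Uri.TryCreate(referer, UriKind.Absolute, out refererUri)
                        && AllowedHosts.Contains(refererUri.Host);
        if (!approved)
        {
            app.Context.Response.StatusCode = 403; // refuse the hot-linked request
            app.CompleteRequest();                 // skip the rest of the pipeline
        }
    }

    public void Dispose() { }
}
```

In IIS 7.0 integrated mode a module like this is registered in the `<modules>` section under `<system.webServer>` in web.config. Because the Referer header is supplied by the client, this check works as a bandwidth control and should not be relied on as access control.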

That’s it.

For more details on how to prevent leeching, with screenshots and source code, as well as the performance impact of routing all requests through ASP.NET (i.e. in the case of IIS 6.0), please refer to the following article by Mike Volodarsky, the program manager/lead for IIS development:
http://mvolo.com/blogs/serverside/archive/2006/11/10/Stopping-hot_2D00_linking-with-IIS-and-ASP.NET.aspx
