Old 04-10-2003, 10:01 AM  
pancake7
Registered User
 
Join Date: Apr 2003
Posts: 1
Just so you all don't get a false sense of security, this can be easily defeated. Let's say you have a page that you have a bunch of hot links on. To get around the AHL protection, just rename your main page, say index.html, to index_frame.html, then create a new index.html that looks like this:

Code:
<frameset rows="0%,100%">
  <frame name='gallery' src='http://www.antihotlinking.com/demo/gallery.html'>
  <frame name='mypage' src='index_frame.html'>
</frameset>

Then on your index_frame.html page you can have a link to http://www.antihotlinking.com/demo/demo.mpg and it will work perfectly. What is happening here is that the browser is loading the "approved" page in a hidden frame that the user never sees. They only see your index_frame.html page. Then because they have loaded the approved page in the background, they are fully able to load the video you're linking to. So now when someone hot links to you, they're going to be causing 2 hits instead of 1... one to the main gallery, then another to the movie file itself. Thus increasing your bandwidth usage. BTW, I have seen this in the wild... this isn't just something I came up with myself.

Also, for all those posting their stats for number of hot-linkers blocked by the AHL script, think about how many of those might have been legitimate users getting an error.

In short, there is no way to protect against hot-linkers. The best you can do is slow them down, which this script will probably do. Just don't think that it's bullet-proof. And use this information when deciding if $250 plus a per-server fee is worth it. You might be enjoying low-bandwidth for now, but hot-linkers might eventually get around it.

If you want to test this frames tactic yourself, create an index.html file with the code above, then create index_frame.html with the following:

Code:
<html>
<body>
<h2>Anti-hotlinking crack</h2>

<a href="http://www.antihotlinking.com/demo/demo.mpg">The hot-linked video file</a>

</body>
</html>

Then load index.html in your browser and click the link. You do still have to click it within 3 minutes, just like the main gallery page.

At the site I work for, we use a rotating temp link. It also can be defeated, but it would take a little scripting on the hot-linker's side, and wouldn't be as easy as just dropping in some HTML. It also works perfectly with our setup of multiple separate video servers. Again, nothing is bullet-proof, especially not referer-checking.

One last question for x3m. Does your script work with multiple load balanced servers? We have our "gallery" page served off of a load balanced cluster, then the video files are served off of other dedicated video servers. So each request to the gallery page will go to a different server, and the request to the video file itself goes to a completely different set of servers. My guess is that your script is storing the client info on the server, so it only works if both hits go to the same server, which of course won't work for any large scale site using load-balancing like Cisco's Local Directory or a Coyote Point Equalizer. The logistics of sharing the client-info between several servers present many challenges, especially if those servers are at disparate networks across the world, and the connection between each has its own lag. Let me know what your thoughts are on this.

Anyways... I'm not trying to discourage any of you from buying the AHL script. It will probably help in the short run. I just want you to be informed that it's not all that the AHL guys hype it up to be. Make an informed decision.

Thanks
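Added example, not part of the post above and not the poster's or AHL's code: the post mentions a "rotating temp link" that works across separate video servers but gives no details, so this sketches one stateless way to build such a link, using an HMAC-signed expiry. The key, the function names, the query parameter names and the 180-second window are all assumptions.

```python
import hashlib
import hmac
import time

# Constructed sample key (assumption). In practice this would be a random
# secret deployed to every gallery and video server.
SECRET = b"constructed-demo-key-not-for-production"
WINDOW = 180  # seconds a link stays valid (assumed value)


def _sign(path, expires):
    """HMAC over the file path and its expiry time."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_link(path, now=None):
    """Gallery side: emit a link that expires WINDOW seconds from now."""
    issued = int(now if now is not None else time.time())
    expires = issued + WINDOW
    return f"{path}?e={expires}&s={_sign(path, expires)}"


def check_link(url, now=None):
    """Video-server side: needs only SECRET, no per-client state,
    so any server behind a load balancer can validate the request."""
    path, _, query = url.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    try:
        expires = int(params["e"])
    except (KeyError, ValueError):
        return False  # missing or malformed expiry
    supplied = params.get("s", "").encode()
    expected = _sign(path, expires).encode()
    if not hmac.compare_digest(supplied, expected):
        return False  # path, expiry or signature was altered
    current = now if now is not None else time.time()
    return current <= expires


if __name__ == "__main__":
    link = make_link("/demo/demo.mpg")
    print(link, check_link(link))
```

Unlike a referer check, the video server here trusts nothing the browser volunteers about where it came from; it only verifies a value the gallery server issued.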