UPDATE FROM 2007: Port80 Software has actually built this tool, called LinkDeny, and you can download a trial today. So, while the beta failed in concept (read on for the back story), customer requests for IIS anti-leeching and access control eventually led to this tool's creation!
We here at Port80 hear an awful lot of complaints about problems admins need to solve. And while our CEO isn't a fan of telling too many stories about our product ideas (something he read in InfoWorld or somewhere about blogs leaking trade secrets), after a funny incident a few months back that involved pornography site Web administrators, he changed his mind -- why not share something we worked on but haven't ended up releasing, especially this little ditty.
So, here goes...
Over the years, Port80 has received more than a few inquiries to help solve the problem of bandwidth leeching. We started developing a product to address it, but shelved it later when the market interest turned out to be, well... that's where the PORN comes in (more on that later). Anyway, about bandwidth leeching: the basic idea is that you have a binary like an image, an exe download, a PDF, etc. on your site. An unscrupulous competitor hotlinks right to it from their own page with markup like <img src="http://yoursite.com/stolenfile.gif">; every one of their visitors' browsers fetches the object from your server, and you end up paying the cost of server time and bandwidth for your competitor's traffic. Now you should get why it is called bandwidth leeching, or bandwidth theft -- bad juju.
Countermeasure-wise, there are a number of techniques one could employ to combat this, and an ISAPI filter is ideally suited for all of them. The most obvious is to check the Referer header to make sure the request comes from a page on your site that the image or related object actually belongs to. Now, the bad guy can easily spoof that by writing a little program that adds that header, so their markup becomes <img src="leech.asp?http://yoursite.com/stolen.gif">, where leech.asp, running on the leecher's own server, fetches the object from you with a forged Referer and relays it. So, what can you do?
To start combating the more nefarious hotlinkers, an added countermeasure would be to cookie the visitor as they enter the site and only serve images to a visitor who presents an active cookie. Now, the bad guy can go and fake the cookie as well, or even make their fetcher grab a fresh cookie from your front page each time and request the object with it.
Keep on going with this, and you can envision generating random, time-limited URLs for the dependent objects with various tokens embedded in them, and on and on. You can close the leech time window down to make life difficult for the leecher, but every step has a trade-off: legit users (browsing with a privacy tool that strips Referer, or returning to a page cached for longer than your token window) might start seeing the 'access denied' image you meant to send only to the 'bad guys.'
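For the curious, here is the escalation above spelled out in working code. This is an added example written for this post, not LinkDeny's code (a real ISAPI filter would be C++; Python is used here so it is short and runnable), and the hostname, key, placeholder image and function names are assumed for illustration. It shows the Referer check (spoofable, so a missing header is tolerated rather than denied), then the stronger step: URLs that carry an HMAC-signed expiry, so a token for one object cannot be reused for another or replayed after the window closes. The cookie step in between is the same idea with the signed token delivered in a Set-Cookie header instead of the query string.

```python
"""Hotlink (bandwidth-leech) protection: Referer check plus signed, expiring URLs.
Example code for this post; not LinkDeny's implementation."""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlparse

SITE_HOST = "yoursite.com"                 # assumed hostname of the protected site
SECRET_KEY = b"rotate-me-in-production"    # assumed server-side key; never sent to clients
ACCESS_DENIED_IMAGE = "/denied.gif"        # assumed placeholder served to leechers


def referer_allowed(headers, allow_missing=True):
    """Step 1: the Referer check. Trivially spoofed, but it stops lazy <img> hotlinks.
    Privacy tools and some proxies strip Referer entirely, so a missing header is
    allowed by default; set allow_missing=False to trade legit visitors for strictness."""
    ref = headers.get("Referer")
    if not ref:
        return allow_missing
    host = urlparse(ref).hostname or ""
    return host == SITE_HOST or host.endswith("." + SITE_HOST)


def sign(path, expires):
    """HMAC-SHA256 over path and expiry, truncated to 16 bytes, URL-safe base64.
    Binding the path means a token captured for one file is useless for another."""
    msg = f"{path}|{expires}".encode()
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def signed_url(path, ttl_seconds=300, now=None):
    """Step 3: issue a per-object URL that only verifies for ttl_seconds.
    Your own pages embed these instead of plain /stolen.gif links."""
    now = int(time.time()) if now is None else int(now)
    expires = now + ttl_seconds
    return f"{path}?e={expires}&t={sign(path, expires)}"


def verify_signed_url(url, now=None):
    """Accept only an unexpired token that matches this exact path."""
    now = int(time.time()) if now is None else int(now)
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        expires = int(q["e"][0])
        token = q["t"][0]
    except (KeyError, ValueError):
        return False
    if now > expires:
        return False  # leech window closed; a cached page past its TTL fails here too
    expected = sign(parsed.path, expires)
    return hmac.compare_digest(token.encode(), expected.encode())


def decide(request, now=None):
    """Order the checks cheapest to strongest, as a filter would: reject obviously
    foreign referers first, then require a valid signed URL. request is a dict
    {"url": ..., "headers": {...}}; returns the path to serve."""
    headers = request.get("headers", {})
    path = urlparse(request["url"]).path
    if not referer_allowed(headers):
        return ACCESS_DENIED_IMAGE
    if not verify_signed_url(request["url"], now):
        return ACCESS_DENIED_IMAGE
    return path


if __name__ == "__main__":
    # Constructed sample: a five-minute URL issued at a fixed clock value.
    issued = signed_url("/images/stolen.gif", ttl_seconds=300, now=1_700_000_000)
    print(issued)
    print(decide({"url": issued, "headers": {"Referer": "http://yoursite.com/gallery.html"}},
                 now=1_700_000_100))   # served: fresh token, own-site referer
    print(decide({"url": issued, "headers": {"Referer": "http://yoursite.com/gallery.html"}},
                 now=1_700_000_400))   # denied: token expired
```

The `ttl_seconds` knob is exactly the leech window the post talks about: shorter means a relay script has less time to reuse a harvested URL, but also means a visitor who leaves a page open and hits reload later sees the denied image. That is the trade-off, in one parameter.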
The balancing act, of course, is making it hard enough to keep out all but the most aggressive evil linkers without hurting other folks. Ultimately, we found it all ends up at telling human activity from unfriendly bot activity and deciding whether to serve the object or not. That is a much more difficult problem, and one we have yet to solve in general. If we ever do, that product would join the Port80 stable in a heartbeat.
So, if you have read this far, maybe you found anti-leeching an interesting problem or maybe it even happens to you, so why isn't LinkDeny (that is the product's name) in Port80 Software's current product mix -- particularly since it is partially done? Well, that's the racy part.
During LinkDeny's product development, we did a few market tests and found out that the main people who seem to have the leeching problem are sites being hit by aggressive eBay auction users lifting product images and, ahem... PORN site admins. Now, we have nothing against pornography if that is your cup of tea, but we found out very quickly that porno people overwhelmingly prefer Apache Web servers, not IIS (Bill would be pleased). Our Product Manager remembers an uncomfortable presentation where objects might have been hurled at him at a moment's notice for even mentioning Microsoft Web technology to this group. Oh, and the ratio of anti-IIS to pro-IIS folks in this group was 2:1 -- or more like 200:1. So, since we don't develop Apache modules, LinkDeny collects cobwebs for now.
If you think LinkDeny for IIS should come back, let us know. Otherwise, now you know that good pornographers just love Apache -- IIS is just too square for them, man!