LinkDeny: Results for IIS anti-leeching and access control

Posted: February 26th, 2007
Filed under: Uncategorized

LinkDeny has been out on the Net for a few weeks now, and Port80 Software is seeing some interesting uses of the tool in real Microsoft IIS Web server deployments.  Why are admins and Web developers turning to LinkDeny?  Let’s check the top few reasons…

#1 People steal your bandwidth…  Jerks!

You (and/or your team) work hard to build a site or application, and the network infrastructure to support your traffic.  You have success in whatever you are serving (hey, good job!).  Then, randomly, your bandwidth usage shoots through the roof, but you are not seeing any benefit from the increased traffic.  Curious, you start to examine logs and then discover the culprit:  someone has hotlinked the image for your product on, and you are paying for the images they serve to get their orders.  You have been leeched, but how do you solve the problem?  Legitimate users need those images, but you want to stop serving to this freeloader… what is the play?

#2 People slam your site with hotlink requests, creating a DoS-style attack… For shame!

OK, so you have been hotlinked from the guy, but the bandwidth cost is low, so no big deal.  A few days later, bandwidth goes up even more, and you simultaneously start getting warnings that your site is down or takes forever to load.  Nothing changed on your site, so what is going on?  Back to the servers logs, you realize that you are getting bursts of requests for another image, this time from a blog post.  You google around, and discover the blog post is also hotlinking to another image, but this time the requests are being pooled through an RSS feed, fed out to other sites, and now you are not only paying for that bandwidth, but you have to increase your bandwidth limits with your ISP just to keep the site open for legitimate users, as these hotlinkers are hogging up the line.  This is getting annoying…

#3 People just bother you for no good reason… Sigh.

So, you upped the bandwidth limit, because you had to keep serving legitimate users those images – you need to be online for your business.  Still, you know those guys are hogging your bandwidth with hotlinks (and they never respond when you email or call with a “cease and desist” warning), so you let it go…  Until your site is hacked, customer data is stolen, and you are in trouble.  After the dust settles, you discover that some kid in Russia got in through some cross-site scripting magic.  Damn, you don’t have any clients in Russia – why did these guys have to find your site and hack away? 

LinkDeny in the real world

How can you make sure this does not happen again? Obviously, it is time to lock down the Web server – and to make sure that precious bandwidth bills are being spent on legitimate requests, not someone else’s HTML experience with your served image bandwidth.  This is why Port80 Software built LinkDeny – to defeat nefarious hotlinking cold and to make sure that you have a bouncer at the HTTP layer, blocking requests you don’t want (or need) to establish access control for your IIS server. Complementing firewalls and IDS security systems, the software creates an access control bubble around IIS – and really, around one site – to allow for fine-grain access control by request attributes like these:

  • IP address

  • Referring URL

  • Country or geographic location

  • Demographics

  • Length of user session

  • Type of Web browser

  • Existence of cookie

  • HTTP request header type and content

The flexible, rules-based system allows you to dream up just about any method to allow or deny access to content resources, making LinkDeny a powerful security tool for Microsoft IIS Web site administrators and management.

One client evaluating LinkDeny on a medium traffic site for bandwidth control was able to block 2,600 requests by using a combination of default rules in LinkDeny… all in 24 hours!  The nice thing is that he was able to test LinkDeny in production without messing around with real traffic by putting the rules into a “log only” mode…  this is a good approach when you are just starting to test anti-leeching and access control with LinkDeny…

Check out some of these default rules that ship with LinkDeny (this is not the full list, but you can get the idea for this feature — white or blacklist who you like, log it, redirect them, or drop the session with a forced 404):

  • Top Countries with Most Internet Users

  • Top Countries with Longest Surfing Internet Users

  • Top Countries with High Risk for Hacking or Fraud

  • Top Countries with High Risk for Phishing Attacks

  • U.S. Embargoed Countries (think Terrorist Watch List)

  • Top Blog Hosts (Blogspot, LiveJournal, etc.)

  • Top Social Networking Sites (MySpace, etc.)

  • Top Auction Sites (eBay, etc.)

  • Top Anonymous Surfing Sites (Proxify, The-Cloak, etc.)

  • Top Search Engines (Google, Yahoo!, etc.)

  • Top News Sites – General (NYTimes, Slate etc.)

  • Top News Sites – Local and TV (NYPost, Telemundo, etc.)

  • Top News Sites – Financial (SmartMoney, Bloomberg, etc.)

  • Top News Sites – Tech (Slashdot, InfoWorld, etc.)

  • Top Internet Portals (MSN, Amazon, etc.)

  • Allow common Web browsers only rule template

  • Deny images or video without user-agent header present rule template

  • Deny image or video without referrer present rule template

Another client is not concerned with blocking anything, or rather wants to block everything coming into a server, except requests from one very specific IP…  their firewall needs to be a bit more open, so they are using LinkDeny to allow traffic on their network to get to the site, an extranet app, and blocking everything else…

Finally, here is an example of a client with no anti-leeching or access control issues, but who is using LinkDeny to redirect traffic for dead links and selectively redirect the incoming traffic to different new pages based on the HTTP referring site…  very cool.

What do you think about LinkDeny, hotlinking and IIS access control?  We look forward to hearing your comments.  If you have a chance to check out the evaluation guide and the documents – and something does not make sense – just drop us a line so we can get your LinkDeny rules up and running soon on your Web server.


No Comments »

Comments are closed.