57

answers:

4

Hey guys, I currently present my mp3s by referencing their file location in a Flash mp3 player for the users. Is it possible for users/bots to go onto your site and somehow execute an mp3 continuously and drain bandwidth? If so, how can you prevent this? (I program in PHP.) Thanks in advance for any advice.

+1  A: 

If your Flash player doesn't (reasonably) cache MP3s on the client side then I'd say that it's time to find a new player...

Ignacio Vazquez-Abrams
what do you mean by cache on the client side? You mean once the mp3 downloads it then is part of your browser memory and does not need further download?
Scarface
That is correct.
Ignacio Vazquez-Abrams
I use nifty player, do you have any others that you have encountered as useful?
Scarface
I don't really do Flash, so I'm the wrong person to ask.
Ignacio Vazquez-Abrams
Thanks anyway.
Scarface
+1  A: 

Yes, it's trivially possible for a bot to do this.

How you prevent it depends largely on how you're presenting the data, but what you probably want is some kind of rate limitation. For example, you could refuse multiple simultaneous requests for data files from the same IP address--or at least limit it to a small number, keeping in mind that some users may share IP addresses.

JSBangs
How do you accomplish something like that though in php?
Scarface
EDIT: How do you accomplish that through server configuration?
Scarface
+3  A: 

I suppose that if the flash player downloads mp3 from your server, then, there is a way to download mp3 files from your server.

Which means that, knowing their URLs, bots (or even real users) could download them.

Considering that someone who listens to music using your player should not be downloading more than one mp3 file every 3 minutes or so (well, one shouldn't go faster than the music ^^ ), you could put some checks in place, like:

  • not allow one to download more than X mp3 files per N minutes -- like more than 5 mp3 files in 3 minutes is odd
  • not allow one to download at more than a given rate (like 3MB/minute is probably a lot more than your users need)
  • not allow one to download more than 2 or 3 mp3 files at the same time (not likely that someone's going to listen to several songs in parallel ^^ )
Pascal MARTIN
I am streaming my mp3s in a player on each user page. How could you implement those checks in PHP?
Scarface
@Scarface: You wouldn't. You'd do it in the server itself.
Ignacio Vazquez-Abrams
I am kind of noob at administering my server right now, as I am a fairly new developer and have not had much time to educate myself. Do you modify the htaccess file in some way to do this?
Scarface
Bandwidth limitation can probably be done at the server level; for the limitation on number of files per minute, you'll probably have to code something; a possibility would be to have your mp3 content served by a PHP script, which would allow you to implement that kind of check, log what's accessed, ...
Pascal MARTIN
That is what I will do, thanks Pascal. For bandwidth limitation, however, is that done in htaccess?
Scarface
I don't think this'll be that easy: afaik, there's no bandwidth limitation, by default, in Apache -- which means you might have to play with some modules like mod_bw or mod_bandwidth.
Pascal MARTIN
+1  A: 

This is a very high-level answer as I'm not familiar with the specifics of what you're doing, but there really isn't anything stopping a bot from continuously requesting a file if it can somehow determine where it is stored on the server (the URL). As Ignacio suggests, there are some things you can do in the swf source to make sure that it won't continuously request the file, but if they can find the location of the file on the server, they can bypass the swf altogether. What I would suggest is creating some sort of gateway page (in PHP) that does some sort of check to see if a requested file has been requested by the client (perhaps, IP address*) in the last X minutes. If the check is ok, then the PHP script could handle the data stream to the client; if not, then it would deny the request and not grant access to the data. That said, you are still vulnerable in the event that they can determine the actual location of the file. You would probably want to configure some server rule to forward all requests that end in .mp3 to the gateway file to prevent direct access.

*It should be noted that if you're going to implement some sort of rate checking, you need to be very careful about how you do it. IP alone is not really good enough because what if you have a bunch of users behind the same NAT gateway (at a corporation for instance) and despite there being, in fact, 20 unique users requesting the same file, the requests are actually only coming from one IP address. Ideally you might use some combination of user-agent data along with an IP address or perhaps some session information.

Hope this helps!

Chris Thompson
Thanks Chris, that was a very informative and useful comment, really appreciate it. When you talk about using a gateway page, do you have any ideas on how that would work? For example, if I reference a gateway page in my Flash player, will it actually access that page?
Scarface
Glad it was useful! Check out the third post (the one by rogem002) on this page: http://www.webmaster-talk.com/php-forum/167948-streaming-mp3-audio-stream-through-php.html The OP asked a similar question (although with different motivations). Note that the first response (second overall post), which references javascript-based options, will not work because a bot would bypass that altogether.
Chris Thompson
Thanks again Chris, I found this which seems sufficient and basically does everything you suggested. I looked through the thread you suggested and it got really complicated lol, plus they mentioned some problems which I did not know the solution to. Check this out and tell me what you think: http://www.codewalkers.com/c/a/Miscellaneous/Using-PHP-to-Stream-MP3-Files-and-Prevent-Illegal-Downloading/2/
Scarface
Also, would you recommend taking the same steps for image serving?
Scarface
The description at that link is more or less exactly what you need. The steps you would go through would just depend on the level of security you wanted to provide. The same idea would work for image serving, although the steps needed to display the image would be slightly different than with the swf example (obviously :-) ).
Chris Thompson
Thanks Chris for your time. I always appreciate someone who follows up with me and answers my stupid questions. This helps me have a good understanding of what I am doing afterward. Thanks again.
Scarface
No problem! I'm happy to help. Your questions were far from stupid. We all have to start somewhere, and what you're doing is certainly nontrivial. Good luck!
Chris Thompson
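As an added example that is not code from the thread or from either linked article, here is one way to build the PHP gateway that Pascal MARTIN's checks and Chris Thompson's answer describe: it serves mp3 files from a directory outside the web root, caps the number of files per time window and the number of parallel streams per client, and keys the client on IP plus session rather than IP alone. The directory, the limits and the `f` parameter name are assumptions, as is an Apache rule that rewrites direct `*.mp3` requests to this script.

```php
<?php
// Added example, not code from the thread. MP3_DIR, the limits and the "f" query
// parameter are assumed; Apache is assumed to rewrite *.mp3 requests to this script.
session_start();
const MP3_DIR      = '/var/media/mp3';  // assumed: outside the web root, never served directly
const MAX_FILES    = 5;                 // at most 5 mp3s ...
const WINDOW_SEC   = 180;               // ... per 3 minutes per client
const MAX_PARALLEL = 2;                 // concurrent streams per client
// Client key = IP + session id, so users sharing one NAT address are not one "client".
$client = hash('sha256', $_SERVER['REMOTE_ADDR'] . '|' . session_id());
$state  = sys_get_temp_dir() . "/mp3gw_$client.json";
// Accept only a bare *.mp3 file name that resolves inside MP3_DIR (blocks "../" traversal).
$name = basename($_GET['f'] ?? '');
$path = $name === '' ? false : realpath(MP3_DIR . '/' . $name);
if ($path === false || strpos($path, MP3_DIR . '/') !== 0 || substr($name, -4) !== '.mp3') {
    http_response_code(404);
    exit;
}
// Per-client sliding window of request times plus an active-stream count, under a lock.
$fh = fopen($state, 'c+');
flock($fh, LOCK_EX);
$data = json_decode(stream_get_contents($fh), true) ?: ['times' => [], 'active' => 0];
$now  = time();
$data['times'] = array_values(array_filter($data['times'], fn($t) => $now - $t < WINDOW_SEC));
if (count($data['times']) >= MAX_FILES || $data['active'] >= MAX_PARALLEL) {
    write_state($fh, $data);          // keep the pruned window, release the lock
    http_response_code(429);
    header('Retry-After: ' . WINDOW_SEC);
    exit;
}
$data['times'][] = $now;
$data['active']++;
write_state($fh, $data);
// Free the parallel slot when the stream ends, including when the client disconnects.
register_shutdown_function(function () use ($state) {
    $fh = fopen($state, 'c+');
    flock($fh, LOCK_EX);
    $d = json_decode(stream_get_contents($fh), true) ?: ['times' => [], 'active' => 1];
    $d['active'] = max(0, $d['active'] - 1);
    write_state($fh, $d);
});
header('Content-Type: audio/mpeg');
header('Content-Length: ' . filesize($path));
readfile($path);                      // bytes go to the client; the real path stays server-side

function write_state($fh, array $data): void {   // rewrite the state file and unlock it
    ftruncate($fh, 0); rewind($fh);
    fwrite($fh, json_encode($data)); fflush($fh);
    flock($fh, LOCK_UN); fclose($fh);
}
```

The byte-rate limit Pascal mentions is still best left to the web server (mod_bw or similar), since a PHP script only controls how often and how many files are handed out, not how fast the bytes leave the box.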