Hey guys, I currently present my mp3s by referencing their file location into a flash mp3 player for the users. Is it possible for users/bots to go onto your site and somehow execute an mp3 continuously and drain bandwidth? If so how can you prevent this? (I program in php). Thanks in advance for any advice.
If your Flash player doesn't (reasonably) cache MP3s on the client side then I'd say that it's time to find a new player...
Yes, it's trivially possible for a bot to do this.
How you prevent it depends largely on how you're presenting the data, but what you probably want is some kind of rate limitation. For example, you could refuse multiple simultaneous requests for data files from the same IP address--or at least limit it to a small number, keeping in mind that some users may share IP addresses.
I suppose that if the flash player downloads mp3 from your server, then, there is a way to download mp3 files from your server.
Which means that, knowing their URLs, bots (or even real users) could download them.
Considering that someone who listens to music using your player should not be downloading more than one mp3 file every 3 minutes or so (well, one shouldn't go faster than music ^^ ), you could put some checks in place, like:
- not allow one to download more than X mp3 files per N minutes -- like more than 5 mp3 files in 3 minutes is odd
- not allow one to download at more than a given rate (like 3MB/minute is probably a lot more than your user needs)
- not allow one to download more than 2 or 3 mp3 files at the same time (not likely that someone's going to listen to several songs in parallel ^^ )
This is a very high-level answer as I'm not familiar with the specifics of what you're doing, but there really isn't anything stopping a bot from continuously requesting a file if it can somehow determine where it is stored on the server (the url). As Ignacio suggests, there are some things you can do in the swf source to make sure that it won't continuously request the file, but if they can find the location of the file on the server, they can bypass the swf altogether. What I would suggest is creating some sort of gateway page (in php) that does some sort of check to see if a requested file has been requested by the client (perhaps IP address*) in the last X minutes. If the check is ok, then the php script could handle the data stream to the client; if not, then it would deny the request and not grant access to the data. That said, you are still vulnerable in the event that they can determine the actual location of the file. You would probably want to configure some server rule to forward all requests that end in .mp3 to the gateway file to prevent direct access.
*It should be noted that if you're going to implement some sort of rate checking, you need to be very careful about how you do it. IP alone is not really good enough because what if you have a bunch of users behind the same NAT gateway (at a corporation for instance) and despite there being, in fact, 20 unique users requesting the same file, the requests are actually only coming from one IP address. Ideally you might use some combination of user-agent data along with an IP address or perhaps some session information.
Hope this helps!
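The three answers above describe the same design from different angles: a PHP gateway that sits in front of the MP3 files, counts downloads per client over a window, caps concurrent streams, throttles the byte rate, and keys its counters on more than the bare IP address. The script below is an added example that pulls those pieces together; it is not code from any of the posters. It assumes PHP 8, that the MP3s live outside the web root in the hypothetical directory `MP3_DIR`, that the web server may create files in the hypothetical `STATE_DIR`, and that a rewrite rule such as `RewriteRule ^music/([^/]+\.mp3)$ gateway.php?f=$1 [L,QSA]` sends every `.mp3` request here so the raw file URL is never exposed.

```php
<?php
// gateway.php: rate-limited, throttled MP3 delivery behind a PHP gateway.
// Added example for this thread, not code from any poster. Assumptions:
//   * PHP 8+, Apache mod_rewrite mapping /music/<name>.mp3 to ?f=<name>.mp3
//   * MP3_DIR and STATE_DIR are hypothetical paths outside the web root
//   * the web server user may create files in STATE_DIR
declare(strict_types=1);

const MP3_DIR          = __DIR__ . '/../private_mp3';  // hypothetical
const STATE_DIR        = __DIR__ . '/../rate_state';   // hypothetical
const WINDOW_SECONDS   = 180;    // the "3 minutes" window from the thread
const MAX_PER_SESSION  = 5;      // more than 5 files in 3 minutes from one listener is odd
const MAX_PER_IP       = 40;     // generous: many listeners may share one NAT address
const MAX_CONCURRENT   = 3;      // parallel streams allowed per address
const BYTES_PER_SECOND = 51200;  // 3 MB/minute, the rate mentioned in the thread
const CHUNK_BYTES      = 65536;

session_start();

// Read-modify-write the per-address state under an exclusive lock, so two
// simultaneous requests cannot both pass the check against the same counters.
function withLockedState(string $ip, callable $fn): mixed
{
    if (!is_dir(STATE_DIR)) {
        mkdir(STATE_DIR, 0700, true);
    }
    $fh = fopen(STATE_DIR . '/' . hash('sha256', $ip) . '.json', 'c+');
    flock($fh, LOCK_EX);
    $state = json_decode(stream_get_contents($fh) ?: '{}', true) ?: [];
    $state += ['active' => 0, 'sessions' => []];
    // Forget download starts that have fallen out of the window.
    $cutoff = time() - WINDOW_SECONDS;
    foreach ($state['sessions'] as $sid => $starts) {
        $kept = array_values(array_filter($starts, fn(int $t): bool => $t >= $cutoff));
        if ($kept === []) {
            unset($state['sessions'][$sid]);
        } else {
            $state['sessions'][$sid] = $kept;
        }
    }
    $result = $fn($state);  // closure takes $state by reference
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $result;
}

// 1. Only serve files that really live in MP3_DIR; a crafted name must not escape it.
$name = basename((string) ($_GET['f'] ?? ''));
$path = realpath(MP3_DIR . '/' . $name);
$root = realpath(MP3_DIR);
if ($root === false || $path === false || !str_ends_with($name, '.mp3')
    || !str_starts_with($path, $root . DIRECTORY_SEPARATOR)) {
    http_response_code(404);
    exit;
}

// 2. Admission: per-listener (session) cap, per-address cap, and a concurrency cap.
//    The session id is cookie-based and easy to discard, so the address cap is the
//    real backstop; it is set high enough not to starve a NAT'd office.
$ip  = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
$sid = session_id();
$admitted = withLockedState($ip, function (array &$s) use ($sid): bool {
    $mine  = $s['sessions'][$sid] ?? [];
    $total = array_sum(array_map('count', $s['sessions']));
    if (count($mine) >= MAX_PER_SESSION || $total >= MAX_PER_IP || $s['active'] >= MAX_CONCURRENT) {
        return false;
    }
    $mine[] = time();
    $s['sessions'][$sid] = $mine;
    $s['active']++;
    return true;
});
if (!$admitted) {
    http_response_code(429);
    header('Retry-After: ' . WINDOW_SECONDS);
    exit;
}
// Free the concurrency slot when the script ends, including on client disconnect.
register_shutdown_function(function () use ($ip): void {
    withLockedState($ip, function (array &$s): void {
        $s['active'] = max(0, $s['active'] - 1);
    });
});

// 3. Stream the file ourselves at a capped rate instead of handing out the raw URL.
session_write_close();  // do not hold the session lock for the whole stream
header('Content-Type: audio/mpeg');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, max-age=3600');  // let the player cache instead of re-fetching
while (ob_get_level() > 0) {
    ob_end_flush();
}
$in = fopen($path, 'rb');
while (!feof($in)) {
    echo fread($in, CHUNK_BYTES);
    flush();
    usleep((int) (CHUNK_BYTES / BYTES_PER_SECOND * 1_000_000));
}
fclose($in);
```

The per-address file is the unit of locking, so the session counters, the address total and the concurrency count are all updated in one atomic step; the `429` with `Retry-After` tells a well-behaved player when to try again, while a bot that keeps hammering only ever costs the lock and a small JSON write rather than the MP3 bytes. Tune `MAX_PER_IP` against your own access logs before enabling it, since that is the number a shared corporate or campus address runs into first.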