Adblock Plus and (a little) more

Why you really should not hotlink · 2007-04-24 06:13 by Wladimir Palant

If you run a web site, you probably see this occasionally as well — people use your images, and instead of copying them over to their own servers they simply hotlink to your server. Now I don’t mind it when people use my images, nothing really worth protecting here. But I don’t like it when they start stealing my bandwidth and spamming my access logs.

So far it has been mostly forums. That’s annoying of course, but people posting in these forums simply don’t know better and there aren’t many hits anyway. Today however I saw that a particular Italian site published news on the Adblock Plus 0.7.5 release and simply hotlinked to the image from my first page. This created over a thousand hits in my access logs on just one day. Too bad for them, because I have now reconfigured my web server to redirect these requests to this little gem (courtesy of hetemeel.com). I wonder how long it will take them to notice this.

And that’s the interesting part about hotlinking: if you hotlink to images on another server there is no guarantee that these images won’t change. John McCain had to learn it the hard way by involuntarily changing his opinion on gay marriage. It is defacement, but in this case it isn’t even illegal, since you are allowed to do with your own content whatever you want.

But that isn’t all of it. As pdp notes over in his blog, sites that hotlink to you can be used to run attacks on other web servers. You can redirect your images to any address you want, and every visitor of the hotlinking site will request that address. That lets you run Denial-of-Service attacks or SQL injection, and the address of your web site will not even show up in the logs of the site being attacked: what they see is the visitors’ IP addresses and, as Referer, the hotlinking page.

So, if you decide to use other people’s content like images, scripts or styles, upload them to your server so you are sure they won’t change. When you are hotlinking you never know what will be on the other end of the link tomorrow. This goes doubly for scripts: a hotlinked script runs in your visitors’ browsers with the full privileges of your page, so whoever controls the other end controls your site.

Edit (17:32): They noticed now. The image has been replaced by another screenshot that they uploaded to their own server this time.

Comment [8]

  1. Jesse Ruderman · 2007-04-24 09:38 · #

    Here’s another fun hotlinking story: http://ascii.textfiles.com/archives/000278.html

  2. Doomguy · 2007-04-24 12:53 · #

    on the other hand, taking a copy and publishing it on your own site can be illegal…

    Reply from Wladimir Palant:

    I doubt hotlinking solves any legal issues. Theoretically anybody using my images should ask for permission first, but so far nobody did.

  3. vi · 2007-04-24 21:16 · #

    There should be some server-side solution to this problem. Like implementing a policy of coherence, so to speak – this specific media file can be used only from within a specific list of pages. I am not sure if that can be done with the current protocols within the current internet framework. In case it is not possible, obviously, new protocols and a new framework are needed.

    And another issue, totally off topic – this is my lazy way of delivering the message.
    Adblock Plus should not do any filtering on FireFTP or any other add-ons with “content”.
    I spent almost a day before I realized that when I upload (via FireFTP) an image named /*banner*/ the whole remote side listing disappears and I can’t get back to the root without closing FireFTP.
    Adblock is great.

    Reply from Wladimir Palant:

    There is a server-side solution – you check the HTTP header Referer and deny the image unless it is correct. Some servers take this approach, but usually you don’t want to do this because it will cause inconvenience for users who have the Referer header changed by a firewall or similar. Unless of course some site starts being really annoying…

    As to FireFTP – I don’t know what it is doing there, must take a look. Usually you would want to filter content other extensions are showing because of RSS readers and the like.

    Reply from Wladimir Palant:

    Ok, I see… I probably should set moz-icon protocol scheme on the whitelist. You can do it yourself before a new version is released, add “moz-icon” at the end of the list in the extensions.adblockplus.whitelistschemes preference.

  4. DS · 2007-04-26 05:57 · #

    Here’s the solution http://www.imgred.com/ (this is not spam) niiiiiice solution… just add the address above to any link and …. hmmm blablablabla… “Well ImgRed.com lets you simply enter the original URL in your post as you normally would, but with http://imgred.com/ written before the URL. When this is viewed, the image will be copied once to imgred.com, and from then on the image will always be served from imgred.com instead of the host site. Additionally, a thumbnail is automatically generated, which can be accessed by adding http://imgred.com/tn/ before the original URL.”

    You’re welcome
    Enjoy :)

  5. Simon · 2007-04-28 02:45 · #

    Hahahaha!! This sure was funny, I mean it’s not, but the way you brought it to us…

    This is exactly what I do with my scripts, not really mine… just check it and you’ll see.

    My scripts: http://userscripts.org/users/21222;scripts

    By the way, I think that I could put Google in place, lol

  6. Roy Gathercoal · 2007-05-20 04:42 · #

    I am a bit confused. This should not come as a surprise in that most of what I find on the Internet these days confuses me.

    re: hotlinking.

    Is what you are talking about substantively different than inserting a webaddress in a blog? (the ubiquitous “here”).

    I’m not sure I understand why a web page should not link to another web page but there is no problem for a blog doing it—it would seem there are many blogs receiving much more traffic than most websites do!

    Please forgive me if this question rudely exposes my ignorance of this sort of thing. Thank you for your patience.

    Roy

    Reply from Wladimir Palant:

    The difference is that in case of a link the user must click it consciously. He will only do so if it looks like something he wants to see. Third-party images however are loaded every time somebody views your site/blog. So we are talking about a much higher number of hits on the third-party site. The user doesn’t see that the images are third-party, so you are basically stealing bandwidth from another site without giving it credit. Also, if the image is replaced by something else nobody will know that you didn’t mean to include it (see John McCain’s case).

  7. What about this · 2007-05-26 15:22 · #

    Isn’t there a way to make it so that your images will only display on your pages? I know of a few sites that do this.

    Reply from Wladimir Palant:

    Sure there is. You can check the Referer header and reject any requests for your images that don’t originate from your sites. But this will cause issues for quite a few users, which is why I usually wouldn’t use this technique.

  8. Alexander Gieg · 2007-06-09 19:27 · #

    Another solution is to not exactly block requests without the Referer header, but to redirect these requests to the Coral Content Distribution Network. I don’t know for sure how this is done in practice, since I’m very much a newbie in these matters, but the theory is as follows:

    * Allow anyone with a valid Referer header to download the content directly from your site.

    * Allow hotlinking from Coral CDN itself, since it must now and then cache your original content. It doesn’t happen more than once every 5 minutes, and even so, only while people are attempting to reach the content through Coral CDN:

    http://wiki.coralcdn.org/wiki.php?n=Main.Servers

    * If someone without a valid Referer header tries to download the content, do an automatic redirect to the coralized version, which is usually done by appending “.nyud.net:8080” to the host name. For example: “http://www.example.com/image.jpg” would redirect to “http://www.example.com.nyud.net:8080/image.jpg”.

    This way, everyone can access the content without that causing problems to your bandwidth. Fast and directly from you if coming from a valid Referer header, slower and indirectly if coming from an invalid Referer.

    It’s a win-win solution, IMHO.

    Reply from Wladimir Palant:

    A redirect requires bandwidth and server resources as well. I don’t want to redirect requests, I want them to stop altogether.
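The Referer check that comments 3, 7 and 8 go back and forth about, as an added example that is not code from the post or from Adblock Plus. It shows the decision a web server makes per image request: serve the image when the embedding page is one of our own, send the browser elsewhere when the Referer names a foreign page, and, the caveat raised in the replies, serve the image when the header is missing, because privacy firewalls and proxies strip it and refusing those requests refuses legitimate visitors too. The host names, the replacement path and the sample Referer values are assumptions made up for the example; `coralize` is the URL rewrite comment 8 describes.

```python
"""Referer-based hotlink handling (added illustration, not the post's code).

Decides how to answer an image request from the Referer header alone.
OWN_HOSTS and REPLACEMENT_IMAGE are assumed values for the example.
"""
from urllib.parse import urlparse

# Hosts whose pages may embed our images (assumed for the example).
OWN_HOSTS = {"adblockplus.org", "www.adblockplus.org"}

# What hotlinkers get instead of the real image (assumed path).
REPLACEMENT_IMAGE = "/hotlink-replacement.png"


def referer_host(referer):
    """Lower-cased hostname from a Referer value, or None if unusable.

    Parsing the URL instead of doing a substring match matters: a Referer
    like http://evil.example/adblockplus.org/ contains our name but is not
    one of our pages.
    """
    if referer is None:
        return None
    parsed = urlparse(referer.strip())
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    return parsed.hostname.lower()


def is_own_host(host, own_hosts=OWN_HOSTS):
    """True for one of our hosts or a subdomain of it.

    adblockplus.org.evil.example must not match, hence the leading dot.
    """
    return any(host == h or host.endswith("." + h) for h in own_hosts)


def decide(referer, own_hosts=OWN_HOSTS, allow_missing=True):
    """Return ("serve", None) or ("redirect", location) for one request.

    referer is the raw Referer header value, or None when absent.
    allow_missing=True is the trade-off the replies point out: an absent or
    empty Referer is served, and only a Referer naming a foreign page is
    treated as hotlinking. Set it to False to refuse anonymous requests too.
    """
    host = referer_host(referer)
    if host is None:
        if referer is None or referer.strip() == "":
            if allow_missing:
                return ("serve", None)
            return ("redirect", REPLACEMENT_IMAGE)
        # Header present but not a usable URL: not one of our pages.
        return ("redirect", REPLACEMENT_IMAGE)
    if is_own_host(host, own_hosts):
        return ("serve", None)
    return ("redirect", REPLACEMENT_IMAGE)


def coralize(image_url, port=8080):
    """Rewrite an image URL to its Coral CDN form as described in comment 8:
    append .nyud.net:<port> to the host so the CDN fetches and caches it.
    """
    parsed = urlparse(image_url)
    netloc = f"{parsed.hostname}.nyud.net:{port}"
    return parsed._replace(netloc=netloc).geturl()


if __name__ == "__main__":
    # Constructed sample Referer values, not real log data.
    samples = [
        None,
        "",
        "http://adblockplus.org/en/",
        "http://forum.example.it/viewtopic.php?t=1",
        "http://evil.example/adblockplus.org/",
        "http://adblockplus.org.evil.example/",
    ]
    for ref in samples:
        print(repr(ref), "->", decide(ref))
    print(coralize("http://www.example.com/image.jpg"))
```

The check works because the browser, not the hotlinking site, fills in Referer from the page that embedded the image, so a forum cannot make its visitors claim to come from your site. It is no defence against a scraper that sets the header itself, and the empty-Referer case is common rather than exceptional: proxies and browser referrer policies routinely send nothing, or only the origin, on cross-site image loads, which is why the replies above treat refusing it as too costly.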

Commenting is closed for this article.