Hot Linking (also called bandwidth stealing) is a common attack aimed at exhausting the bandwidth of the targeted victim.
The attacking pages link directly to files residing on the victim's site (usually images, since these are large and therefore the most effective for the purpose).
The common method for protecting against hotlinking is to check each request with the rewriting tool provided by the HTTP server, so that bulk requests for images coming from outside the site are refused or diverted.
To verify whether a site is susceptible to hotlinking, it can be checked with an online test such as http://altlab.com/hotlinkchecker.php.
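The same susceptibility check can be run locally. The following Python script is an added example (not part of the original page or of the checker linked above): it fetches one image URL twice, once with the site's own Referer and once with a foreign one, and compares the two answers. A redirect, a refusal, or a different body (the IIS-style internal rewrite answers 200 with the placeholder) all mean the image is protected; an identical image means it is not. The foreign Referer value, the command-line arguments and the function names are constructed assumptions; classify() works on response summaries and needs no network.

```python
import hashlib
import sys
import urllib.error
import urllib.request

# Constructed value: a Referer no real site will whitelist (.invalid is a reserved TLD).
FOREIGN_REFERER = "https://hotlink-check.invalid/page.html"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the server's first answer is observed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, referer):
    """GET url with the given Referer.

    Returns (status, content-type, sha256 of the body). Redirects and error
    statuses surface as HTTPError and are summarised the same way.
    """
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(
        url, headers={"Referer": referer, "User-Agent": "hotlink-self-check/1.0"})
    try:
        with opener.open(req, timeout=10) as resp:
            body = resp.read()
            return resp.status, resp.headers.get("Content-Type", ""), hashlib.sha256(body).hexdigest()
    except urllib.error.HTTPError as err:
        body = err.read()
        return err.code, err.headers.get("Content-Type", ""), hashlib.sha256(body).hexdigest()


def classify(own, foreign):
    """Compare what the site's own pages receive with what a foreign page receives.

    own / foreign are (status, content_type, body_digest) tuples as returned by fetch().
    """
    own_status, own_ctype, own_digest = own
    f_status, f_ctype, f_digest = foreign
    if not (200 <= own_status < 300 and own_ctype.lower().startswith("image/")):
        return "inconclusive"            # the image is not served normally either
    if f_status in (301, 302, 303, 307, 308, 403):
        return "protected"               # redirect (Apache/nginx rules) or refusal
    if 200 <= f_status < 300:
        # an internal rewrite (IIS style) answers 200 with the placeholder body instead
        return "protected" if f_digest != own_digest else "unprotected"
    return "inconclusive"


def check(image_url, own_referer):
    """Full check against a live server: 'protected', 'unprotected' or 'inconclusive'."""
    return classify(fetch(image_url, own_referer), fetch(image_url, FOREIGN_REFERER))


if __name__ == "__main__":
    # usage: python hotlink_check.py https://<my-website>/images/photo.jpg https://<my-website>/
    print(check(sys.argv[1], sys.argv[2]))
```

Run it against one of your own image URLs, passing a page of your own site as the second argument; "inconclusive" means the image did not come back as an image even for your own page, so the URL or the server configuration should be checked first.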
Rewriting Rules Configuration
Each HTTP server has its own way of expressing rewriting rules. In the following, the most widely used HTTP servers are listed:
1. Apache
Apache allows mod_rewrite to be turned on per directory, each with its own configuration, by placing the proper directives in a .htaccess file. To counter common hotlinking, the directives should be placed in the .htaccess file contained in the image folder.
A simple .htaccess configuration against HotLinking could be the following:
===================>8 CUT HERE 8<============================
RewriteEngine on
# allow requests carrying no Referer (direct visits, privacy settings, some proxies)
RewriteCond %{HTTP_REFERER} !^$
# allow pages of the site itself, with or without www., over http or https
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?<my-website>/ [NC]
# never redirect the placeholder itself, otherwise the redirect loops
RewriteCond %{REQUEST_URI} !/noHotLinking\.gif$
RewriteRule \.(jpe?g|png|gif)$ http://<my-website>/images/noHotLinking.gif [NC,R,L]
===================>8 CUT HERE 8<============================
where:
- <my-website> is the site to be protected
- images/ is the folder containing the images
- noHotLinking.gif is the alternative image served to hotlinkers
useful links:
- .htaccess generator: http://www.htaccesstools.com/hotlink-protection/
- prevent-hotlink with .htaccess: https://mediatemple.net/community/products/dv/204644230/prevent-hotlinking-with-a-htaccess-file
- DoS Attack against Apache: https://www.feistyduck.com/library/apache-security/online/apachesc-CHP-5.html
2. Nginx
Nginx needs the rewrite directives placed in the site's configuration file (inside the server block).
A simple directive against Hotlinking could be the following:
===================>8 CUT HERE 8<============================
# the placeholder must stay reachable from anywhere, otherwise the redirect loops
location = /images/noHotLinking.gif {
}
# ~* makes the match case-insensitive, so upper-case extensions need no separate entries
location ~* \.(gif|png|jpe?g)$ {
    # accept: no Referer, Referer stripped by a proxy/firewall, the site and its subdomains
    valid_referers none blocked <my-website> *.<my-website>;
    if ($invalid_referer) {
        # a replacement starting with a scheme makes nginx answer with a redirect
        rewrite \.(gif|png|jpe?g)$ http://<my-website>/images/noHotLinking.gif redirect;
    }
}
===================>8 CUT HERE 8<============================
where:
- <my-website> is the site to be protected
- images/ is the folder containing the images
- noHotLinking.gif is the alternative image served to hotlinkers
useful links:
- nginx - Image hotlink protection using rewrite: http://nodotcom.org/nginx-image-hotlink-rewrite.html
3. IIS
IIS needs the URL Rewrite module enabled; the rules live in web.config (edited either through the GUI or directly).
A simple web.config file against HotLinking could be the following:
===================>8 CUT HERE 8<============================
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Prevent Image Hotlinking" stopProcessing="true">
          <match url=".*\.(gif|jpe?g|png)$" />
          <conditions>
            <!-- allow requests carrying no Referer -->
            <add input="{HTTP_REFERER}" pattern="^$" negate="true" />
            <!-- allow the site itself and its subdomains, over http or https -->
            <add input="{HTTP_REFERER}" pattern="^https?://([^/]*\.)?<my-website>/.*$" negate="true" />
          </conditions>
          <!-- internal rewrite: hotlinkers receive the placeholder with status 200 -->
          <action type="Rewrite" url="/images/noHotLinking.gif" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
===================>8 CUT HERE 8<============================
where:
- <my-website> is the site to be protected
- images/ is the folder containing the images
- noHotLinking.gif is the alternative image served to hotlinkers
useful links:
- How to prevent hotlinking using URL Rewrite: http://www.it-notebook.org/iis/article/prevent_hotlinking_url_rewrite.htm
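The three configurations above (Apache, Nginx, IIS) all encode the same decision. The following Python function is an added illustration of that decision, not code from any of the servers: it accepts an empty Referer, accepts the protected host and its subdomains over http or https, exempts the placeholder so a redirect cannot loop, and sends everything else to the placeholder. The host example.com, the placeholder path and the function names are constructed assumptions. Unlike a bare prefix match on the Referer string, it compares the parsed hostname, so a Referer whose host merely begins with the site name is not accepted.

```python
import re
from urllib.parse import urlsplit

# Constructed assumptions: replace with the protected host and the placeholder path.
PROTECTED_HOST = "example.com"
PLACEHOLDER = "/images/noHotLinking.gif"

# Same extensions as the rewrite rules; case-insensitive like [NC] / ~* / ignoreCase.
IMAGE_RE = re.compile(r"\.(jpe?g|png|gif)$", re.IGNORECASE)


def referer_is_local(referer, host=PROTECTED_HOST):
    """Mirror of the RewriteCond / valid_referers / <conditions> test.

    An empty Referer is accepted (direct visits, privacy settings, stripping proxies),
    as is any http or https URL whose host is the site itself or one of its subdomains.
    """
    if not referer:
        return True
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https"):
        return False
    ref_host = (parts.hostname or "").lower()
    host = host.lower()
    return ref_host == host or ref_host.endswith("." + host)


def decide(path, referer, host=PROTECTED_HOST):
    """Return 'serve' or 'redirect' for one request, as the rewrite rules would."""
    if not IMAGE_RE.search(path):
        return "serve"          # the rules only match image extensions
    if path == PLACEHOLDER:
        return "serve"          # the placeholder is never redirected (no loop)
    if referer_is_local(referer, host):
        return "serve"
    return "redirect"


if __name__ == "__main__":
    # Constructed sample requests, one per case the rules distinguish.
    samples = [
        ("/images/photo.jpg", ""),
        ("/images/photo.jpg", "https://www.example.com/gallery.html"),
        ("/images/photo.jpg", "https://cdn.example.com/page"),
        ("/images/photo.jpg", "https://other.example/page"),
        ("/images/photo.jpg", "http://example.com.other.example/page"),
        ("/images/noHotLinking.gif", "https://other.example/page"),
        ("/docs/readme.txt", "https://other.example/page"),
    ]
    for path, referer in samples:
        print(f"{decide(path, referer):8s}  {path}  Referer={referer!r}")
```

The script prints one line per constructed request; keeping the decision in a single function makes it easy to add a case whenever a rule is changed on one of the servers and confirm the others still agree.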
Other useful Links (about CMS)
- Drupal (official notes): https://www.drupal.org/node/24963