Second Connections
fc*uk
16th October 2007, 14:39
Everyone,
Lately I have noticed a massive amount of 1 - 4 second connections in my DNAS logs. These connections reoccur about every 30 seconds and will continue for hours on end. The main players I have seen do this are Winamp and WMP.
I know the stock answer is 'people don't want to listen', but then why does it go on for hours on end, and why is the duration between connections about the length of the standard buffer at my bitrate for each player?
Basically, I am thinking a clever(ish) ripper. Anyone else been seeing this?
Greg_E
16th October 2007, 17:05
Not since I took my streams off the YP. I reported several of them as an attack, and a few went away shortly after that.
If you look at the client, you'll see that it is not really WMP, but an agent that is made to look like WMP; there is certain info missing from the ripper. Compare them to a real WMP connection and you'll see what I mean.
There is also a thread about this many pages back.
fc*uk
18th October 2007, 23:21
Good catch. I would have never noticed that info was missing from the player connection unless you pointed it out.
Seems like people are starting to catch on to this. However, because this passes the test as a legitimate player it also floats past my anti-rip software.
So, is there any way to stop it?
My ban file grows very large; larger than Saruman's army....
Greg_E
19th October 2007, 00:06
Don't list your stream in the YP? If it is from a different country I would ban the subnet. It would be nice if some kind of automatic filter would be added to Shoutcast to catch and ban these connections. Any connection that repeats at a set interval (T) and repeats X times would get banned for Y hours/days.
fc*uk
19th October 2007, 00:13
Agreed. I am pondering the use of Perl to parse the DNAS logs looking for repeated connections within x amount of time. If Perl hits a positive, then have it add the questionable IP to the ban list. Have cron run the script something like every 15 min.
It just seems too easy, so I am wondering what I am missing before I try it.
Believe me, I want to unlist my servers. However, I need a quick increase in user base. Though this one server on the YP is causing me more grief than my private server has caused me all year.
I might give it another week and then just pony up the extra cash I need myself...
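The log check proposed in the two posts above (short connections that repeat at a set interval T at least X times), as an added example that is not part of the original thread and is written in Python rather than the Perl the poster mentions. The log line format, the sample lines, the thresholds and the names `find_repeaters` and `SAMPLE_LOG` are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# ASSUMPTION: "connection closed" entries look like the constructed sample below;
# adjust LINE_RE to match what your own DNAS log actually contains.
LINE_RE = re.compile(r"<(\d\d/\d\d/\d\d@\d\d:\d\d:\d\d)> \[dest: ([\d.]+)\] "
                     r"connection closed \((\d+) seconds\)")

def _sample(ip, times, secs):
    """Build constructed log lines for one client (times are HH:MM:SS)."""
    return [f"<10/16/07@{t}> [dest: {ip}] connection closed ({s} seconds) "
            f"(UID: 1)[L: 4]{{Bytes: 49152}}(P: 0)" for t, s in zip(times, secs)]

SAMPLE_LOG = (
    # Suspected ripper: 1-4 s sessions roughly every 30 s.
    _sample("192.0.2.10", ["14:00:03", "14:00:33", "14:01:04", "14:01:34",
                           "14:02:03", "14:02:34"], [3, 2, 4, 1, 3, 2])
    # Flaky listener: several short sessions, but at irregular gaps.
    + _sample("198.51.100.7", ["14:00:10", "14:00:20", "14:03:40", "14:04:25",
                               "14:14:25"], [2, 1, 4, 3, 2])
    # Normal listener: one long session, never counted as short.
    + _sample("203.0.113.5", ["15:30:00"], [5400])
)

def find_repeaters(lines, max_secs=4, min_repeats=5, tolerance=5):
    """Return {ip: interval} for IPs with >= min_repeats short sessions at a steady interval."""
    closes = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m and int(m.group(3)) <= max_secs:
            closes[m.group(2)].append(datetime.strptime(m.group(1), "%m/%d/%y@%H:%M:%S"))
    flagged = {}
    for ip, times in closes.items():
        if len(times) < max(min_repeats, 2):
            continue  # too few short sessions to call it a pattern
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        # Steady = at least 80% of gaps sit within `tolerance` seconds of the median gap.
        steady = sum(abs(g - period) <= tolerance for g in gaps)
        if steady >= 0.8 * len(gaps):
            flagged[ip] = period
    return flagged

if __name__ == "__main__":
    for ip, period in find_repeaters(SAMPLE_LOG).items():
        print(f"{ip}: short connections about every {period:.0f} s")
```

Requiring a steady interval as well as a repeat count keeps a listener with a flaky connection out of the result; writing the flagged IPs to a ban list is left out because the thread does not show the ban file format.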
Greg_E
19th October 2007, 13:24
Or you could just ignore these connections and get on with life. If they start knocking off legitimate users then you can spend a lot of time contacting the ISPs to complain about the attack. Generate a form letter and just stick the offending IP in when needed:
Hello, I am the administrator of the Shoutcast servers at your organization (stream URLs or IPs). This morning I checked the logs and see what can only be some kind of attack on our server from one of your customers. This kind of attack (or whatever it is) has been going around the Shoutcast community for the last several months, and we are not really sure what is going on. Here is a sample of the log:
insert copy of the log with many of the offending connections shown
There is no reason whatsoever that a computer should be trying to connect this often and fail. The user agent is also not correct for Windows Media Player as it is missing the secret info of how to tell ripper from real as discussed above that I see when I connect to our stream with WMP. Please stop/disconnect this person from the internet until they can clean their computer and prove that it is virus free, or that they are no longer running the software that is responsible for this activity. If you have any questions, the easiest way to get in touch with me would be by email. But you can also try me at PHONE NUMBER. Thank You, Greg.
So far this worked fairly well for me, but now we are not listed so it isn't as important. Things in italics need to be filled in for your form letter, and obviously I left out how to tell ripper from real so that they don't make the ripper look more realistic. This needs to be in your complaint letter! If not they may not be able to see why this is an "attack" as opposed to just some moron. I usually connected with a real WMP connection for the sampled part of the log for comparison.