Old 17th March 2014, 15:29   #1
JAROAM
Junior Member
 
Join Date: Mar 2012
Posts: 12
Stream-ripping? Ghost listeners?

Have some folks that're "listening" to my stream for an ungodly amount of time - eight hours, and only that because they time out! Decided to try and look into what these "listeners" are up to.

Seems I can mute the audio and/or even disconnect the stream completely yet these people's listening time continues to roll on even though there's nothing there. I even call these people out over the audio with no avail as their time continues to rack up! Although a couple times they immediately disconnected...interesting.

Seems to be just one address at a time. In some instances, when one "listener" gets booted off after eight hours, another different address almost immediately pops up, so I can't help but think perhaps it's the same person somehow connecting via different addresses.

Some of the addresses are from domains that don't exist. If it's an unused domain, how can someone be listening at that address? Of course if the IP address comes up an actual site, I suppose I don't really know what that means either. Someone in the vicinity of that site's location is listening in?

Am I paranoid? Don't worry about it?

Thoughts?
JAROAM is offline   Reply With Quote
Old 25th March 2014, 22:17   #2
mjbrown
Senior Member
 
Join Date: Aug 2001
Posts: 114
All domain names are mapped to IP addresses, but not all IP addresses are mapped to domain names.

You can plug an IP address into the form at ip2location.com* and get an educated guess at the geographic location of the assignee.

Sometimes the long-term connector is a real listener who left the stream on their office computer while they went home for the weekend. Sometimes it is a stream ripper, just some kid in an Eastern European country padding his MP3 collection. Sometimes it is a web crawler: a content indexing & archiving bot which in this case isn't smart enough to recognize an endless audio stream as something that shouldn't be downloaded in its entirety.

It's up to you to figure out what your policy should be for these "suspicious" long-term listeners. Some people have money and bandwidth to spare, so they don't worry about it. But when you are paying license fees and you only have limited bandwidth, and you have half your listening slots being hogged 24/7 by leeches, no one would blame you for banning IPs any way you can.

Also, maybe this is just paranoia, but I would not put it past a corporate copyright attorney to say that if you didn't take every step you could to block access after noticing long connection times from known streamrip-capable clients (as evident in your server logs), then you had "red flag knowledge" that people were likely "downloading" (making/saving copies) instead of "streaming" (real-time listening only), so you were not eligible to stream under a blanket license. IANAL, though.

You can ban IPs in the DNAS, or using the firewall on the DNAS's host. I did this a long time ago to stop Googlebot (66.249.64.*). With the v2 DNAS you can also create a robots.txt file if you want to ban any bots that obey such files, but I don't know how well this works.

*(not a plug; I use it because Wikipedia does)

Also, the scourge of streamripping is a recurring topic anywhere online broadcasters gather. Not too far down the list of recent threads here, there's this one:
http://forums.winamp.com/showthread.php?t=375367
mjbrown is offline   Reply With Quote
Old 7th May 2014, 20:45   #3
Homer Jenkins
Junior Member
 
Join Date: Aug 2011
Posts: 3
Are the IP addresses 207.244.72.xx?
Homer Jenkins is offline   Reply With Quote
Old 8th May 2014, 04:01   #4
JAROAM
Junior Member
 
Join Date: Mar 2012
Posts: 12
Why yes, yes they are! So what does that mean?
JAROAM is offline   Reply With Quote
Old 11th May 2014, 23:51   #5
voodoohippie
Senior Member
 
Join Date: Jun 2009
Location: Elizabeth City, NC
Posts: 214
Send a message via Yahoo to voodoohippie
Looks like they're around Lynn Mass and their ISP is Pea Island. Now I know that some licensing companies are from Mass. If I remember Loudcaster and Loudcity may have been around those areas. If I remember some of the staff was around there.

Could it be something like Sound Exchange or Sony Music? I've actually had them show up when pulling ip's when I used Shoutcast V1. It may have nothing to do with anything or it may have everything to do with it.

Keep an eye out and let us know.

Great Broadcasting Software Windows XP/7/8
http://nextkast.com

For Progressive Rock, Classic Rock http://thelegacy.shorturl.com
voodoohippie is offline   Reply With Quote
Old 14th May 2014, 22:16   #6
dotme
Moderator
 
dotme's Avatar
 
Join Date: Feb 2005
Location: USA
Posts: 4,024
I would subnet-ban them. That 207.244.72.xxx subnet appears to be one that is used as the command and control center for stream ripping software.

It stays connected 24/7 because it's monitoring what you play. When songs on people's "wishlist" play on your station, the command and control center notifies those people's software, which then connects to your server for the duration of the track. So play a popular track, and you may suddenly see dozens of new connections to your stream.

When the song ends, those connections drop.

But "headquarters" remains connected to continue monitoring your songs.

I issued subnet bans today precisely because of this behavior.
dotme is offline   Reply With Quote
Old 17th May 2014, 00:01   #7
voodoohippie
Senior Member
 
Join Date: Jun 2009
Location: Elizabeth City, NC
Posts: 214
Send a message via Yahoo to voodoohippie
Doesn't sites like Rad.io, Radiosearchengine use this type of monitoring so when someone types AC/DC for an example they may find stations that have played that artist. Or for a more obscure look up someone who loves true Progressive Rock like Starcastle may try and find stations playing or who have played Starcastle. So if you kick off a monitor IP you could kick off legit actual listeners who simply are using a Radio Search Engine. Yes Streamrippers use this as well, but not all use a control server to relay to the ripper. Some good rippers will actually use Shoutcast's web page itself and don't connect to the station until the user decides to actually listen or record from the station.

Do some experiments and maybe do a 30 minute hit list and see of your swamped. If so try kicking off some of those over 24 hr ip's. You'll eventually figure out who the rippers are.

Good Luck!

Great Broadcasting Software Windows XP/7/8
http://nextkast.com

For Progressive Rock, Classic Rock http://thelegacy.shorturl.com
voodoohippie is offline   Reply With Quote
Old 17th May 2014, 05:17   #8
Bryon Stout
Senior Member
 
Join Date: Feb 2011
Posts: 377
seriously.. who cares about rippers.
Bryon Stout is offline   Reply With Quote
Old 19th May 2014, 14:43   #9
dotme
Moderator
 
dotme's Avatar
 
Join Date: Feb 2005
Location: USA
Posts: 4,024
Quote:
Originally Posted by Bryon Stout View Post
seriously.. who cares about rippers.
People who pay royalties, and people with limited server capacity. Stations who pay royalties are paying extra money to accommodate thievery. One or two, not a problem. But when 100 connect at once to grab a track, and that happens several times a day, the effect is twofold. First, legit listeners can't connect if the server is full. Second, ATH/TLH rises, causing a rise in royalty fees.
dotme is offline   Reply With Quote
Old 19th May 2014, 14:47   #10
DrO
 
Join Date: Sep 2003
Posts: 27,873
so the people who try to do the right thing (as most just don't bother) get shafted even more than normal (which sadly seems to be true of so many other things, but seems to cripple broadcasters disproportionately more than really should be the case).
DrO is offline   Reply With Quote
Old 19th May 2014, 20:52   #11
voodoohippie
Senior Member
 
Join Date: Jun 2009
Location: Elizabeth City, NC
Posts: 214
Send a message via Yahoo to voodoohippie
Yes but trying to kill StreamRippers can and often will kill Real Listeners. Hopefully Radionomy will save the day and get a better AutoDj system similar to LiveWebDj or Shout Automation. Or till they do you can join an ad supported program (which often does quite well despite what some people may think) and you'll make money through streaming ads that will pay for your station to be aired legally. I'm not gonna advertise which ad supported program I'm with, but seriously I now make enough through ads that I don't even worry about my station as it sustains its own weight. There is a time you must turn your station into a profit making machine or you'll drown in financial ruin eventually or have to give up your station as I almost had to before I joined an ad supported broadcast program.

I think soon Radionomy will have to make their site easier and more attractive for broadcasters and then everything will be ironed out. In the early days folks recorded from the Radio and that will never stop no matter if you purchase an iRiver Mp3 player/recorder or simply use your sound loop feature on your sound card you can't stop folks who want to record. Its time to move on to Unlimited bandwidth and Ad support.

Best Regards.

Great Broadcasting Software Windows XP/7/8
http://nextkast.com

For Progressive Rock, Classic Rock http://thelegacy.shorturl.com
voodoohippie is offline   Reply With Quote
Old 20th May 2014, 14:38   #12
dotme
Moderator
 
dotme's Avatar
 
Join Date: Feb 2005
Location: USA
Posts: 4,024
Quote:
Originally Posted by voodoohippie View Post
...you can't stop folks who want to record...
But you make yourself a smaller target by following some simple steps. Point is, this latest harvesting system is epidemic. Some broadcasters report spikes of over 1,000 tune-ins for the duration of one song, followed by 1,000 disconnects. Those can be prevented.

Since I issued my subnet ban to the command-and-control center for this software, I no longer see this behavior. That makes me happy. If they move it to a new network, it's easily identified and banned again.
dotme is offline   Reply With Quote
Old 20th May 2014, 14:58   #13
DJ-Garybaldy
Major Dude
 
DJ-Garybaldy's Avatar
 
Join Date: Sep 2003
Location: Harpurhey, Manchester UK
Posts: 1,273
I added the 207.244.72.xxx subnet to all my active shoutcast servers.

I've noticed a sudden drop in the random connects that seemed to be happening.

Quote:
[dest: 71.213.24.92] connection closed (29 seconds) (UID: 109)[L: 4]{Bytes: 184816}(P: 2)
<05/16/14@15:45:57> [dest: 71.213.24.92] starting stream (UID: 110)[L: 5]{A: Windows-Media-Player/12.0.9200.16420}(P: 2)
<05/16/14@15:46:00> [dest: 71.213.24.92] starting stream (UID: 111)[L: 6]{A: NSPlayer/12.00.9200.16437 WMFSDK/12.00.9200.16437}(P: 5)
<05/16/14@15:46:00> [dest: 71.213.24.92] connection closed (2 seconds) (UID: 110)[L: 5]{Bytes: 38164}(P: 2)
<05/16/14@15:46:00> [dest: 71.213.24.92] connection closed (0 seconds) (UID: 111)[L: 4]{Bytes: 24576}(P: 5)
<05/16/14@15:46:01> [dest: 71.213.24.92] starting stream (UID: 112)[L: 5]{A: NSPlayer/12.00.9200.16437 WMFSDK/12.00.9200.16437}(P: 2)
<05/16/14@15:46:02> [dest: 71.213.24.92] starting stream (UID: 113)[L: 6]{A: NSPlayer/12.00.9200.16437 WMFSDK/12.00.9200.16437}(P: 5)
<05/16/14@15:46:02> [dest: 71.213.24.92] connection closed (0 seconds) (UID: 113)[L: 5]{Bytes: 33270}(P: 5)
<05/16/14@15:46:03> [dest: 71.213.24.92] starting stream (UID: 114)[L: 6]{A: NSPlayer/12.00.9200.16437 WMFSDK/12.00.9200.16437}(P: 5)
<05/16/14@15:46:12> [dest: 71.213.24.92] starting stream (UID: 115)[L: 7]{A: Windows-Media-Player/12.0.9200.16420}(P: 6)
<05/16/14@15:46:13> [dest: 71.213.24.92] connection closed (1 seconds) (UID: 115)[L: 6]{Bytes: 39616}(P: 6)
<05/16/14@15:46:13> [dest: 71.213.24.92] starting stream (UID: 116)[L: 7]{A: NSPlayer/12.00.9200.16437 WMFSDK/12.00.9200.16437}(P: 6)
<05/16/14@15:46:14> [dest: 71.213.24.92] connection closed (0 seconds) (UID: 116)[L: 6]{Bytes: 33270}(P: 6)
<05/16/14@15:46:15> [dest: 71.213.24.92] starting stream (UID: 117)[L: 7]{A: NSPlayer/12.00.9200.16437 WMFSDK/12.00.9200.16437}(P: 6)
<05/16/14@15:46:16> [dest: 71.213.24.92] starting stream (UID: 118)[L: 8]{A: NSPlayer/12.00.9200.16437 WMFSDK/12.00.9200.16437}(P: 7)
<05/16/14@15:46:17> [dest: 71.213.24.92] connection closed (1 seconds) (UID: 118)[L: 7]{Bytes: 33270}(P: 7)
<05/16/14@15:46:18> [dest: 71.213.24.92] starting stream (UID: 119)[L: 8]{A: NSPlayer/12.00.9200.16437 WMFSDK/12.00.9200.16437}(P: 7)
<05/16/14@15:46:18> [dest: 71.213.24.92] connection closed (3 seconds) (UID: 117)[L: 7]{Bytes: 83167}(P: 6)
<05/16/14@15:46:18> [dest: 71.213.24.92] connection closed (0 seconds) (UID: 119)[L: 6]{Bytes: 33805}(P: 7)
<05/16/14@15:46:19> [dest: 71.213.24.92] starting stream (UID: 120)[L: 7]{A: NSPlayer/12.0.9200.16384 WMFSDK/12.0}(P: 6)
<05/16/14@15:46:20> [dest: 71.213.24.92] connection closed (1 seconds) (UID: 120)[L: 6]{Bytes: 39616}(P: 6)
<05/16/14@15:46:20> [dest: 71.213.24.92] starting stream (UID: 121)[L: 7]{A: NSPlayer/12.0.9200.16384 WMFSDK/12.0}(P: 6)
<05/16/14@15:46:21> [dest: 71.213.24.92] connection closed (1 seconds) (UID: 121)[L: 6]{Bytes: 14394}(P: 6)
<05/16/14@15:46:21> [dest: 71.213.24.92] starting stream (UID: 122)[L: 7]{A: NSPlayer/12.00.9200.16437 WMFSDK/12.00.9200.16437}(P: 6)
<05/16/14@15:46:22> [dest: 71.213.24.92] connection closed (1 seconds) (UID: 122)[L: 6]{Bytes: 33270}(P: 6)
This is just one example of several hundred that were in the Log files.



Proud USER of RadioDJ since 2010

Online: Twitter - Blog - RadioDJ
DJ-Garybaldy is offline   Reply With Quote
Old 20th May 2014, 16:23   #14
voodoohippie
Senior Member
 
Join Date: Jun 2009
Location: Elizabeth City, NC
Posts: 214
Send a message via Yahoo to voodoohippie
71.213.24.92 is Very suspicious. What is weird is that they are using Centurylink and looks to be a residential connection according to http://en.utrace.de which I use frequently to see where my listeners are from and check on suspicious connections. It may be an individual with a sort of streamripper that scans favorite stations for artist or song that they want to hear/record. It is a very crude streamripper program. You could ban IP's like that as well as look for Rockspace Hosting. I've came across some suspicious connections on my Icecast server coming from them. I've even seen that very same IP address you posted on my Icecast server coming out of Salt Lake City but they didn't have multiple start and stop connections but seem to stick around for days.

If you use the software I promote you can at 30 seconds type some text to desplay on their player like ID - yourstation or ID - yoursite and see if that stops them. The software i promote also allows pre recorded shows to be reported song by song as long as your at the helm while you play your prerecorded show. Something to think about if you want to try and snag those rippers making 1,000 connections at once and yet allow the entire song to play as well as help you discover who is ripping for a normal person would stay until the song is over.

Just a thought.

Great Broadcasting Software Windows XP/7/8
http://nextkast.com

For Progressive Rock, Classic Rock http://thelegacy.shorturl.com
voodoohippie is offline   Reply With Quote
Old 20th May 2014, 16:33   #15
DJ-Garybaldy
Major Dude
 
DJ-Garybaldy's Avatar
 
Join Date: Sep 2003
Location: Harpurhey, Manchester UK
Posts: 1,273
Quote:
Originally Posted by voodoohippie View Post

If you use the software I promote you can at 30 seconds type some text to desplay on their player like ID - yourstation or ID - yoursite and see if that stops them. The software i promote also allows pre recorded shows to be reported song by song as long as your at the helm while you play your prerecorded show. Something to think about if you want to try and snag those rippers making 1,000 connections at once and yet allow the entire song to play as well as help you discover who is ripping for a normal person would stay until the song is over.

Just a thought.
I find Altacast (Edcast Clone) is quite good for streaming with as it has an option in the metadata settings that allows you to change the stream title 30 or so seconds after the track changes in the automation software I use.



But also having a list of IP's that need banning is better.

I decided to start one on my blog if anyone knows any that need adding let me know!

Thanks for the heads up on the 207.244.72.xxx range @dotme

(Oh Voodoo can you stop going on about the software you promote? It's beginning to sound like spam now)



Proud USER of RadioDJ since 2010

Online: Twitter - Blog - RadioDJ
DJ-Garybaldy is offline   Reply With Quote
Old 21st May 2014, 07:22   #16
voodoohippie
Senior Member
 
Join Date: Jun 2009
Location: Elizabeth City, NC
Posts: 214
Send a message via Yahoo to voodoohippie
No problem. Just want to say that any software that allows you to enter metadata 30 seconds before the end of the song will possibly stop a ripper. If not stop it deter one from ripping any more. Nothing is 100% however.

Great Broadcasting Software Windows XP/7/8
http://nextkast.com

For Progressive Rock, Classic Rock http://thelegacy.shorturl.com
voodoohippie is offline   Reply With Quote
Old 27th May 2014, 08:35   #17
dopelabs
Major Dude
 
dopelabs's Avatar
 
Join Date: Oct 2006
Location: Silicon Valley
Posts: 531
Send a message via AIM to dopelabs
many rippers are tailored to use events such as metadata updates to to begin writing new files... i have a few scripts that when combined, do a half decent job. the first one matches against the name of the user agent.. if it matches any strings you specify, ban them.

the second one will change the song title to 'whatever' and then back again, and you can set the frequency... if your interested let me know and ill dig for them and/or just write one fresh.
dopelabs is offline   Reply With Quote
Old 27th May 2014, 18:39   #18
voodoohippie
Senior Member
 
Join Date: Jun 2009
Location: Elizabeth City, NC
Posts: 214
Send a message via Yahoo to voodoohippie
You could set up a Dripbox account or any number of FREE file sharing accounts then upload it and post the link. That way many Shoutcast users can benefit. Maybe Radionomy will use this in their future development of their platform. Just a suggestion.

Great Broadcasting Software Windows XP/7/8
http://nextkast.com

For Progressive Rock, Classic Rock http://thelegacy.shorturl.com
voodoohippie is offline   Reply With Quote
Old 28th May 2014, 00:29   #19
dopelabs
Major Dude
 
dopelabs's Avatar
 
Join Date: Oct 2006
Location: Silicon Valley
Posts: 531
Send a message via AIM to dopelabs
ill post it up on my github and then post the link
dopelabs is offline   Reply With Quote
Old 28th May 2014, 07:29   #20
dopelabs
Major Dude
 
dopelabs's Avatar
 
Join Date: Oct 2006
Location: Silicon Valley
Posts: 531
Send a message via AIM to dopelabs
http://forums.winamp.com/showthread....50#post2996450
dopelabs is offline   Reply With Quote
Old 28th May 2014, 08:53   #21
dopelabs
Major Dude
 
dopelabs's Avatar
 
Join Date: Oct 2006
Location: Silicon Valley
Posts: 531
Send a message via AIM to dopelabs
Quote:
Originally Posted by DOTME View Post
Some broadcasters report spikes of over 1,000 tune-ins for the duration of one song, followed by 1,000 disconnects.
this is a bit amusing, and ill have to say... hats off to whoever put that together... thinking about the concepts required to accomplish such a task has provided me with a few ideas i might pursue. (** ponders... i wonder if i can create a proxy with apache that will basically sit in front of the dnas). all the wonderful things apache has to offer, in this case, mod_rewrite, mod_limit_ipconn, and mod_evasive, could be used in techniques described here (http://forums.winamp.com/showpost.ph...50&postcount=5).


Quote:
Originally Posted by JAROAM View Post
Thoughts?
yes a few thoughts...

1. turn off dnslookups
for ever listener that connects, thats AT LEAST one request your shoutcast server needs to make to the system configured dns server for a lookup request. by turning them off, only the ip addresses should appear on the dnas. this can also improve performance by reducing tune in time.

2. dont get 'too' suspect of listeners that are connected for a long time. i think my record is close to 4 months. that doesnt make me a ripper.

3. logfiles can tell you many things. some important ones are user agent, and client ip. use these and see if any match your website logfiles. you can check and see if the tune ins are all preceeded by http requests for a pls file (if you host them on your website), if they are, please refer to the link above and have fun


maybe one day there could be a libapache2-mod-dnas apache mod, or an httpd 'mode' in which all the dnas http handling would be via httpd=nginx

that is all
dopelabs is offline   Reply With Quote
Old 28th May 2014, 18:48   #22
dopelabs
Major Dude
 
dopelabs's Avatar
 
Join Date: Oct 2006
Location: Silicon Valley
Posts: 531
Send a message via AIM to dopelabs
also here is the php script that will ban if it matches a user agent specified.

http://nathanskelton.com/blog/?p=765

ps. its old, but with a little tinker it can be modified to support v2dnas simply by adding the sid=# string to the urls in the script
dopelabs is offline   Reply With Quote
Old 28th May 2014, 19:40   #23
thinktink
Forum King
 
thinktink's Avatar
 
Join Date: May 2009
Location: On the streets of Kings County, CA.
Posts: 3,009
Send a message via Skype™ to thinktink
http://forums.winamp.com/showpost.ph...4&postcount=16
thinktink is offline   Reply With Quote
Old 28th May 2014, 19:49   #24
dopelabs
Major Dude
 
dopelabs's Avatar
 
Join Date: Oct 2006
Location: Silicon Valley
Posts: 531
Send a message via AIM to dopelabs
yea... ive never experience this problem before though. my song titles change once an hour minimum and i also provide direct download access to the entire library, so im not sure why you would even want to rip =]
dopelabs is offline   Reply With Quote
Old 6th June 2014, 10:36   #25
DJ-Garybaldy
Major Dude
 
DJ-Garybaldy's Avatar
 
Join Date: Sep 2003
Location: Harpurhey, Manchester UK
Posts: 1,273
Has anyone ever seen this in their SC logs?

Quote:
[dest: 199.xx.xx.xxx] starting stream (UID: 2)[L: 2]{A: dummy}(P: 1)
Never seen the user agent say A: dummy before.



Proud USER of RadioDJ since 2010

Online: Twitter - Blog - RadioDJ
DJ-Garybaldy is offline   Reply With Quote
Old 8th June 2014, 04:12   #26
dopelabs
Major Dude
 
dopelabs's Avatar
 
Join Date: Oct 2006
Location: Silicon Valley
Posts: 531
Send a message via AIM to dopelabs
there are many tools which one could use that have the ability to specify custom user agents...

code:
curl -A dummy -o file.mp3 http://serverort
dopelabs is offline   Reply With Quote
Reply
Go Back   Winamp & Shoutcast Forums > Shoutcast > Shoutcast Discussions

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump