Old 20th May 2014, 00:00   #1
BLCR
Member
 
Join Date: Feb 2014
Posts: 62
Server Getting Slammed

During the last few days we have come across where a couple of our servers... and just a couple of ports on each server (different locations) gets hit by up to 300 or more listeners all at same time. After a few moments they drop off and the stream gets what would be the normal/expected number of listeners. Some times passes by then it happens again.

Might anyone else have this experience, or is there something in the YP that may be making this happen?

We also have a customer who has a server with a different provider where the same is happening.

Thanks for the help.
BLCR is offline   Reply With Quote
Old 20th May 2014, 00:05   #2
DrO
 
Join Date: Sep 2003
Posts: 27,873
have you started to look at where those connections come from? as that is the best starting point (especially since i've not had a chance to disable the YP handling which was mentioned in http://forums.winamp.com/showthread.php?t=377531 on Saturday - though am trying to do that now before i forget again amongst all of the Winamp work that is my focus nowadays).

[edit]
that change in that thread has now been made.
DrO is offline   Reply With Quote
Old 20th May 2014, 14:33   #3
dotme
Moderator
 
dotme's Avatar
 
Join Date: Feb 2005
Location: USA
Posts: 4,024
Quote:
Originally Posted by BLCR View Post
During the last few days we have come across where a couple of our servers... and just a couple of ports on each server (different locations) gets hit by up to 300 or more listeners all at same time. After a few moments they drop off and the stream gets what would be the normal/expected number of listeners. Some times passes by then it happens again.

Might anyone else have this experience, or is there something in the YP that may be making this happen?

We also have a customer who has a server with a different provider where the same is happening.

Thanks for the help.
Solution:

1) Issue a SUBNET ban to this IP range: 207.244.72.0-255 (Ban Whole Subnet option)

2) After you issue the ban, check your listener page for connections that are from 207.244.72.xx - When you find them, kick them. They won't come back because you banned the subnet.

You will decapitate the system. Cut it's head off, and the command and control center can't give marching orders to the end-user software any more.
dotme is offline   Reply With Quote
Old 20th May 2014, 19:35   #4
kqlz
Junior Member
 
kqlz's Avatar
 
Join Date: Dec 2001
Location: Los Angeles, CA
Posts: 19
Send a message via AIM to kqlz
I am getting the same thing from all over the place 300+ at a time.
It last for about 200 seconds or more then they all disconnect at once.
Next hour it starts all over again.

Seems kinda strange.

I knocked my listeners down to 100 from 500 and an hour later all 100 was filled.
All IP's were from Europe.

This has been going on since 5/8/2014.

Not sure what they are trying to do other then run up my royalty and performance fees.
kqlz is offline   Reply With Quote
Old 26th May 2014, 16:28   #5
dopelabs
Major Dude
 
dopelabs's Avatar
 
Join Date: Oct 2006
Location: Silicon Valley
Posts: 531
Send a message via AIM to dopelabs
some log output would be good to know... user agent?... im not sure if its related but... there is an online game mtasa.com that allows people to develop in game apps. its basically gta online but open source. theres a few 'radio' apps that will essentially force anyone within the earshot range to make a request for the pls and tune in...

most of these apps have stations that they developer hardcoded in so they cant change.. some have custom entry by the gamer, etc...

some of these radio apps have used the 'siren' function to basically make what they are listening to heard by anyone within the earshot range of the siren, normally on police etc. so because its not local in game media, now every time a player is in ear shot, a new http get request is made for the pls, and they try and tune in...

if you know that style of game you can imagine a car hauling ass on a heavily populated gaming server and smashing into a crowd of people... if their radio was on.. thats right, they are all asking for your pls and tuning in. because of the nature of that game, you could also see drive byes happen in real time if your tailing the logfile...

and because of the nature of gameplay, its mostly all short lived connections. and if you think about it, the desired effect prob never happens. take into account the time it takes to get the pls file, tune in, buffer, etc, and finally begin local playback. i would bet most of these tune ins never actually hear anything from the stream, or very little.

i have always published a self hosted pls file instead of linking directly to the shoutcast server pls url. thus it seems thats what the developers of the app are using as well. so if you want to try and verify if this is what is happening to you, i would start by looking at your access logs wherever you have your pls file hosted.

BASS/2.4, SA-MP, and MTA:SA are the http user agents im seeing grabbing the pls files by tailing the apache logs...

code:

[26/May/2014:05:32:58 -0700] "GET /listen.pls HTTP/1.1" 200 473 "-" "MTA:SA Server 94.23.95.132:22444 - See http://mtasa.com/agent/"
[26/May/2014:05:34:02 -0700] "GET /listen.asx HTTP/1.1" 200 511 "-" "SA-MP/0.3"
[26/May/2014:05:34:52 -0700] "GET /listen.asx HTTP/1.1" 200 454 "-" "BASS/2.4"



they usually come in groups of about 20+ for me. but i guess it all really depends on what your broadcasting and how populated that server is.

i really didnt notice any negative effects from this, but im also not sure how things would react on a larger scale.

if you are tracking listener stats like hits and average listener time like i am, this would most likely throw all those numbers off.

they could have each stations pls file hard coded in the app. so if the url changes, it would break that station, and they would need to update it again. maybe it calls home to get a fresh list of active stations.

shrug.

just thought i would chime in because the symptoms seem close, just about all the requests are coming from eu ip space.. lots of .ru .hu and so on.

also this

http://forum.mtasa.com/viewtopic.php?f=91&t=73859


i think its bad design to allow anyone (gamer in a car with radio on) to force anyone within earshot to perform an http get request for a pls file.

i was pondering solutions to prevent these tune ins from throwing off my stats.

i did this with apache mod_rewrite/.htaccess on the web server where i host my pls.

here is the entry in my .htaccess

code:

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} BASS [OR]
RewriteCond %{HTTP_USER_AGENT} MTA [OR]
RewriteCond %{HTTP_USER_AGENT} SA-MP
RewriteRule .* mtasa.pls [L]



in words,

any request made by user agents containing BASS or MTA or SA-MP will be redirected to mtasa.pls.

the mtasa.pls file is in the web root and contains the url to a dedicated shoutcast server.

so i got to thinking here... ok i can send them to a dedicated server, this also means that i can now control the content independently.
we know they are online games so we can make a good assumption as to the age range, game habbits, etc.. use this to give them that authentic 'radio' experience with targeted advertising.

how about a rick roll every now and then.. maybe a yackitty yack, and dont forget to put on the ritz.... oh, and kittens.

i then began to ponder a bit more... "since the above rewrite example can be used to return any file you want, how about a pls file to a stream thats eq'd to sound like old ass am radio... what happens if i rewrite to a static audio file on the web server.. what happens if that audio file is a format thats not usually found on a streaming server... what happens if i jack the bitrate way up like an uncompressed stream... what happens if i rewrite them to a pls file that has a huge fille size.. like a few gigs.. i wonder what else can be returned to all of these unwilling innocent by-standers... i wonder what fun i could have with netcat,tcpwrappers, and iptables... or a simple php proxy script i wonder if theres a way to tarpit ones connection to the stream as to force their connection to stay open, somehow making it so gamers couldnt turn it off... mwaahahaaa"

and then i think i fell asleep...

i finally went with just went with forcing anyone tuning in from within the game to a dedicated instance of shoutcast, which is set to relay my main feed.
dopelabs is offline   Reply With Quote
Old 28th May 2014, 19:35   #6
thinktink
Forum King
 
thinktink's Avatar
 
Join Date: May 2009
Location: On the streets of Kings County, CA.
Posts: 3,009
Send a message via Skype™ to thinktink
Quote:
Originally Posted by dotme View Post
...SUBNET ban to this IP range: 207.244.72.0-255 (Ban Whole Subnet option)...
https://www.robtex.com/ip/207.244.72.0.html#records

https://www.robtex.com/dns/hosted-by.leaseweb.com.html

https://www.robtex.com/route/207.244.72.0-24.html
thinktink is offline   Reply With Quote
Reply
Go Back   Winamp & Shoutcast Forums > Shoutcast > Shoutcast Technical Support

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump