IP Ban List Stream Ripper

[feelo24]

I have some joker who has been ripping my stream, however, I have banned his IP, but it looks like he has a stream ripper program that continues to try and connect, as my server keeps posting IP in ban list, disconnecting over and over again. I am posting here so that you may be aware of this person's IP address in case you see him in your servers.

<01/25/04@14:34:39> [dest: 24.199.250.146] starting stream (UID: 216)[L: 4]{A: Streamripper/1.x}(P: 3)
<01/25/04@14:35:08> [dest: 192.168.1.1] kicked and banned with mask 255
<01/25/04@14:35:08> [dest: 24.199.250.146] connection closed (29 seconds) (UID: 216)[L: 3]{Bytes: 368640}(P: 3)
<01/25/04@14:35:10> [dest: 24.199.250.146] IP in ban list, disconnecting

[djmastermind]

Good job banning them. Thanks for the information.

[feelo24]

For anyone who is interested I have found free software that does an IP lookup and tells you everything regarding that IP address as well as the internet provider and their information for contacting them for abuse. If any of you are interested pm me and I will email it to you. It is called IP lookup.

I used it to send this guys IP an email regarding his abuse.

Thanks

[DJ Killer]

FYI roadrunner's ip's are dynamic, so a ban of longer than a month may cause a non-ripping user to be blocked.

[djmastermind]

Actually, mine is static and I use Roadrunner. I don't believe that we asked specifically for a static IP, either.

[DJ Killer]

thats because you havent reset your modem or they just know how to manage a network, in general after 30 days the ip is reset, if they come back on, ban it again. I need to automate this task, but i have other pressing engagements :P

[DJHotIce]

honestly... My IP hasn't changed in about 8 months! And I don't have a static service offered to me. Funny it keeps the same IP even when I release and renew!

[DJ Killer]

um thats local ip, not outside... lmao, only your router can renew and release the external ip

[jackherer]

Erm, you can renew and release your Internet IP manually on some routers (d-link for one). Some cable providors will give you the same ip over and over unless you change the mach address of the WAN port on the router (or change the router).

[Vchat20]

hey. i got roarunner as well. we are supposed to have a dnamic ip, but its never changed since we first got it back in une of last year. and i have reset the modem many times.

EDIT: btw, i dont know if this idea will fly or not. as well, i dont know if anyone has prposed it yet, but what about a global stream ripper ip database? where it will list up-to-date ip's of known streamripper's to the public so people can keep their banlist file updated.

[djmastermind]

Personally, I think it's a good idea. But I see some cons that one might think to bring up:

If this list is made and stations block these IPS as their added, they won't ever be able to listen innocently.

It's also just kind of rude to place a list of IPs and tell everyone to ban them.

[Vchat20]

well, a few of those cons can be overcomed easily. #1, people do not HAVE to ban these ip's. for some people they can be used as a double check. so that if they see someone logged in to their stream for hours or more at a time, they can check that ip against whats listed on the database. if it's there, they know to ban it. and as far as banning innocent ip's, a few things could be required for verification before the submitted ip get banned. as far as past stream rippers that were banned. if they want to be unbanned (say they stopped ripping and went innocent), they could contact the people at the global database. they will be unbanned, but if they streamrip anymore, they get banned once more and get a much more nastier banning this time around (either no unbanning ever again or something else).

[djmastermind]

I definitely see your points. I actually do think that it's a wonderful idea, but I don't think that it will always be used properly or that others will be for it.

Keep in mind that some IPs are dynamic as well.

[DJ Killer]

im working on Project X which should solve this, but more important events have thrown this to the backburner

[madmick]

I don't often resort to personal attacks or details,but when a banned ip starts sending e-mails with malicious attachments then I feel obliged to inform others.

The IP in question
151.29.255.172
I have also sent an e-mail to his service provider based in Italy.




Caroline Trance Radio B'ham ..Uk

[Jay]

Quote:

Originally posted by Vchat20
btw, i dont know if this idea will fly or not. as well, i dont know if anyone has prposed it yet, but what about a global stream ripper ip database? where it will list up-to-date ip's of known streamripper's to the public so people can keep their banlist file updated.

this is a bad idea, exactly what methods will be employed to determine that an ip is in fact ripping? What stops a paranoid operator from banning anything looking suspicious to them? Typically streamrippers rip because they like the content you play they will not typically visit more then 3 or 4 stations. Nor will they typically go outside the boundries of their taste. This idea is aken to a blacklist and typically blacklists hurt more innocent people then guilty. Also if someone really wants your stream and doesn't want to be notice they can setup recording software to mask it's identity and carefully use your rules against you.

[EDIT clarified what I was responding to with a quote. -KXRM]

[madmick]

Well paranoia has not set in as yet,and whilst I do not believe in ripping,I am not totally adverse to it,given certain criteria.
a)The ripper uses one facility not two
winamp+freeamp does arouse my suspicions,
and since I pay for the slots this can be annoying.

and to quote you if I am not mistaken it is better to play to people who want to listen then a machine that does nothing else but drain resources.

In this instance the ip in question was banned previously and allowed back,I do allow banned ips back on; I have never banned permanently.

The situation this time is the malicious E-mail which had an attachment which my mail server banned because it was malicious.
This I draw the line at.

[madmick]

oops done twice

[Jay]

I was not responding in regards to your post, I was responding to this idea of a ban list db thing.

[madmick]

My apologies I just realised it was not directed at me.

[BMAXRadio]

Does this behavior appear to be a stream ripper? Both IPs are located in the Netherlands... I just banned them both.


<02/20/04@07:57:17> [dest: 129.11.30.78] starting stream (UID: 21546)[L: 4]{A: WinampMPEG/2.9}(P: 4)
<02/20/04@08:05:41> [dest: 129.11.30.78] starting stream (UID: 21547)[L: 5]{A: FreeAmp/2.x}(P: 3)
<02/20/04@08:05:43> [dest: 129.11.30.78] connection closed (2 seconds) (UID: 21547)[L: 4]{Bytes: 286416}(P: 3)
<02/20/04@08:06:08> [dest: 129.11.30.78] starting stream (UID: 21548)[L: 5]{A: FreeAmp/2.x}(P: 3)
<02/20/04@08:06:24> [dest: 129.11.30.78] connection closed (16 seconds) (UID: 21548)[L: 4]{Bytes: 509952}(P: 3)
<02/20/04@08:09:38> [dest: 129.11.30.78] starting stream (UID: 21549)[L: 5]{A: FreeAmp/2.x}(P: 3)
<02/20/04@08:14:02> [dest: xx.xx.xx.xx] kicked
<02/20/04@08:14:02> [dest: 129.11.30.78] connection closed (1005 seconds) (UID: 21546)[L: 4]{Bytes: 16298288}(P: 4)
<02/20/04@08:17:40> [dest: 129.11.30.78] starting stream (UID: 21550)[L: 5]{A: WinampMPEG/2.9}(P: 5)
<02/20/04@08:18:03> [dest: xx.xx.xx.xx] kicked
<02/20/04@08:18:03> [dest: 129.11.30.78] connection closed (505 seconds) (UID: 21549)[L: 4]{Bytes: 8345141}(P: 3)
<02/20/04@08:18:03> [dest: 129.11.30.78] starting stream (UID: 21551)[L: 5]{A: FreeAmp/2.x}(P: 3)
<02/20/04@08:19:02> [dest: xx.xx.xx.xx] kicked and banned with mask 255
<02/20/04@08:19:02> [dest: 129.11.30.78] connection closed (83 seconds) (UID: 21550)[L: 4]{Bytes: 1536685}(P: 5)
<02/20/04@08:19:05> [dest: xx.xx.xx.xx] kicked
<02/20/04@08:19:05> [dest: 129.11.30.78] connection closed (61 seconds) (UID: 21551)[L: 3]{Bytes: 1233621}(P: 3)
<02/20/04@08:19:05> [dest: 129.11.30.78] IP in ban list, disconnecting
<02/20/04@08:19:06> [dest: 129.11.30.78] IP in ban list, disconnecting
<02/20/04@08:19:08> [dest: 129.11.30.78] IP in ban list, disconnecting


==============

<02/20/04@09:44:37> [dest: xx.xx.xx.xx] kicked
<02/20/04@09:44:37> [dest: 80.133.227.37] connection closed (344 seconds) (UID: 21645)[L: 2]{Bytes: 5780328}(P: 2)
<02/20/04@09:44:41> [dest: xx.xx.xx.xx] kicked
<02/20/04@09:44:41> [dest: 80.133.227.37] connection closed (297 seconds) (UID: 21646)[L: 1]{Bytes: 5015552}(P: 3)
<02/20/04@09:44:41> [dest: 80.133.227.37] starting stream (UID: 21647)[L: 2]{A: FreeAmp/2.x}(P: 0)
<02/20/04@09:44:55> [dest: 80.133.227.37] starting stream (UID: 21648)[L: 3]{A: WinampMPEG/2.9}(P: 3)
<02/20/04@09:45:04> [dest: xx.xx.xx.xx] kicked and banned with mask 255
<02/20/04@09:45:04> [dest: 80.133.227.37] connection closed (22 seconds) (UID: 21647)[L: 2]{Bytes: 621720}(P: 0)
<02/20/04@09:45:05> [dest: 80.133.227.37] IP in ban list, disconnecting
<02/20/04@09:45:06> [dest: xx.xx.xx.xx] kicked
<02/20/04@09:45:06> [dest: 80.133.227.37] connection closed (12 seconds) (UID: 21648)[L: 1]{Bytes: 397601}(P: 3)
<02/20/04@09:45:06> [dest: 80.133.227.37] IP in ban list, disconnecting
<02/20/04@09:45:08> [dest: 80.133.227.37] IP in ban list, disconnecting
<02/20/04@09:45:09> [dest: 80.133.227.37] IP in ban list, disconnecting


==============

[Jay]

yup probably

[rockgod]

http://webcasteru.com/sam2_snippets/ban_rippers.php

this is a php script that floated around on the Shoutcast mailing list. It will auto ban streamripping programs and you can add to the list if new ones arise. Just open up the php page after you upload it to your webserver and leave it open it will refresh every 30 seconds or you can adjust the refresh rate to whatever you wish.

[BMAXRadio]

I'm sorry, but I don't quite understand exactly how that works. Would I download that php page, and upload to my webspace... in any directory? Do I have to modify any part of that php file before doing so?

Are they are any other preventative stream-ripping programs/scripts out there?

[rockgod]

go to http://webcasteru.com/sam2_snippets.php to get the code. just copy and paste the code to a text file put in your server info then rename that text file ban.php and upload to your webserver. Then open that page.


edit this part:

// Server configuration
$server = 'my.server';
$portnumber = 'my.port';
$username = 'my.shoutcast.username';
$password = 'my.shoutcast.password';

[BMAXRadio]

Okay, I've got it up and running. It works with the programs listed in the php file, but a ripping program called "ripcast" shows up as Winamp 2.7. In the list of known ripping programs, can I just enter: "2.7" (since putting "winamp" will ban all winamp users)?

// Check is case insensitive and partial, so don't put "winamp" as this will ban all listeners using Winamp
$knownrippers = array ("Streamripper", "FreeAmp", "UnknownPlayer", "Pathfinder", "sr-POSIX/1.32","andycadd1","AmiNetRadio","UPLAYER","HiDownload", "jake" ,"JetAudio" ,"TotalRecorder");

[rockgod]

This is what I have in mine. It will not ban all "winamp" as I am using this exact setting:

// Array of user agents to look for.
// Check is case insensitive and partial, so don't put "winamp" as this will ban all listeners using Winamp
$knownrippers = array ("Streamripper", "FreeAmp", "UnknownPlayer", "Pathfinder", "sr-POSIX/1.32","andycadd1","AmiNetRadio","UPLAYER","HiDownload", "jake" ,"JetAudio" ,"TotalRecorder" ,"BASS" , "WinAmp 4.x" , "WinAmp/2.x");
?>
The script looks for the exact phrases in between the "qoutes"

If you were to just put "winamp" then it would ban all winamp agents.

[ruffdawg]

So maybe instead of having a IP ban list, we could DL that PHP snippet and we could add in all the fake players we see, so that way we can ban only the player, and not the person. This way, if the person does want to listen innocently, he/she can do so.

[BMAXRadio]

Gotcha! Dont' some people still use Winamp 2 on slower computers to listen regularly though (not rip)?

[rockgod]

BMax I dont believe there was ever a winamp release that had 2x or 4x for a release number. The only reason I found that out is because i copied the ips in my ban list to a file and cleared the ban list. I noticed an IP that was using winam 4.x as a player was no using winamp/2x so it made sense he was ripping.

I believe the new ripping programs are allowing a name change for the player so they can try and hide that they are ripping a stream.

[rockgod]

ruffdawg I believe for something like you suggest that it would have to be built in to the shoutcast server itself. Maybe the good people at shoutcast will add that to the next server release. great idea by the way!!

[BMAXRadio]

One last thing... since you're entering your shoutcast login information with password, couldn't somebody just download the php file and see that server login information?

I can't manage to do this so I'm guessing it's not possible.. is this a security feature of a php file?

[rockgod]

Thats the great thing about PHP when they go to View Source all the see is the out-put. Unless I am wrong and I hope not. Maybe Jay can spread a little more light on that subject. He knows more about PHP than me.

[Jay]

the only thing you have to worry about is if your php interpreter goes down then all php code is displayed.

One problem I see with employing this is it gives you guys a sense of security that is false, that script only uses User-Agent strings and we all know how reliable that information is.

[madmick]

When you go to for the "snippets code" I noticed its in html form,is this ok to upload ????


Caroline Trance Stream

[rockgod]

copy an paste the code into a text file then rename the text file to ban.php upload to your webserver then open the page http://mywebsite.com/ban.php

[madmick]

When I open the php from site this is what I get. Is it correct?

(.+)<\/LISTENERS>/", $xml, $regs)) { print "Could not find information. Possible incorrect username or password."; exit; } $blocks = split ("", $regs[1]); array_pop ($blocks); // Loop through each listener foreach ($blocks as $block) { preg_match ("/(.+)<\/USERAGENT>/", $block, $regs); $useragent = $regs[1]; preg_match ("/(.+)<\/POINTER>/", $block, $regs); $pointer = $regs[1]; preg_match ("/(.+)<\/HOSTNAME>/", $block, $regs); $hostname = $regs[1]; print "Known ripper found: "; $ripperfound = false; foreach ($knownrippers as $lookfor) { if (stristr ($useragent, $lookfor)) { $ripperfound = $lookfor; } } // Ripper found. Ban listener. if ($ripperfound) { print "$ripperfound for pointer $pointer. Banning "; $fp = @fsockopen ($server, $portnumber, $errno, $errstr, 30); if (!$fp) { print "failed
\n"; } else { fputs ($fp, "GET /admin.cgi?mode=bandst&bandst=$pointer&banmsk=255 HTTP/1.1\r\nHost: $server:$portnumber\r\nUser-Agent: Mozilla/4.0\r\nAuthorization: Basic ".base64_encode ("$username:$password")."\r\n\r\n"); fclose ($fp); print "successful!"; if ($recipient) { mail($recipient, "Listener banned", "$hostname\n$useragent", "From: $recipient"); } } } else { print "No ($useragent)"; } print "
\n"; } } ?> This surely is not right,looks like my server or I need php

[rockgod]

Did you fill out this part and did you name the file ban.php:

Does your web server support PHP?

// Server configuration
$server = 'my.server';
$portnumber = 'my.port';
$username = 'my.shoutcast.username';
$password = 'my.shoutcast.password';

?

[madmick]

Well its tripod guess not, upgrading server soon and tnx for help,yes i did have the other fields filled in.

[rockgod]

Yea Tripod does not support PHP. Most of the free webhosters dont. May want to consider getting a new cheap hosting company. I got a webhosting company thats got a plan for 5.95 a month, perfect for small stations.