Better ways to block by user agent, better ways to stop ripping
Regarding the long list of rewrite conditions that
some people use listing hundreds of different rippers:
One simple change in that approach will make it
work a lot better and be MUCH more efficient.
Keep in mind that if, for example, you have a page
with 30 thumbnails, that requires 30 requests to
the server and the server has to process the .htaccess
30 times. If you have 200 rippers listed, then loading
those 30 thumbs means that the server has to
look at and compare the user_agent 30 x 200 times.
That's 6,000 comparisons to be done to load just one page.
This type of thing is why we used to do just fine with
200 MHz Pentium processors in our servers and now
2600 MHz machines aren't fast enough at times -
that's an enormous waste of resources.
It also doesn't work very well since it only blocks the rippers
that a) you know about and b) are too stupid to reset their user-agent.
It also breaks security rule #1:
Disallow everything, then allow only that which is needed.
Take a look at your typical .htaccess for a paysite
and you'll see that rule in action:
deny from all
require valid-user
There's no need to try to list every possible user_agent
who shouldn't be allowed to access your members area.
That list could never possibly be kept current anyway.
Instead just list the four or five browsers that SHOULD
be allowed to access. MSIE, Mozilla (including
Firefox and Netscape versions), Opera and Safari.
If you have videos you'll also allow WMP, RealPlayer,
Quicktime and maybe Xine and XMMS for your Linux customers.
Without videos, that means that instead of 200 conditions
you only have 5-7 and instead of doing 6,000 comparisons
you're only doing 150.
Well, Ray, what if some day a new browser comes along that
a lot of people start using and I don't want to have to go back
and update all of my .htaccess? Ok, fine. Still if the user_agent
is IE we don't have to check 200 times to see if it's also a ripper.
Once we know it's IE or Mozilla we can stop checking:
# Known browsers match here and skip the rules that follow
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/[0-9]\.[0-9].*Gecko [OR]
RewriteCond %{HTTP_USER_AGENT} "^Mozilla/[0-9]\.[0-9] \(compatible; MSIE"
RewriteRule /* - [L]
Now put your 200 rules here, to be checked only if it's not IE or Mozilla.
BTW, the Mozilla Gecko condition picks up Mozilla,
Firefox, Netscape, and Safari because they all use
the Gecko rendering engine.
Better yet, instead of blocking based on User-Agent, which is only going to catch a
few of the people, just block people who actually ARE ripping by using Throttlebox.
__________________
Ray Morris support AT bettercgi.com
Strongbox- The next generation in website security
Throttlebox-The next generation in bandwidth control
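
An added example, not part of the original post: a Python check that runs constructed User-Agent strings through an allowlist built from the post's two patterns, plus an Opera pattern that is an assumption here. It shows first-match short-circuiting, the per-page comparison count, and that a client sending a browser's exact string is still allowed.

```python
import re

# Allowlist checked in order, first match wins (like the [L] rule in the post).
# The first two patterns are the post's; the Opera pattern is an assumption.
ALLOWED = [
    ("gecko", re.compile(r"^Mozilla/[0-9]\.[0-9].*Gecko")),
    ("msie", re.compile(r"^Mozilla/[0-9]\.[0-9] \(compatible; MSIE")),
    ("opera", re.compile(r"^Opera/")),
]

# Constructed User-Agent strings for illustration, not captured traffic.
SAMPLES = {
    "firefox": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) "
               "Gecko/20061010 Firefox/2.0",
    "safari": "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418 "
              "(KHTML, like Gecko) Safari/417.9.3",
    "ie6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "opera": "Opera/9.02 (Windows NT 5.1; U; en)",
    "wget": "Wget/1.10.2",
    "empty": "",
    # A non-browser client that sends a browser's string verbatim.
    "spoofed": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
}


def classify(user_agent):
    """Return (decision, matched_label, comparisons_made) for one request."""
    for count, (label, pattern) in enumerate(ALLOWED, start=1):
        if pattern.search(user_agent):
            return ("allow", label, count)
    # Default deny: nothing on the allowlist matched.
    return ("deny", None, len(ALLOWED))


def page_cost(user_agent, requests=30):
    """Comparisons needed to serve a page that triggers `requests` hits."""
    return requests * classify(user_agent)[2]


def report():
    """Map each sample name to (decision, comparisons per 30-request page)."""
    return {name: (classify(ua)[0], page_cost(ua)) for name, ua in SAMPLES.items()}


if __name__ == "__main__":
    for name, (decision, cost) in report().items():
        print(f"{name:8} {decision:5} {cost:3} comparisons per 30-request page")
```

The spoofed entry is allowed because its string is identical to a real browser's, which is why the post pairs User-Agent filtering with blocking on actual ripping behaviour.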