Forum Discussion

R__Winters_7757
Sep 16, 2010

iRule to alert on hotlinking

Hey all,

I am looking for an iRule to trigger an alert whenever hotlinking is detected. We are having issues with phishers mirroring our pages, but thankfully they keep the FQDN of the images, so we would like to use the ASM to detect when our images are being hotlinked.

Note: we do NOT want to block the hotlinking, only trigger an alert with the Referer URL included.

Thanks in advance.

6 Replies

  • Something like this should work for you. Just check the Referer header and see if it's from the same domain as the request.

    when HTTP_REQUEST {
      # Only requests that actually carry a Referer can be checked
      if { [HTTP::header exists "Referer"] } {
        # A same-site reference starts with our own scheme and host
        if { ! ([HTTP::header "Referer"] starts_with "http://[HTTP::host]") } {
          log local0. "Someone is hotlinking this image.  Uri: [HTTP::uri]; Referer: '[HTTP::header Referer]'"
        }
      }
    }

    This only checks http:// requests. You'll need to add additional logic to check for https:// URLs.

    As for alerting, you should be able to set up an alert on syslog to trigger when the above string is added to the log.

    -Joe

  • Joe,

    Thanks for the response. On my own I came up with

    when HTTP_REQUEST {
        # Lower-cased host part of the Referer URL (empty string if the header is absent)
        set refer_host [string tolower [URI::host [HTTP::header Referer]]]
        # Log only image requests that carry a Referer whose host is not in the allowed list
        if { [HTTP::header exists Referer] and ( [matchclass [HTTP::uri] ends_with $::images] ) and ( not [matchclass $refer_host starts_with $::allowed_referers] ) } {
            log "Warning, Hotlinking detected from: $refer_host"
        }
    }

    I just had two questions:

    1. If I add a data group list for allowed_referers, how are those input? FQDN? Just host? i.e. example.com, www.example.com, or http://www.example.com

    2. What is the significance of "local 0"?

  • local 0 is the logging level for syslog, 0 being the highest, 7 the lowest:

    0  emergencies    System unusable
    1  alerts         Immediate action required
    2  critical       Critical condition
    3  errors         Error conditions
    4  warnings       Warning conditions
    5  notifications  Normal but significant conditions
    6  informational  Informational messages
    7  debugging      Debugging messages

  • As far as the header Referer goes, this header would include the full URL, including protocol, just like you would see it in the URL field in the browser. For example:

    http://www.example.com/this/that/theother.jsp

    So, since you are using the URI::host method, this would extract the host and your refer_host variable would be set to www.example.com, if we follow the prior example.

    So, if you were using starts_with, you would have to match all possibilities at the beginning of the URL, i.e. www.example.com, example.com, goodstuff.example.com, etc.

    If you are just interested in a domain (example.com), then I would change the operator to ends_with and just specify example.com as a string or put it in your class.

    DeVon

  • I'd try to tailor the iRule (and optionally datagroup) for your exact scenario to minimize the load this would use. If you only have one or two domains that should be referring to your web app and it's only http://, for example, I'd avoid a datagroup and any parsing of the Referer header. If it's more complicated than that, I'd suggest using timing to compare the efficiency of parsing the Referer header and/or checking against a datagroup.

    Also, the log command accepts a syslog facility, as you mentioned. If you don't specify the facility, the log messages are throttled:

    http://devcentral.f5.com/wiki/default.aspx/iRules/log

    There is a significant behavioral difference when the optional facility.level prefix is specified. When an iRule logs messages without the facility and/or level, they are rate-limited as a class, and subsequently logged messages within the rate-limit period may be suppressed even though they are textually different. However, when the facility and/or level are specified, the log messages are not rate-limited (though syslog-ng will still perform suppression of repeated duplicates).

    Aaron
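The Referer classification the thread converges on (the original poster's URI::host parsing plus DeVon's ends_with suggestion) has two edge cases worth checking before wiring it to an alert: a bare ends_with on "example.com" also accepts "notexample.com", and a starts_with on "http://www.example.com" also accepts "http://www.example.com.phish.invalid/...". The following is an added Python model of the detection logic, not code from the thread or from F5; the allowed domain, image suffixes and sample traffic are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample policy (not from the thread): domains we serve, image suffixes we watch
ALLOWED_DOMAINS = ("example.com",)
IMAGE_SUFFIXES = (".jpg", ".png", ".gif")

def referer_host(referer):
    """Lower-cased host of a Referer URL, "" when absent (like [string tolower [URI::host ...]])."""
    if not referer:
        return ""
    return (urlsplit(referer).hostname or "").lower()

def host_in_domain(host, domain):
    """True when host is the domain itself or a subdomain of it. A bare ends_with check
    would also accept 'notexample.com'; requiring the leading dot avoids that."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)

def classify(uri, referer):
    """Classify one request: 'ignored' (not an image), 'direct' (no Referer: typed URL,
    bookmark, privacy setting), 'internal' (allowed domain, http or https) or 'hotlink'."""
    path = uri.split("?", 1)[0].lower()          # like: matchclass [HTTP::uri] ends_with $::images
    if not path.endswith(IMAGE_SUFFIXES):
        return "ignored"
    host = referer_host(referer)
    if not host:
        return "direct"                          # a missing Referer is not evidence of mirroring
    if any(host_in_domain(host, d) for d in ALLOWED_DOMAINS):
        return "internal"
    return "hotlink"

def scan(requests):
    """Return (uri, referer_host) for every request classified as a hotlink."""
    return [(u, referer_host(r)) for u, r in requests if classify(u, r) == "hotlink"]

# Constructed sample traffic, not taken from the thread
SAMPLE = [
    ("/img/logo.png", "https://www.example.com/login"),              # internal, https handled too
    ("/img/logo.png", "http://goodstuff.example.com/a.jsp"),          # internal subdomain
    ("/img/logo.png", None),                                          # direct, no Referer
    ("/img/logo.png", "http://notexample.com/fake-login"),            # hotlink: ends_with would pass it
    ("/img/logo.png?v=2", "http://www.example.com.phish.invalid/x"),  # hotlink: starts_with would pass it
    ("/index.html", "http://phish.invalid/"),                         # ignored, not an image
]

if __name__ == "__main__":
    for uri, host in scan(SAMPLE):
        print(f"Warning, Hotlinking detected from: {host} (uri {uri})")
```

The same host-boundary rule applies whichever way the allowed list is stored in a datagroup: store bare hosts (example.com) rather than full URLs, since URI::host has already stripped the scheme and path.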