IIS Anti-Hotlinking Script
Description
A medium-complexity script, designed as an extension of a proof-of-concept, to show that it's possible to use basic ASP script components
to stop images from being hot-linked (linked to and/or used from other websites). If hot-linking is detected, you can choose the exact
image you would like to send in place of the image that was requested. Additionally, as the script uses only basic ASP components, no ISAPI
or 3rd party components need to be installed before you can use this script.
Hot-linking can be particularly bad for images because they can be reasonably large, meaning that a few requests can result in a lot
of wasted bandwidth. Why wasted? Because hot-linked images are often being used on other websites, so when a user browses this other site
they see your image but don't actually know it has come from your server, despite the fact that they are using your bandwidth to download it.
As you've no doubt realised this script is effectively acting as a proxy for an image file which physically exists on the disk but which
we don't want to link to directly. Instead the ASP script acts as an intermediate layer which is what allows it to detect and stop
hot-linking while at the same time managing to dynamically serve the correct image to valid users.
The biggest technical problem associated with this script was that, initially, it appeared that ASP was not equipped to read in binary data
from a file and that a 3rd party component would be required. There were also a number of problems with efficiently serving
the binary data back to the client dynamically at run-time. Eventually ADO.Stream was found to support both binary reading
from the filesystem and the ability to pass this data to the ASP Response object as a stream, which in turn allowed a
very efficient delivery process for both the client and our server.
My motivation behind creating this script was to stop a particularly irritating person who had hot linked a large image from my site and
was using it as the background image on her homepage. Needless to say within a few hours of this script going live the hot-linking
stopped.
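The proxy approach described above, sketched as an added example (this is not the downloadable script or its code). The page does not say how hot-linking is detected, so a Referer host comparison is assumed here; the Example_* names and the /protected_img/ directory are hypothetical.

```vbscript
<%
' Added example, not the downloadable script. Example_* names and EX_PRIVATE_DIR are assumptions.
Const EX_PRIVATE_DIR = "/protected_img/"        ' assumed non-public image directory
Const EX_REPLACEMENT = "/images/nohotlink.gif"  ' default replacement image named on this page
' Lower-cased host of an http(s) URL, or "" when it cannot be parsed cleanly.
Function Example_HostOf(url)
    Dim re, m, authority
    Example_HostOf = ""
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "^https?://([^/?#]+)"
    Set m = re.Execute(url)
    If m.Count = 0 Then Exit Function
    authority = LCase(m(0).SubMatches(0))
    If InStr(authority, "@") > 0 Then Exit Function      ' userinfo present: fail closed
    If InStr(authority, ":") > 0 Then authority = Left(authority, InStr(authority, ":") - 1)
    Example_HostOf = authority
End Function

' Exact host match (a substring test would accept "www.example.com.other.net"); an empty Referer is allowed (assumed policy).
Function Example_IsHotlink(referer, ownHost)
    If Len(referer) = 0 Then Example_IsHotlink = False Else Example_IsHotlink = (Example_HostOf(referer) <> LCase(ownHost))
End Function
' Accept bare image file names only, so "..", slashes and other extensions never reach MapPath.
Function Example_SafePath(fileName)
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "^[a-z0-9_-]+\.(gif|jpg|png)$"
    If re.Test(fileName) Then Example_SafePath = Server.MapPath(EX_PRIVATE_DIR & fileName) Else Example_SafePath = ""
End Function

Sub Example_Serve(fileName)
    Dim path, ext, fso, stream, hot
    hot = Example_IsHotlink(CStr(Request.ServerVariables("HTTP_REFERER")), CStr(Request.ServerVariables("SERVER_NAME")))
    If hot Then path = Server.MapPath(EX_REPLACEMENT) Else path = Example_SafePath(fileName)
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    If path = "" Or Not fso.FileExists(path) Then Response.Status = "404 Not Found" : Exit Sub
    ext = Replace(LCase(Mid(path, InStrRev(path, ".") + 1)), "jpg", "jpeg")
    Set stream = Server.CreateObject("ADODB.Stream")
    stream.Type = 1                                      ' adTypeBinary
    stream.Open
    stream.LoadFromFile path
    Response.ContentType = "image/" & ext
    Response.AddHeader "Vary", "Referer"                 ' body depends on Referer; tell caches
    Response.BinaryWrite stream.Read
    stream.Close
End Sub
%>
```

The Referer header is supplied by the client, so a check like this deters casual hot-linking by ordinary browsers and is not an access control.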
Requirements
- IIS 4/5
- Ability to specify custom error handler pages for IIS to use.
- File System Object.
- Regular Expressions.
Installation & Setup
- Save all the files into a directory somewhere within your webroot, and include the main script in your custom 404 handler.
- In your custom 404 error handler page code, add a call to ReDirect_Hotlink before you start the normal handling process. For example, if you were using my 404 script you would need to insert this before ReDirect_Handle gets called and have it look something like ReDirect_Hotlink( ReDirect_Source() ). The function takes one string parameter containing the URL which triggered the 404; this allows it to work out exactly which image it needs to proxy.
- Change the image URL inside ImgProxy_Serve() to reflect your choice of replacement image or return status code. By default we attempt to return /images/nohotlink.gif if we have detected a hotlinker.
- Change the directory names inside ImgProxy_FixPath() to reflect the secondary non-public location of your images. This isn't revealed to the browser but is needed to allow the script to find the real images.
- Change the regular expression inside ReDirect_Hotlink() to reflect the public locations of the images that you want to protect.
User Guide
Assuming you have saved all the files and followed the installation & setup, run demo.asp to verify that image
proxying is working. If this isn't working then there is no point attempting to go on further.
Modify ImgProxy_FixPath() if you haven't done so already, then move the images you want to protect from being
hot-linked away from their regular directory to a new directory which is not linked to directly. This means that you are now
linking to files which don't exist, which is exactly what we want: any requests for these files will result in a 404 error
being generated, and as part of this process any attempt at hot-linking the images will be stopped.
Related Links
- Smart 404 handler: a custom ASP page designed to act as a replacement for the default 404 error page which ships with IIS 4 or 5. Capable of supporting both temporary and permanent redirects (301 & 302), denies (403) and also virtual aliases if you are running IIS 5 or above.