Re: [tlug] detect fake HTTP referrer

[Attila Kinali <attila@example.com>]

On Wed, 16 Jan 2008 17:11:14 +0900
"Nguyen Vu Hung" <vuhung16plus@example.com> wrote:

> "http://aoclife.ddo.jp/aoc/recs/";
> 
> while
> 
> "http://aoclife.ddo.jp/aoc/recs/";
> 
> got no referrers !

That does not mean anything. Referers are optional and need
not to be set. 
 
> Total traffic of TheLegionClan_AoC_Pack1_1582_Games.zip is 7.7TB.

Wow! In what timeframe did you reach those 7TB?

> I think that some website has put a link to that file, set referrer to
> 
> "http://aoclife.ddo.jp/aoc/recs/";
> 
> so that the request looks "normal". They are stealing my traffic.

I'm not an expert in HTTP, but i doubt that this is possible.
Referers are a client side thing and just some info for the
server where they are comming from.


> Most of the traffic( IP address ) roots to China.
> 
> Anyone has any ideas how to hunt that site down?

Not really. But i have myself lots of trouble with
Chinese not behaving. Like accessing the viewvc
(fancy svn webinterface) a hundred times a a minute
over hours, all comming from  a couple of IPs from
the same subrange. It usualy ends with me setting an
iptables rule to block that region completely.
Yes, i know it's mean and it's not a real solution,
but i don't really have the time and the motivation
to find ways how to specificaly filter out misbehaving people.

			Attila Kinali

-- 
Praised are the Fountains of Shelieth, the silver harp of the waters,
But blest in my name forever this stream that stanched my thirst!
                         -- Deed of Morred