
Forum Moderators: Ocean10000 & incrediBILL & keyplyr


1900 hits from images.yahoo.com

     
6:04 am on Sep 11, 2012 (gmt 0)

Junior Member

joined:Sept 1, 2012
posts: 86
votes: 0


Yesterday, my website came under continual attack (DoS?) from a yahoo referrer/user agent listed below. The hits occurred every 10-15 seconds and were continuous when they stopped in the early am. At least 1900 hits (I think).

This is the referrer/ua. (URI etc. changed)

24.190.103.173 - - [07/Sep/2012:02:57:48 -0400] "GET
/cgi-bin/referers.cgi?http://images.search.yahoo.com/images/view;_ylt=A0PDoTHcCUlQh38AzK.JzbkF;_ylu=X3oDMTBlMTQ4cGxyBHNlYwNzcgRzbGsDaW1n?back=http%3A%2F%2Fimages.search.yahoo.com%2Fsearch%2Fimages%3Fp%3Dkeyword_one%2Bkeyword_two %26_adv_prop%3Dimage%26va%3Dkeyword_one%2Bkeyword_two%26fr%3Dyfp-t-701%26tab%3Dorganic%26ri%3D122&w=750&h=500&imgurl=www.example.com%2Fpicture_gallery%2Fimages%2Flocation_of_image%2image.jpg& rurl=http%3A%2F%2Fwww.example.com%2Fpicture_gallery%2Fimage_location.html&size=81.9+KB&name=image_title%29&p=keyword_one+keyword_two&oid=c8a97c65e40bca9a6331f36da03145c4&fr2=&fr=yfp-t-701&tt=image_title%2529&b=121&ni=112&no=122&ts=&tab=organic&sigr=123rbb8eu&sigb=14545eqhn&sigi=13aikubif&.crumb=NZ.bhUZyY2s
HTTP/1.1" 404 486
"http://www.example.com/picture_gallery/image_location.html"
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.5;
.NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR
2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

According to my logs, this user agent seems to want the image contained in the folder www.example.com/picture_gallery//images/location_of_image/image.jpg.

Weird.

Hosting company said no impact to their system because bytes served were low and server was returning 404.

The "GET" references a perl logging script using a 1px by 1px web beacon.

[edited by: incrediBILL at 2:45 am (utc) on Sep 12, 2012]
[edit reason] broke up long referer [/edit]

9:38 am on Sept 11, 2012 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5460
votes: 3


deny from 24.190.103.173
or
RewriteCond %{REMOTE_ADDR} ^24\.190\.(9[6-9]|10[0-3])\.

If you'd like to lessen the innocents?

#UA contains GTB and comes from Optimum WRRNNJ
RewriteCond %{HTTP_USER_AGENT} GTB
RewriteCond %{REMOTE_ADDR} ^24\.190\.(9[6-9]|10[0-3])\.
RewriteRule .* - [F]
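
How far the range condition in the post above reaches, as an added example (not part of the original post): it expands the `REMOTE_ADDR` pattern into CIDR blocks and mirrors the two stacked conditions. The helper names and the constructed user-agent strings are assumptions; the probe of third octets only is valid because this pattern stops after the third octet.

```python
import ipaddress
import re

# Pattern copied from the RewriteCond %{REMOTE_ADDR} line in the post
RANGE_RE = re.compile(r"^24\.190\.(9[6-9]|10[0-3])\.")

def matched_networks(pattern, first_two="24.190"):
    """Probe every third octet under first_two and collapse the matching /24s to CIDR."""
    hits = [ipaddress.ip_network(f"{first_two}.{octet}.0/24")
            for octet in range(256)
            if pattern.search(f"{first_two}.{octet}.1")]
    return list(ipaddress.collapse_addresses(hits))

def would_block(ip, user_agent, require_gtb=True):
    """Mirror the stacked RewriteCond lines: address in range AND (optionally) 'GTB' in the UA."""
    in_range = bool(RANGE_RE.search(ip))
    ua_match = "GTB" in user_agent  # RewriteCond %{HTTP_USER_AGENT} GTB is case-sensitive
    return in_range and (ua_match or not require_gtb)

if __name__ == "__main__":
    for net in matched_networks(RANGE_RE):
        print(net, net.num_addresses, "addresses")
    # Constructed requests: same ISP range, with and without the toolbar token
    print(would_block("24.190.103.173", "Mozilla/4.0 (compatible; MSIE 8.0; GTB6.5)"))
    print(would_block("24.190.100.9", "Mozilla/5.0 (constructed, no toolbar)"))
```

The range-only condition covers the whole block, while the two-condition version lets through same-range visitors whose user agent lacks the toolbar token.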
6:30 pm on Sept 11, 2012 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8981
votes: 409


@slipkid

I wouldn't block 24.190.103.173 because it's a cable ISP and you'd be blocking real visitors.

See if you can block something unique to the UA.
6:41 pm on Sept 11, 2012 (gmt 0)

Junior Member

joined:Sept 1, 2012
posts: 86
votes: 0


@ keyplyr

I kind of figured it had something to do with a user's mouse. Researched the URI and found as indicated that it was coming from New Jersey.

Don't use Google ToolBar... so not familiar if it had anything to do with the constant stream of hits.

My pics are the more popular pages on my site, so don't want to exclude them in robots.txt.

I consider this a one-off problem, and will monitor to see if it happens again.

Thanks all for the help.
9:58 pm on Sept 11, 2012 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13840
votes: 485


Yesterday, my website came under continual attack (DoS?) from a yahoo referrer/user agent listed below.

Putting a search engine in the forged-referer slot is a tried and true approach. Most of the time the exact wording is wrong, so you can block them even if you don't want to block the honest users coming in from real searches.

Now, personally I don't care much for yahoo so their image search goes straight into the hotlink bin without checking to see whether it's real or not. But ymmv.

I kind of figured it had something to do with a user's mouse.

Huh. Most people would blame the user's cat. But to each his own :)
11:15 pm on Sept 11, 2012 (gmt 0)

Junior Member

joined:Sept 1, 2012
posts: 86
votes: 0


Partial to dogs, hate cats. Would not give credit to a cat's intelligence to hit a mouse button every fifteen seconds...
11:43 pm on Sept 11, 2012 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8981
votes: 409



Now, personally I don't care much for yahoo so their image search goes straight into the hotlink bin without checking to see whether it's real or not. But ymmv

I get triple digit daily traffic from Yahoo/Bing/Google image search, but I guess if you don't want traffic coming to your site then blocking them is an alternative. And BTW, once again this has nothing to do with hot-linking, at least not from the major SEs.
2:12 am on Sept 12, 2012 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13840
votes: 485


once again this has nothing to do with hot-linking

Your server can't tell the difference between a hotlink and a "google image search sent me". (Uh... You did know that, didn't you? :() They both come through as referers, so any routine aimed at one kind will automatically pick up the other. Which is why at least half of my current hotlink exemptions are for assorted legitimate* google functions. Conversely, certain image directories are roboted-out because I know by direct experience that people aren't interested in the pages; they're just collecting hotlink fodder.


* For a given definition of "legitimate". I know some people have serious issues with Translate, but mine are perfectly respectable and there's no reason to block them.
2:57 am on Sept 12, 2012 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5460
votes: 3


For a given definition of "legitimate". I know some people have serious issues with Translate, but mine are perfectly respectable and there's no reason to block them.

Opinions are like. . . . ;)
6:56 am on Sept 12, 2012 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8981
votes: 409


Your server can't tell the difference between a hotlink and a "google image search sent me".

Sure I can because Google does not hotlink my images, at least not what I consider hotlinking. They are doing my bidding :)

I use a script that checks a few things any time a request is made for a file residing on my server from a remote source. It also busts the display of said image if the referrer isn't my site, and the human instantly gets pulled to my page where the image is.
7:35 am on Sept 12, 2012 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13840
votes: 485


Sure I can

YOU can. Your server can't. You didn't actually read my post, did you?

the human instantly gets pulled to my page

Well, that's one way to use Image Search to generate traffic.
1:16 pm on Sept 12, 2012 (gmt 0)

Junior Member from DE 

10+ Year Member

joined:June 25, 2005
posts:181
votes: 1


I'm a little confused.

yahoo referrer/user agent

Sorry, but I see neither a Yahoo referrer nor a Yahoo user agent.
2:20 pm on Sept 12, 2012 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5460
votes: 3


A0PDoTHcCUlQh38AzK.JzbkF;_ylu=X3oDMTBlMTQ4cGxyBHNlYwNzcgRzbGsDaW1n?back=http%3A%2F%2Fimages.search.yahoo.com%2Fsearch%2Fimages%3Fp%3Dkeywor
8:12 pm on Sept 12, 2012 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13840
votes: 485


I see neither a Yahoo referrer nor a Yahoo user agent.

Technically you're right. But I think the sample line is a request sent to the OP's analytics program. In that case his own page would be listed as the referer, while the referer for that page would go into the request's query string. Go back a few lines in the logs and you'll find the original page request, with Yahoo in the referer line.
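
The log reading described in the post above, as an added example (not part of the thread): it parses combined-format lines, recovers the referer that the beacon carries in its query string, and flags clients that hit the beacon at a steady short interval. The function names, thresholds, the 203.0.113.5 visitor and the shortened Yahoo URL are constructed assumptions; the beacon path, the 24.190.103.173 address and the page referer come from the log line in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
from urllib.parse import urlsplit

LINE = re.compile(  # Apache "combined" log format
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
BEACON = "/cgi-bin/referers.cgi"  # beacon path taken from the thread's log line
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Split one log line; for beacon hits, recover the referer host from the query string."""
    m = LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    path, _, query = rec["uri"].partition("?")
    rec.update(time=datetime.strptime(rec["ts"], TS_FMT), is_beacon=path == BEACON,
               embedded_host=urlsplit(query).hostname if path == BEACON else None)
    return rec

def repeating_clients(lines, min_hits=5, max_median_gap=20):
    """Map (ip, embedded_host) -> (hits, median gap in seconds) for steady beacon repeaters."""
    times = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["is_beacon"]:
            times[(rec["ip"], rec["embedded_host"])].append(rec["time"])
    flagged = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if len(ts) >= max(min_hits, 2) and median(gaps) <= max_median_gap:
            flagged[key] = (len(ts), median(gaps))
    return flagged

def sample_lines():
    """Constructed sample: six beacon hits 12 s apart, plus one ordinary visitor."""
    fmt = ('{ip} - - [{ts}] "GET /cgi-bin/referers.cgi?{ref} HTTP/1.1" 404 486 '
           '"http://www.example.com/picture_gallery/image_location.html" "Mozilla/4.0 (constructed)"')
    start = datetime.strptime("07/Sep/2012:02:57:48 -0400", TS_FMT)
    yahoo = "http://images.search.yahoo.com/images/view?back=http%3A%2F%2Fimages.search.yahoo.com"
    lines = [fmt.format(ip="24.190.103.173", ref=yahoo,
                        ts=(start + timedelta(seconds=12 * i)).strftime(TS_FMT)) for i in range(6)]
    lines.append(fmt.format(ip="203.0.113.5", ref="http://www.example.org/", ts="07/Sep/2012:03:10:00 -0400"))
    return lines

if __name__ == "__main__":
    print(repeating_clients(sample_lines()))
```

In each parsed record the `referer` field is the site's own page, and the search engine only shows up in `embedded_host`, which is why the sample line in the first post looks as if it has no Yahoo referer.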
11:26 pm on Sept 12, 2012 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8981
votes: 409



YOU can. Your server can't. You didn't actually read my post, did you?

I read your entire post. I answered it accordingly. You didn't actually read my post, did you? LOL

e.g. my SERVER can tell the difference because of the script I have in place. Sorry, not going into any more detail on a public forum.

Anyway, as stated above, I enjoy the traffic resulting from image searches and do not consider it hotlinking since they have my full approval to do so.
1:10 am on Sept 13, 2012 (gmt 0)

Junior Member

joined:Sept 1, 2012
posts: 86
votes: 0


I see neither a Yahoo referrer nor a Yahoo user agent.


I agree with what Lucy24 has pointed out.

I am still learning how to frame issues on the forum.
3:00 am on Sept 13, 2012 (gmt 0)

Junior Member from US 

10+ Year Member

joined:Apr 4, 2004
posts:180
votes: 1


Goodness. All you need is an .htaccess file and use the RewriteCond %{HTTP_REFERER} bit. Just Google something like stop hotlinking. It's not rocket science.
 
