Recently to help a customer to deal with the problem of video chain theft, really be tossed enough. The other party used a small factory CDN, anti-theft chain simply open a Referer check, the results of the next day traffic as usual was brushed burst. A check of the log, good guy, the attacker directly forged Referer head, easily dragged the resources to the bottom of the sky. These days, even the CDN have to “defense teammates”, just rely on the basic configuration really can not top ah.
In fact, video chain theft has long been nothing new, but it has become more and more rampant in the past two years. Blackmail gangs even engaged in automated tools, specializing in scanning sites for anti-stolen chain vulnerabilities. I tested and found that sites that rely solely on Referer authentication, 90% or more can be bypassed - after all, the HTTP header thing, in the client is a little girl to dress up. What's worse, some crawlers directly simulate browser behavior, even Referer are generated for you according to the specification, can not be defended.
A truly effective defense must be multi-layered; referer authentication is the foundation, but it has to be coupled with URL encryption and dynamic tokens. Don't look at these two tricks old-fashioned, used correctly can carry most of the attacks. Especially the time-sensitive token, I used to use SHA256 as a signature, the client IP, timestamps, resource paths are stirred together encrypted, the expiration time is set to be shorter, even if it is intercepted, it will be invalidated very quickly.
Don't believe those who say “HTTPS natural anti-theft chain” nonsense. HTTPS can only prevent the middleman snooping, but after the authorization of the request to be stolen as stolen. Last year, there was a case of an educational platform video was raked clean, is because of the use of static tokens in the JS, people directly F12 turned upside down.
On the choice of CDN service providers, I compared three: CDN5, CDN07 and 08Host. CDN5's anti-theft chain configuration is the most flexible, support for custom variable encryption, but the price is high; CDN07's interface is foolproof, suitable for novices, but the advanced features have to increase the money; 08Host price-performance ratio of the absolute, with the WAF integration, but also according to the region set up a different anti-theft chain policy, I Handled by the small and medium-sized projects eighty percent with it.
There is one pitfall to be aware of when actually deploying: don't use explicit parameters in the URL for permission checking! I've seen people stuffing the userId directly into the URL, and the result was traversed to crawl through all the user videos. The correct approach is to put the verification logic on the edge of the CDN node, using variable mapping relationships. For example, CDN07's configuration background can set the edge function to directly verify the validity of the token:
Here's another tip: video slicing with forensics is more secure. Slice large files into ts segments and authorize each segment individually. Although it adds a little delay, the security factor is doubled. Once a customer was stolen chain, because of the use of slicing + dynamic token, the attacker only dragged away 5 minutes of content by the token failure mechanism to stop, the loss is directly controlled within the threshold.
Finally, the industry is in disarray. Some CDN vendors to the basic anti-chain theft blown sky-high, in fact, even the timestamp replay attack can not prevent. If you really want to do high defense, you have to see whether the service provider supports key rotation, whether to provide real-time monitoring of chain theft. 08Host in this piece of work is quite real, the background can directly see the attempt to steal the chain mapping, and even the source of the attack AS number are labeled out for you.
To be honest, there is no one-size-fits-all solution for security. I weekly spot-checked the logs of the client's website to prevent chain theft, and sure enough, I have found a few abnormal requests: some use overseas proxy IPs, and some specialize in picking the early hours of the morning to try to find out. Now simply wrote a script to automatically black anomalous Pattern, combined with CDN5 API real-time update blacklist. This set of combined punches down, the last six months and then no successful cases of chain theft.
In short, chain theft is like a cat and mouse game, the core idea is to increase the cost of the attack. referer authentication is the first door, URL encryption is the second, dynamic tokens is the third. The three lines of defense are superimposed + regular strategy adjustments, in order to let the chain thieves feel that gnawing on this piece of bone you might as well go to find a softer persimmon. After all, the video copyright is real money to buy, was stripped bare but even pants are not left.
