I am webmaster of a small website called www.real-songs.com The site is a way for unsigned bands in the Northeast of England to get their music heard and promoted and as such stores around 100 MP3 files of different band's songs. On Friday lunch time the site traffic suddenly spiked with the following file http://www.real-songs.com/mp3Player.swf?mp3File=./Uploads/1f2837001ddc18fc5778db174a813fd1.mp3
being uploaded 9136 times in one hour?
mp3Player does exactly what it says on the tin and is embedded in another PHP generated page that has other information about the track and the band. It's not available directly through the site and is not even visible unless somebody looks at the background code on the site? I can find no errors in the code that would continually download the song, just downloads once using about 7mb of bandwidth

The attack appears to have originated in the network of Orange UK in StAlbans but I'm getting no help from them at all.

Does anyone know how I could go about establishing what caused the attack, and how I can prevent direct access to these MP3 files used in the site? I've tried preventing directory browsing but this doesnt prevent access to the individual files.?

Do people have to be registered to access the files?

If you can get the people to register first you could prevent non-registered members from accessing the files at all.

Another option could be to serve the files using PHP, possibly not the best way of dealing with the files, but it will give you a lot more control as you can place the files below the site root, so the only way to access is via a PHP script.


Thanks for the reply

No the users don't have to register for the site they can just play the files. It seems the attack was automated in some way, that is I cant think of anyone pressing the refresh button 7,000 times in one hour?

Can you explain abit further what you mean by "serve the pages in php"

My site root (as provided by the ISP) is public_html, everything's in there. If I place the files below that directory that would prevent direct access to the files?

I appreciate the pointers


Hi Alan,

Files below the root folder (public_html) can only be accessed by your scripts - public access is not possible.

For example:
You can't specify www.domainname.com/../folder_below_root

it just won't work.

However you can specify in your php file (which for this example is in your root folder):

$sMusicSrc = '../folder_below_root/';

You can then use PHP's readfile function to get the specified file from your specified folder.

readfile($sMusicSrc . 'filename.mp3');

Now that you're using a PHP file to 'serve' the file you could place restrictions by logging the IP address for example. too many requests for the same file by the same IP address = block it!

I believe that not all browsers submit the IP address in the header, but this, I would have thought would be a minority.

Having said that I have only used this for downloading files, not for playing from an imbedded MP3 player, but I'm sure it would work.

Within your code you would then specify the source to be:
<embed src="phpfile.php?id=b56fe59d70e65730a69ecdae1ab5eb33.mp3" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="150" height="75"></embed>

I forgot to mention, I used this with users having to be members (free), but I could check as soon as the php file was requested if the user was logged in. If not then it wouldn't work. It would take them back to the registration page.

Even if someone has the direct link (in the embed section) of your code it doesn't matter because you have ultimate control over who accesses it.

Thanks for the help I've gone from tearing my hair out to knowing what I have to do, in an afternoon! :icon_cheesygrin:

no problems, glad I could be of help.