Blocking Download Managers and Accelerators

Some users like to use Download Managers & Accelerators in an attempt to complete file downloads faster.

These download managers/accelerators work by creating dozens to hundreds (and sometimes thousands) of independent concurrent and sequential connections, with each connection downloading a different part (byte range) of the same file.

The client sends a request with a “Range” Header specifying the part of the file it wants, and the server returns that part of the file back to the client using the HTTP 206 (“Partial Content”) Response.

This type of download abuse can easily overload your server’s connection limits and resources, and also get around any per-connection bandwidth restrictions you might have set.
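To check whether this pattern shows up in your own traffic, the following added example (not part of the original article) scans Apache access-log lines in common/combined format for bursts of 206 responses sent to one client for one file under /files/. The function name, the threshold and window values, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined log prefix: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_accelerators(lines, prefix="/files/", threshold=8,
                      window=timedelta(seconds=60)):
    """Map (client, path) -> peak count of 206 responses inside any `window`,
    for pairs whose peak reaches `threshold` (assumed values; tune per site)."""
    stamps_by_key = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "206":
            continue                      # only Partial Content responses count
        path = m["path"].split("?", 1)[0]
        if path.startswith(prefix):
            ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
            stamps_by_key[(m["host"], path)].append(ts)
    flagged = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):   # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged

# Constructed sample log lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2024:12:00:{s:02d} +0000] '
    f'"GET /files/big.iso HTTP/1.1" 206 1048576' for s in range(10)
] + [
    '198.51.100.4 - - [10/Mar/2024:12:00:05 +0000] "GET /files/big.iso HTTP/1.1" 200 734003200',
    '198.51.100.4 - - [10/Mar/2024:12:07:41 +0000] "GET /files/big.iso HTTP/1.1" 206 104857600',
    '192.0.2.9 - - [10/Mar/2024:12:01:00 +0000] "GET /files/talk.mp4 HTTP/1.1" 206 2097152',
    '192.0.2.9 - - [10/Mar/2024:12:03:30 +0000] "GET /files/talk.mp4 HTTP/1.1" 206 2097152',
]

if __name__ == "__main__":
    for (client, path), peak in find_accelerators(SAMPLE_LOG).items():
        print(f"{client} {path}: {peak} partial responses within 60s")
```

Only the first client is flagged: a single resumed download and widely spaced partial requests (as a media player might issue) stay below the threshold.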

Here is how to stop these Download Managers dead in their tracks by using mod_headers and mod_rewrite under Apache (or a WAMP Server such as WampDeveloper Pro).

This example will abort all partial requests for content located under the URL:

http://www.example.com/files/

Unset Accept-Ranges Header

Indicate to the clients that the server will not attempt to honor Range requests (partial content requests), by changing Response Header “Accept-Ranges” from “bytes” to “none”.

<IfModule !mod_headers.c>
    LoadModule headers_module modules/mod_headers.so
</IfModule>

<Location /files/>
    <IfModule mod_headers.c>
        Header set Accept-Ranges none
    </IfModule>
</Location>

But this is only a superficial message to the client, that the download manager/accelerator software can easily ignore…

The client is still able to send “Range” requests (partial content requests), and Apache will still return the requested byte range of the file. So let’s remove that option once and for all…

Abort All Range (Partial Content) Requests

<IfModule !mod_rewrite.c>
    LoadModule rewrite_module modules/mod_rewrite.so
</IfModule>

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Detect URL /files/... (REQUEST_URI always begins with a leading slash)
    RewriteCond %{REQUEST_URI} ^/files/
    # Detect "Range" request header
    RewriteCond %{HTTP:Range} !^$
    # Stop and Return HTTP FORBIDDEN (403) response header
    RewriteRule .* - [F,L]
</IfModule>

* If you place this in an .htaccess file instead of inside a VirtualHost block, then “AllowOverride FileInfo” (or “AllowOverride All”) and “Options +FollowSymLinks” (or “Options All”) have to be set (in the VirtualHost) for the directory the .htaccess file is in; otherwise neither mod_rewrite, nor working with the Header data, will work.

* Don’t use “RequestHeader unset Range” as this will get around the mod_rewrite configuration while turning all partial content downloads into full size downloads.

Problems

Incomplete downloads are not resumable… A client will not be able to pause or stop a download, and later resume it.

Downloads started with download accelerators will stop at whatever % of full file size the first connection retrieves.

May also break some:

  • Clients that do streaming of video and audio
  • Clients that do reading/loading of meta-data from large files
  • e-Readers
  • Client-side bandwidth throttling

Notes on using mod_rewrite

Per-directory Rewrites

http://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriterule

For mod_rewrite, “Options FollowSymLinks” must be enabled for anything related to directories to work…

To enable the rewrite engine in this context, you need to set “RewriteEngine On” and “Options FollowSymLinks” must be enabled. If your administrator has disabled override of FollowSymLinks for a user’s directory, then you cannot use the rewrite engine. This restriction is required for security reasons.

Behavior of mod_rewrite in <Location> sections can be unpredictable…

Although rewrite rules are syntactically permitted in <Location> and <Files> sections, this should never be necessary and is unsupported.
