Results 1 to 4 of 4

Thread: Unusual log entries, possible RTMP dumping application?

  1. #1
    Join Date
    Sep 2010
    Posts
    7

    Default Unusual log entries, possible RTMP dumping application?

    We are using RTMP to serve copyrighted video content for an e-learning course.
    We have noticed an unusual pattern in the logs coming from a specific user's IP. There are thousands of entries like these ones below (server and client details have been removed - the "requested_video" is always the same file):
    #Fields: date	time	tz	x-event	x-category	x-severity	x-status	x-ctx	x-comment	x-vhost	x-app	x-appinst	x-duration	s-ip	s-port	s-uri	c-ip	c-proto	c-referrer	c-user-agent	c-client-id	cs-bytes	sc-bytes	x-stream-id	x-spos	cs-stream-bytes	sc-stream-bytes	x-sname	x-sname-query	x-file-name	x-file-ext	x-file-size	x-file-length	x-suri	x-suri-stem	x-suri-query	cs-uri-stem	cs-uri-query
    2013-06-11	00:00:00	CET	unpause	stream	INFO	200	requested_video.mp4	-	_defaultVHost_	vod	_definst_	200.757	[any]	1935	rtmp://server.ip.address/vod	client.ip.address	rtmp	referer_URL	WIN 11,1,102,55	1403635171	25158	69659323	1	2832981	0	69489237	requested_video.mp4	-	/usr/local/WowzaMediaServer/content	mp4	90572086	4271.56	rtmp://server.ip.address/vod/requested_video.mp4.mp4	rtmp://server.ip.address/vod/requested_video.mp4.mp4	-	rtmp://server.ip.address/vod	-
    2013-06-11	00:00:00	CET	pause	stream	INFO	200	requested_video.mp4	-	_defaultVHost_	vod	_definst_	200.946	[any]	1935	rtmp://server.ip.address/vod	client.ip.address	rtmp	referer_URL	WIN 11,1,102,55	1403635171	25188	69871077	1	2840960	0	69700755	requested_video.mp4	-	/usr/local/WowzaMediaServer/content	mp4	90572086	4271.56	rtmp://server.ip.address/vod/requested_video.mp4.mp4	rtmp://server.ip.address/vod/requested_video.mp4.mp4	-	rtmp://server.ip.address/vod	-
    2013-06-11	00:00:00	CET	unpause	stream	INFO	200	requested_video.mp4	-	_defaultVHost_	vod	_definst_	201.365	[any]	1935	rtmp://server.ip.address/vod	client.ip.address	rtmp	referer_URL	WIN 11,1,102,55	1403635171	25218	69871311	1	2842987	0	69700755	requested_video.mp4	-	/usr/local/WowzaMediaServer/content	mp4	90572086	4271.56	rtmp://server.ip.address/vod/requested_video.mp4.mp4	rtmp://server.ip.address/vod/requested_video.mp4.mp4	-	rtmp://server.ip.address/vod	-
    2013-06-11	00:00:01	CET	pause	stream	INFO	200	requested_video.mp4	-	_defaultVHost_	vod	_definst_	201.551	[any]	1935	rtmp://server.ip.address/vod	client.ip.address	rtmp	referer_URL	WIN 11,1,102,55	1403635171	25248	70078314	1	2850965	0	69907522	requested_video.mp4	-	/usr/local/WowzaMediaServer/content	mp4	90572086	4271.56	rtmp://server.ip.address/vod/requested_video.mp4.mp4	rtmp://server.ip.address/vod/requested_video.mp4.mp4	-	rtmp://server.ip.address/vod	-
    2013-06-11	00:00:01	CET	unpause	stream	INFO	200	requested_video.mp4	-	_defaultVHost_	vod	_definst_	201.937	[any]	1935	rtmp://server.ip.address/vod	client.ip.address	rtmp	referer_URL	WIN 11,1,102,55	1403635171	25283	70078548	1	2852992	0	69907522	requested_video.mp4	-	/usr/local/WowzaMediaServer/content	mp4	90572086	4271.56	rtmp://server.ip.address/vod/requested_video.mp4.mp4	rtmp://server.ip.address/vod/requested_video.mp4.mp4	-	rtmp://server.ip.address/vod	-
    2013-06-11	00:00:01	CET	pause	stream	INFO	200	requested_video.mp4	-	_defaultVHost_	vod	_definst_	202.122	[any]	1935	rtmp://server.ip.address/vod	client.ip.address	rtmp	referer_URL	WIN 11,1,102,55	1403635171	25313	70277150	1	2860971	0	70105888	requested_video.mp4	-	/usr/local/WowzaMediaServer/content	mp4	90572086	4271.56	rtmp://server.ip.address/vod/requested_video.mp4.mp4	rtmp://server.ip.address/vod/requested_video.mp4.mp4	-	rtmp://server.ip.address/vod	-
    2013-06-11	00:00:02	CET	unpause	stream	INFO	200	requested_video.mp4	-	_defaultVHost_	vod	_definst_	202.506	[any]	1935	rtmp://server.ip.address/vod	client.ip.address	rtmp	referer_URL	WIN 11,1,102,55	1403635171	25343	70277384	1	2852992	0	70105888	requested_video.mp4	-	/usr/local/WowzaMediaServer/content	mp4	90572086	4271.56	rtmp://server.ip.address/vod/requested_video.mp4.mp4	rtmp://server.ip.address/vod/requested_video.mp4.mp4	-	rtmp://server.ip.address/vod	-
    2013-06-11	00:00:02	CET	pause	stream	INFO	200	requested_video.mp4	-	_defaultVHost_	vod	_definst_	202.691	[any]	1935	rtmp://server.ip.address/vod	client.ip.address	rtmp	referer_URL	WIN 11,1,102,55	1403635171	25373	70475986	1	2860971	0	70304254	requested_video.mp4	-	/usr/local/WowzaMediaServer/content	mp4	90572086	4271.56	rtmp://server.ip.address/vod/requested_video.mp4.mp4	rtmp://server.ip.address/vod/requested_video.mp4.mp4	-	rtmp://server.ip.address/vod	-
    2013-06-11	00:00:02	CET	unpause	stream	INFO	200	requested_video.mp4	-	_defaultVHost_	vod	_definst_	203.076	[any]	1935	rtmp://server.ip.address/vod	client.ip.address	rtmp	referer_URL	WIN 11,1,102,55	1403635171	25403	70476220	1	2862997	0	70304254	requested_video.mp4	-	/usr/local/WowzaMediaServer/content	mp4	90572086	4271.56	rtmp://server.ip.address/vod/requested_video.mp4.mp4	rtmp://server.ip.address/vod/requested_video.mp4.mp4	-	rtmp://server.ip.address/vod	-
    2013-06-11	00:00:02	CET	pause	stream	INFO	200	requested_video.mp4	-	_defaultVHost_	vod	_definst_	203.262	[any]	1935	rtmp://server.ip.address/vod	client.ip.address	rtmp	referer_URL	WIN 11,1,102,55	1403635171	25433	70687176	1	2870976	0	70514974	requested_video.mp4	-	/usr/local/WowzaMediaServer/content	mp4	90572086	4271.56	rtmp://server.ip.address/vod/requested_video.mp4.mp4	rtmp://server.ip.address/vod/requested_video.mp4.mp4	-	rtmp://server.ip.address/vod	-
    2013-06-11	00:00:03	CET	unpause	stream	INFO	200	requested_video.mp4	-	_defaultVHost_	vod	_definst_	203.676	[any]	1935	rtmp://server.ip.address/vod	client.ip.address	rtmp	referer_URL	WIN 11,1,102,55	1403635171	25463	70687410	1	2872981	0	70514974	requested_video.mp4	-	/usr/local/WowzaMediaServer/content	mp4	90572086	4271.56	rtmp://server.ip.address/vod/requested_video.mp4.mp4	rtmp://server.ip.address/vod/requested_video.mp4.mp4	-	rtmp://server.ip.address/vod	-
    2013-06-11	00:00:03	CET	pause	stream	INFO	200	requested_video.mp4	-	_defaultVHost_	vod	_definst_	203.861	[any]	1935	rtmp://server.ip.address/vod	client.ip.address	rtmp	referer_URL	WIN 11,1,102,55	1403635171	25493	70894165	1	2880960	0	70721493	requested_video.mp4	-	/usr/local/WowzaMediaServer/content	mp4	90572086	4271.56	rtmp://server.ip.address/vod/requested_video.mp4.mp4	rtmp://server.ip.address/vod/requested_video.mp4.mp4	-	rtmp://server.ip.address/vod	-
    2013-06-11	00:00:03	CET	unpause	stream	INFO	200	requested_video.mp4	-	_defaultVHost_	vod	_definst_	204.255	[any]	1935	rtmp://server.ip.address/vod	client.ip.address	rtmp	referer_URL	WIN 11,1,102,55	1403635171	25523	70894399	1	2882987	0	70721493	requested_video.mp4	-	/usr/local/WowzaMediaServer/content	mp4	90572086	4271.56	rtmp://server.ip.address/vod/requested_video.mp4.mp4	rtmp://server.ip.address/vod/requested_video.mp4.mp4	-	rtmp://server.ip.address/vod	-
    2013-06-11	00:00:04	CET	pause	stream	INFO	200	requested_video.mp4	-	_defaultVHost_	vod	_definst_	204.442	[any]	1935	rtmp://server.ip.address/vod	client.ip.address	rtmp	referer_URL	WIN 11,1,102,55	1403635171	25553	71094561	1	2890965	0	70921419	requested_video.mp4	-	/usr/local/WowzaMediaServer/content	mp4	90572086	4271.56	rtmp://server.ip.address/vod/requested_video.mp4.mp4	rtmp://server.ip.address/vod/requested_video.mp4.mp4	-	rtmp://server.ip.address/vod	-
    So the client pauses and unpauses the stream almost twice every second, however the stream position is advancing by 8-10 seconds per pause/unpause. Bytes transferred also increase by a number which corresponds to those 8-10 seconds.
    The same user has been doing this for days on all the videos offered to them. For every hour of video content, these repeated log entries appear for about 4-5 minutes. Then, when the bytes transferred number reaches the video size, it moves on to the next video.
    It looks like the user has been using a tool to dump/download the videos to their computer, I cannot explain it otherwise. Does anyone have any possible ideas of another interpretation or what might be the tool used which would behave in such a way?

  2. #2

    Default

    Hi,

    It could be a ripper so I would suggest adding HotLink Denial and possibly some kind of token authentication to manage sessions etc.

    http://www.wowza.com/forums/content....Flash-SWF-file

    Also consider adding token support into your player , an example for JWPlayer 5 and 6 is

    http://www.wowza.com/forums/content....Player-5-and-6

    Do make sure you are using the latest Application.xml in 3.6.2, do not copy ones from older versions of Wowza as there are some changes which help preventing rippers.

    Andrew.

  3. #3
    Join Date
    Sep 2010
    Posts
    7

    Default

    Thanks for the reply Andrew,

    We had already added the Hotlink Denial. We are anyway moving to HLS streaming instead of RTMP in order to support iOS devices, so Securetoken will not apply.

    When you say "token authentication to manage sessions" do you mean the Securetoken implementation or something else?

  4. #4

    Default

    It would be some kind of session management so that only one user can stream at once. This would be some kind of custom code to both check tokens and manage sessions.

    Andrew

Similar Threads

  1. Custom Log Entries
    By paulo_mendes_ in forum Server Administration Discussion
    Replies: 15
    Last Post: 03-16-2012, 12:48 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •