Solution Overview

LinkSentinel is a unique approach to hotlink defense, designed with the following core considerations:

  • hotlink protection that is not easily spoofed or bypassed
  • negligible impact on CPU, memory, or system performance
  • fully effective for load-balanced clusters
  • realtime visiblity of bandwidth savings

Architecture

LinkSentinel is a highly optimized C module that monitors and approves, or declines, requests for hotlink-prone content. The software uses encoded query string "tokens" that are embedded into all content references for which the module has been configured to protect. All LinkSentinel token operations are done at a very low-level of the Apache request/response cycle, so they will not interfere with the normal linking syntax for a website. In other words, LinkSentinel does -not- require that you make any changes to your web pages or layout structure. And the module works properly for dynamically generated pages as well (e.g. cgi, php). Finally, the software allows for easy configuration of the security behaviors within extremely flexible scopes: server-wide, virtualhost-specific, or directory/location specific.

As mentioned above, LinkSentinel uses special, automatically-embedded tokens. These encrypted tokens provide a robust protection based on four key principles, two of which (resource specificity, N-time-pad limitations) are completely unique to LinkSentinel and distinguish it sharply from competitive products.

  • Resource Specificity:  Tokens are bound specifically, in a 1:1 fashion, to the anchored resource. A link for "x.mpg" cannot be modified to work for "y.mpg".

  • Reuse Limitations:  Valid tokens can be limited to one-time-only use, or N-time-only reuse.

  • Time Sensitivity:  Tokens are valid within a specific, limited window. A current link will not work at some specified time in the future.

  • Network Specificity:  Tokens can be optionally constrained by the network source of the request. The IP subnet that requested the refering content must match that of the referent content.

Of course, all settings related to these key features can be customized or enabled/disabled by the site administrator. LinkSentinel also tracks in realtime the daily and monthly bandwidth it saves from thwarted hotlink attempts. Webmasters can view this information from a realtime, web-accessible table broken out by virtualhost domain. More detailed information is available in historical audit logs that show which requests were approved or declined, along with the relevant details.

System Requirements

The LinkSentinel module requires a UNIX-based, Apache server configured with dynamic shared object support (i.e. DSO, mod_so.c). The software is compatible with Apache 1.3.x, 2.0.x, and 2.2.x. LinkSentinel has been deployed successfully on many UNIX variants (i.e. Linux, FreeBSD, Solaris, MacOSX) in both 32bit and 64bit flavors. The module is not currently available for WIN32 versions of Apache. Of course, LinkSentinel also requires money.

Company  |  Privacy  |  Legal  |  Contact
Copyright © 2001-2016 Proxigence