While static CDNs are defended with numerous protection means, content delivery networks for streaming and dynamic data transfer are still vulnerable. Let’s find out what attacks are performed often, and how to protect your website.
The vast majority of host services and CDNs (content delivery networks) have pretty simple security options for streaming. For example, referrer protection requires the SWF requesting to join the stream to be served from some certain domain. If a hacker gets your player of viewer from your site, you won’t be able to do anything about it. Another option in case is anti hot-link protection: the referring page URL should match some certain domain. To run the blockade, it is passed in as a parameter to rtmpdump. When you serve your SWF from the same domain as your site, fresh versions of Flash cast out page URL to the domain only rather than the full URL. Page URL test can be simply passed then with iFrame.
A specific token can be implemented in the code of Flash player and the media server (it’s possible together with with RTMPe encryption). The code can be obtained by decompiling the SWF, and domain protection then is defeated with rtmpdump.
If your website is attacked by browser manipulations like these ones, the stream will be played and watched by unauthorized viewers until you strengthen your protection with expire time and SecureLink hashing on the URI.
Widespread Types of Attacks
CDN streaming is a challenging task. There are myriad of techniques to steal streams, though some ways are pretty difficult and can be executed by wise hackers only.
- Ripping attacks on streams. It’s done with the help of popular rtmpdump programs. They are hard to defend against due to two major reasons: first, it may spoof all security parameters; secondly, it pretends to act like a legitimate stream user.
- Referrer attacks on streams. The hacker will iframe your environment into his website and broadcast his streams on your account.
- Browser embed attacks is another popular trick. The hacker runs a VB.net application installed by subscribers and injects HTML into his website. Therefore, the browser tells Flash his website is your website which allows defeating security.
- Wireshark examination of network traffic to define origin stream names. Some media servers show unprotected origin URL in their network traffic stream. Therefore, to ensure protection you should require security checking. This way, the origin stream name won’t be published as it cannot run with relay servers without security protection.
If you want to make sure that your stream is safe and secure, order CDN networks in well-established companies. Services from world’s best providers ensure that your stream will never show on other sites unless you decide that.
Comments