I run a file hosting platform, and am struggling to work out how to handle IDM (internet download manager) connections.

When a file is requested, I create a download token, which expires after 10 download attempts, however IDMs just KEEP making requests, literally hundreds per minute. And I can't figure how to tell them to "stop" trying to open new connections, and just use the 10 you have open.

The problem is, to prevent attacks, I also have rate limiting, and due to the vast numbers of requests these IDMs make, legitimate users are often getting rate limited and they don't understand why.

I can't find any info online at all about how to correctly let IDMs know there is a limit on connections, or that the token has expired, or that they risk being blocked if they keep making requests...

Has anybody encountered anything like this before?

thanks!

Ryan
  • Do you have a specific example? This is rather vague as is, and possibly not answerable. – Michael Hampton Jun 17 '20 at 17:49
  • @MichaelHampton I'm not sure what else I can provide to be honest, they're just standard http GET requests with a token I generated for them in the query string. For standard web (via browser) requests, I simply check the token, if it's invalid, I redirect them to the file download page with an error message, where they can generate a new token. But these download manager tools don't seem to care what header response I give, they just keep trying constantly to download files, even after the token has expired and my script is exiting with 301 or 403 etc. – Ryan Jun 19 '20 at 06:11
  • @MichaelHampton here's an example of what I'm talking about, and their suggestion is just to block traffic from download manager tools https://www.sonicwall.com/support/knowledge-base/blocking-multiple-parallel-http-downloads-used-by-download-accelerators-idm/170504513694427/ But I don't want to block them completely or disable download resumes, I just want to know what header response I need to send to tell them that the token has expired and they need to stop opening new connections or retrying existing ones. – Ryan Jun 19 '20 at 06:13
  • You could name the download manager tools which are causing the problem. – Michael Hampton Jun 19 '20 at 14:10
  • @MichaelHampton as far as I can see, there's no name provided in the request. Most of these download managers seem to spoof the headers to look/act like normal browsers. But here's one as an example: https://www.internetdownloadmanager.com/ – Ryan Jun 22 '20 at 07:29
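
One way to keep retries against an expired token from using up a client's rate-limit budget, as an added example that is not part of the original post: the token check runs before the limiter, and dead-token requests are answered cheaply and counted separately. `DownloadGate`, the 410/429 status choices and the 30-requests-per-60-seconds budget are assumptions; nothing here establishes that a given download manager honours these responses.

```python
import time

MAX_ATTEMPTS = 10   # from the post: a token expires after 10 download attempts
IP_BUDGET = 30      # assumed: charged requests allowed per IP per window
WINDOW = 60.0       # assumed: window length in seconds

class DownloadGate:
    """Hypothetical request gate: token check first, rate limiter second."""

    def __init__(self):
        self.attempts = {}   # token -> attempts used so far
        self.ip_hits = {}    # ip -> timestamps of requests charged to the budget
        self.rejected = {}   # ip -> count of dead-token requests (for monitoring)

    def issue(self, token):
        self.attempts[token] = 0

    def handle(self, ip, token, now=None):
        """Return (status, headers) for one GET carrying a download token."""
        now = time.monotonic() if now is None else now
        used = self.attempts.get(token)
        if used is None or used >= MAX_ATTEMPTS:
            # Unknown or exhausted token: answer from a dictionary lookup and
            # count it separately, so a retry storm never touches ip_hits.
            self.rejected[ip] = self.rejected.get(ip, 0) + 1
            return (403 if used is None else 410), {}
        hits = [t for t in self.ip_hits.get(ip, []) if now - t < WINDOW]
        self.ip_hits[ip] = hits
        if len(hits) >= IP_BUDGET:
            retry_after = int(WINDOW - (now - hits[0])) + 1
            return 429, {"Retry-After": str(retry_after)}
        hits.append(now)
        self.attempts[token] = used + 1
        return 200, {}       # body and Range handling omitted

def replay_constructed_storm():
    """Constructed traffic: 10 valid attempts, 500 retries, then a new token."""
    gate = DownloadGate()
    gate.issue("tok-A")
    first = [gate.handle("198.51.100.7", "tok-A", now=float(i))[0] for i in range(10)]
    storm = {gate.handle("198.51.100.7", "tok-A", now=10.0 + i / 10)[0] for i in range(500)}
    gate.issue("tok-B")
    fresh = gate.handle("198.51.100.7", "tok-B", now=61.0)[0]
    return first, storm, fresh, gate.rejected["198.51.100.7"]
```

The per-IP `rejected` counter gives a separate signal for spotting a client that keeps retrying a dead token, without that traffic locking the same address out of a freshly issued token.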

0 Answers