Welcome to CSharp Labs

Denying Leechers with a Custom IHttpModule and FilterAttribute on MVC 4

Sunday, June 9, 2013

Resource leeching can seriously degrade server performance. To detect leechers, I have created the ResourceLeechDetector class which validates the http referrer header and the AntiLeechAttribute and AntiLeechModule to redirect or deny the request.

How it Works

The ResourceLeechDetector class validates an HttpContext.Request.UrlReferrer using application settings configuration values. The UrlReferrer is compared to the HttpContext.Request.Url using UriExtensions which determine if the hosts match. To protect an entire directory, the AntiLeechModule can be enabled to validate and redirect or terminate requests while the AntiLeechAttribute can be added to protect a single MVC action method.


Add the following application settings to your application's main Web.config file, which determine how hosts are distinguished to detect leeching:

<?xml version="1.0" encoding="utf-8"?>
    <!-- Determines if the ResourceLeechDetector ignores virtual directories while comparing. -->
    <add key="ResourceLeechDetector_IgnoreVirtualDirectory" value="true"/>
    <!-- Determines if the ResourceLeechDetector ignores the scheme (http|https) while comparing. -->
    <add key="ResourceLeechDetector_IgnoreScheme" value="true"/>

To protect an entire directory from leechers using the AntiLeechModule, include the following application setting and module definition in Web.config:

<?xml version="1.0" encoding="utf-8"?>
    <!-- Defines a path the AntiLeechModule will redirect leechers to. -->
    <!--<add key="AntiLeechModule_RedirectPath" value="~/Content/NoLeeching.png"/>-->
    <modules runAllManagedModulesForAllRequests="true">
      <add name="AntiLeechModule" type="System.Web.AntiLeechModule" preCondition="integratedMode,runtimeVersionv4.0"/>

If no AntiLeechModule_RedirectPath setting is defined, the AntiLeechModule will return 403 forbidden if leeching is detected.

For the system.WebServer modules section, runAllManagedModulesForAllRequests must be set to true to run the module for static content.

In the directory to protect, create a new Web.config file and add the following to enable the AntiLeechModule:

<?xml version="1.0"?>
    <add key="AntiLeechModule_Enabled" value="true"/>

To protect an MVC action method, add the AntiLeechAttribute to a method:

        [AntiLeech(FilePathRedirect = "~/Content/NoLeeching.png")]
        [OutputCache(Duration = 600)]
        public ActionResult DownloadImage()
            return File("file name", "content type");

The AntiLeechAttribute supports several named parameters which determine where requests are redirected to, if a leecher is detected:

  • FilePathRedirect: Defines a path to redirect leechers to.
  • ActionRedirect & ControllerRedirect: Defines the action method and controller to redirect leechers to.

If leeching is detected and there is no redirect path or action, the AntiLeechAttribute will return 403 forbidden.


Download ResourceLeechDetector and Supporting Classes