Heavy Bandwidth Drain from Handful of IPs

T

TheGrammarClubRadio

New Member
We've recently had a handful of IPs eating up WAY more bandwidth than we'd expect. In particular one recently used 3.9GB (4342 minutes) in a single DAY, which seems questionable, since a day only has 1440 minutes. Our typical heaviest listeners connect for a few hundred minutes, well under half a GB of useage, and a few bad actors are burning through the bandwidth at seemingly impossible speeds. Has anyone else experienced this, and is there anything we can do about it? We're thrilled to have fans who listen to us for hours at a time, but having a single user chomp through four days worth of minutes in a single day is killing us.
 
This happened a couple months ago as well, and we just blacklisted the IPs in question and ponied up for more bandwidth, but that's a neverending game of whack-a-mole. What we're hoping for is a way to hard limit someone once they hit a certain UNUSUALLY HIGH amount of data or minutes. Is that possible?
 
Hi TheGrammerClubRadio,

I'm sorry to hear that you are experiencing problems with this. As you are aware the best way to deal with these IPs is to just ban them in your servers admin section. Alternatively if you find that they seem to be coming from some certain countries then we can also geo-block this for you.

Where you are seeing an IP that has used 3.9GB over 4342 minutes this is not within a single day but over the time period of the "Statistics for reporting period" which by default is set to "14 Days".

Under the 'Advanced' section of your control panel you also have a setting to "Always disconnect listeners after: XX minutes". You can use the this to kick listeners from the stream after a chosen time period.

I hope that helps.
 
No, this was a single day. Over 7 days the same IP used another 1000 minutes in addition to that. We did have the server set to close connections after a few hours, but it doesn't stop them from immediately reconnecting. We'll try setting that to a shorter time and blocking the IP ranges. We just hate to do things that could inadvertently affect ordinary listeners.

singleday.jpg
 
Interestingly, as I was just now looking to add to our ban list, I see that this particular IP address was already in the list. How are they circumventing this?
-edit-
The user directly below them with 1200 minutes was part of an entire subnet that was already blacklisted. Not sure what's going on with the blacklists if they're just able to connect anyway.
 
Sorry to hear about your frustrations. I'll jump in and address the posts below:

TheGrammarClubRadio said:
In particular one recently used 3.9GB (4342 minutes) in a single DAY, which seems questionable, since a day only has 1440 minutes.
Click to expand...

Although a day only has 1440 minutes there's a couple of possible explanations for an IP using more than this. Firstly it's totally possible for more than one listener to originate from the same IP. All the devices in your house or office connection will share the same IP as far as the server is concerned. Secondly some radio players / apps make multiple connections to a stream. I have no idea why they do this but I've noticed it before. As far as I know there's no "Only allow 1 connection per IP" setting in Shoutcast or Icecast servers as this would help with this issue.

TheGrammarClubRadio said:
No, this was a single day. Over 7 days the same IP used another 1000 minutes in addition to that. We did have the server set to close connections after a few hours, but it doesn't stop them from immediately reconnecting. We'll try setting that to a shorter time and blocking the IP ranges. We just hate to do things that could inadvertently affect ordinary listeners.
Click to expand...

It's a fine balance of not wanting to annoy your legitimate listeners and trying to fend off bots.

TheGrammarClubRadio said:
Interestingly, as I was just now looking to add to our ban list, I see that this particular IP address was already in the list. How are they circumventing this?
-edit-
The user directly below them with 1200 minutes was part of an entire subnet that was already blacklisted. Not sure what's going on with the blacklists if they're just able to connect anyway.
Click to expand...

It's possible they're connection via the "Web Proxy" feature. If you like I can implement a block on those IP's from the web proxy too. Just let me know and i'll implement this for you.
 
More Support said:
It's possible they're connection via the "Web Proxy" feature. If you like I can implement a block on those IP's from the web proxy too. Just let me know and i'll implement this for you.
Click to expand...

That sounds like the way to go. Thanks. Do we need to PM you the list, or can you pull it from our server config?
 
You must log in or register to reply here.
Top