
Thread: Giant Bomb blocking BeyondPod due to malicious traffic

  1. #1 | Junior Member | Join Date: Jul 2015 | Posts: 2

    Giant Bomb blocking BeyondPod due to malicious traffic

    http://www.giantbomb.com/forums/bomb...ken-1776942/#1

    Hey,

    There's a really bad Android app out there called Beyond Pod. I see a bunch of you guys use it for The Bombcast. It was poorly written and sends essentially malicious traffic (a whole lot) to our servers. We've tried to contact the developers about it but they've ignored us.

    We're going to be blocking access from that app within a day or two until the developers can fix their bugs.
    I paid what felt like too much money for this app and now I'm finding out that I can't even use it. What's going on here?

  2. #2 | Junior Member | Join Date: Jul 2015 | Posts: 1
    Please fix this issue. I like this app enough to pay for it and I would like to be able to keep using it.

  3. #3 | BeyondPod Team | Join Date: Feb 2012 | Posts: 1,033
    We are not sure what the issue is with this. Nothing has changed on our side to suddenly be causing any "malicious" traffic to their servers.

    The only traffic we generate is from people that have subscribed to the feed itself.

    I sent an e-mail to Giant Bomb's support to see if they can explain what may be going on.

  4. #4 | Junior Member | Join Date: Jul 2015 | Posts: 2
    Quote Originally Posted by StefanK:
        We are not sure what the issue is with this. Nothing has changed on our side to suddenly be causing any "malicious" traffic to their servers.

        The only traffic we generate is from people that have subscribed to the feed itself.

        I sent an e-mail to Giant Bomb's support to see if they can explain what may be going on.

    It looks like how you handle failed authorization on password-protected RSS feeds is busted:

    I'd assume it works well for users, it's just really dumb with providers. If it can't reach a podcast for some reason, like the user isn't authorized, it keeps trying over and over and over. We've seen users with 40k hits within a few-hour period. If it works for you and the podcast provider wants to eat that traffic then there's no reason not to use it.

    You just won't be able to use it for Giant Bomb because we'd rather use those server cycles for actual traffic, not a constant Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!, Can I?, No!...
    Every time the app asks Can I?, we need to do a bunch of stuff. And then the amount of traffic trips an alarm that we're getting scraped and then someone has to deal with that. So when the block goes live we're just going to see if the request is from Beyond Pod and respond with "Go away kid, ya bother me" and be done with it.

  5. #5 | BeyondPod Team | Join Date: Feb 2012 | Posts: 1,033
    This is very, very, very strange.

    I can't think of how BeyondPod can cause such an amount of traffic. The way BeyondPod is set up, it will try to get the feed only if it is on a scheduled update (or updated manually). The default update schedule is once in 24 hours, so in most cases BeyondPod will make only 1 request for a feed a day per user (if the request fails for some reason, we retry, but we retry ONLY ONCE). This makes it at most 2 requests per 24 hours. And again this is ONLY if you subscribe to the premium feed and ONLY if your user name/password are invalid. Even if somebody has set their feeds to update hourly (which is the shortest interval supported in BeyondPod) then that will be AT MOST 2 requests per hour. I can't imagine how a user can generate 40k requests in a few hours. This logic has been in place for the last 4 years and has never caused any problems.

    The only thing I can think of is if some other app is spoofing BeyondPod's user agent (I am assuming this is what GiantBomb is seeing) and making requests that are being attributed to BeyondPod. It is also possible that there is a hacked version of BeyondPod that was decompiled, modified and recompiled and that has changed the retry logic (on Android this is not very difficult to do).

    I am still waiting to hear from GiantBomb admins/support - hopefully with their help we can figure out what is going on.

    Stefan
    Last edited by StefanK; 07-24-2015 at 11:16 AM.

  6. #6 | Junior Member | Join Date: Jul 2015 | Posts: 4
    Hey,

    I sent you guys an email and it got ignored. That email you sent to support is going to take time to make it to me. You guys didn't change anything; we just started noticing when we installed a scraping monitor and it found hundreds of cases of users hitting us 10k and more times within a few hours, all of it being stuff like this:

    [22/Jul/2015:13:11:34 +0000] "GET /podcast-xml/premium/ HTTP/1.1" 401 33 "-" "Mozilla/5.0 (Linux; U; en-us; BeyondPod)" "122.149.82.1"
    [22/Jul/2015:13:12:01 +0000] "GET /podcast-xml/premium/ HTTP/1.1" 401 33 "-" "Mozilla/5.0 (Linux; U; en-us; BeyondPod)" "122.149.82.1"
    [22/Jul/2015:13:12:16 +0000] "GET /podcast-xml/premium/ HTTP/1.1" 401 33 "-" "Mozilla/5.0 (Linux; U; en-us; BeyondPod)" "122.149.82.1"
    [22/Jul/2015:13:12:19 +0000] "GET /podcast-xml/premium/ HTTP/1.1" 401 33 "-" "Mozilla/5.0 (Linux; U; en-us; BeyondPod)" "122.149.82.1"
    [22/Jul/2015:13:12:28 +0000] "GET /podcast-xml/premium/ HTTP/1.1" 401 33 "-" "Mozilla/5.0 (Linux; U; en-us; BeyondPod)" "122.149.82.1"

    We'd expect that when your App gets a 401 response you stop sending requests. At times after a Podcast release, lines like the above are > 50% of our traffic. With our scraper detection in place we cannot have this, because the alarm trips constantly and someone has to deal with it.

    I've contacted users directly, and when they stopped running BeyondPod the traffic stopped hitting our servers, so it's definitely not a spoof.

    If you want more logs or information please contact me at edgework@giantbomb.com
    Last edited by edgework; 07-24-2015 at 11:14 AM.
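To show how the pattern in those log lines can be surfaced automatically, here is a small detector written for this thread. It is an added example, not Giant Bomb's actual scraper monitor (whose implementation the thread does not describe). It assumes exactly the line layout quoted above; the sample input reuses the five quoted lines plus two constructed control lines with documentation-range addresses and an invented user agent.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regex for the access-log shape quoted in the thread:
# [timestamp] "METHOD path proto" status size "referer" "user-agent" "client-ip"
LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<ip>[^"]*)"$'
)

# Constructed sample: the five lines from the post, plus two control lines
# (a successful fetch from another address, and a single 401 from a third client).
SAMPLE_LOG = """\
[22/Jul/2015:13:11:34 +0000] "GET /podcast-xml/premium/ HTTP/1.1" 401 33 "-" "Mozilla/5.0 (Linux; U; en-us; BeyondPod)" "122.149.82.1"
[22/Jul/2015:13:11:40 +0000] "GET /podcast-xml/premium/ HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (Linux; U; en-us; BeyondPod)" "192.0.2.10"
[22/Jul/2015:13:12:01 +0000] "GET /podcast-xml/premium/ HTTP/1.1" 401 33 "-" "Mozilla/5.0 (Linux; U; en-us; BeyondPod)" "122.149.82.1"
[22/Jul/2015:13:12:16 +0000] "GET /podcast-xml/premium/ HTTP/1.1" 401 33 "-" "Mozilla/5.0 (Linux; U; en-us; BeyondPod)" "122.149.82.1"
[22/Jul/2015:13:12:19 +0000] "GET /podcast-xml/premium/ HTTP/1.1" 401 33 "-" "Mozilla/5.0 (Linux; U; en-us; BeyondPod)" "122.149.82.1"
[22/Jul/2015:13:12:28 +0000] "GET /podcast-xml/premium/ HTTP/1.1" 401 33 "-" "Mozilla/5.0 (Linux; U; en-us; BeyondPod)" "122.149.82.1"
[22/Jul/2015:13:20:05 +0000] "GET /podcast-xml/premium/ HTTP/1.1" 401 33 "-" "ExampleFetcher/1.0" "198.51.100.7"
"""

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_retry_storms(lines, window=timedelta(minutes=5), threshold=3):
    """Flag (ip, user-agent, path) triples that received at least `threshold`
    401 responses inside some span of length `window`.  Returns {triple: largest burst}."""
    stamps_by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 401:
            continue  # only repeated authentication failures are of interest here
        stamps_by_client[(rec["ip"], rec["ua"], rec["path"])].append(rec["ts"])

    flagged = {}
    for key, stamps in stamps_by_client.items():
        stamps.sort()
        start, burst = 0, 0
        for end, t in enumerate(stamps):          # sliding window over sorted timestamps
            while t - stamps[start] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            flagged[key] = burst
    return flagged

def flagged_clients_by_ua(flagged):
    """Count flagged clients per user agent: the per-app summary an operator would report."""
    counts = defaultdict(int)
    for (_ip, ua, _path) in flagged:
        counts[ua] += 1
    return dict(counts)

if __name__ == "__main__":
    storms = find_retry_storms(SAMPLE_LOG.splitlines())
    for (ip, ua, path), burst in storms.items():
        print(f"{ip} {ua!r} {path}: {burst} x 401 within 5 minutes")
    print(flagged_clients_by_ua(storms))
```

The window and threshold are deliberately conservative: a well-behaved client that retries once, as described later in the thread, produces at most two 401s per update and never trips a threshold of three, while the per-second pattern in the quoted lines is flagged immediately. Keying on the path as well as the address keeps a client fetching several protected feeds from being counted as one storm.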

  7. #7 | BeyondPod Team | Join Date: Feb 2012 | Posts: 1,033
    Thanks for posting,

    This is what is strange - we do stop (we do one and only one retry) so you should not see more than 2 per hour - having one every few seconds is extremely strange.

    I have no idea what may be causing this. It is possible that there is some device/Android version that gets confused, but so far we have not seen any indication of this happening.

    Is it possible to find out (from the users you contacted) what device/version of Android they are using? Also, is there anything special about the authentication that is failing - no authentication present, expired authentication?

    Stefan
    Last edited by StefanK; 07-24-2015 at 11:43 AM.
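Stefan's description of the intended client logic (one request per scheduled update, one retry on failure) and edgework's expectation that a 401 stops further requests can be written down as a small feed-update policy. The following is an added illustration written for this thread, not BeyondPod's code; the FeedUpdater class, the scripted transport stub and the feed URL are invented for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

AUTH_FAILURE = {401, 403}                    # credentials wrong or missing: retrying cannot help
TRANSIENT = {408, 429, 500, 502, 503, 504}   # the server may succeed if asked again later

@dataclass
class FeedState:
    url: str
    needs_credentials: bool = False   # set after a 401/403; scheduled updates skip the feed until cleared
    last_status: Optional[int] = None
    requests_sent: int = 0

class FeedUpdater:
    """Hypothetical scheduler-side policy: a 401 parks the feed instead of being retried."""

    def __init__(self, transport: Callable[[str], int], transient_retries: int = 1):
        self.transport = transport            # assumed interface: returns an HTTP status for a URL
        self.transient_retries = transient_retries
        self.feeds: Dict[str, FeedState] = {}

    def subscribe(self, url: str) -> None:
        self.feeds[url] = FeedState(url)

    def update(self, url: str) -> str:
        """Run one scheduled (or manual) update of a feed and report what happened."""
        state = self.feeds[url]
        if state.needs_credentials:
            # No new credentials since the last 401: do not touch the server at all.
            return "skipped"
        retries_left = self.transient_retries
        while True:
            status = self.transport(url)
            state.requests_sent += 1
            state.last_status = status
            if status == 200:
                return "ok"
            if status in AUTH_FAILURE:
                state.needs_credentials = True   # park the feed; only user action re-enables it
                return "auth-failed"
            if status in TRANSIENT and retries_left > 0:
                retries_left -= 1
                continue                         # the single retry the thread describes
            return "failed"                      # give up until the next scheduled update

    def credentials_updated(self, url: str) -> None:
        """Called when the user enters new credentials; re-enables scheduled updates."""
        self.feeds[url].needs_credentials = False

def scripted_transport(statuses: List[int]) -> Callable[[str], int]:
    """Constructed stand-in for the network: returns the scripted statuses, repeating the last one."""
    remaining = list(statuses)
    def fetch(_url: str) -> int:
        if len(remaining) > 1:
            return remaining.pop(0)
        return remaining[0]
    return fetch

def simulate(statuses: List[int], scheduled_updates: int = 24):
    """Run a day of hourly updates against a scripted server; return (results, requests_sent)."""
    url = "https://feeds.example.invalid/premium/"   # placeholder feed URL
    updater = FeedUpdater(scripted_transport(statuses))
    updater.subscribe(url)
    results = [updater.update(url) for _ in range(scheduled_updates)]
    return results, updater.feeds[url].requests_sent

if __name__ == "__main__":
    print(simulate([401]))        # one request, then 23 skipped updates
    print(simulate([503, 200]))   # one transient failure, one retry, success
```

The important property is that a 401 is treated as terminal state rather than as a failure to retry: the feed is parked, the user is the only thing that can un-park it, and the hourly scheduler costs the server exactly one request per bad-credential subscription until that happens. A status in the transient set gets the single retry and then waits for the next scheduled slot, so even a server outage produces at most two requests per update.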

  8. #8 | Junior Member | Join Date: Jul 2015 | Posts: 4
    It's not easy to track back a user based on log traffic. I managed to track that one based on other traffic. Suffice to say it's A LOT of traffic. We released a podcast this morning and our scraper detected 2391 "scrapers", all with the BeyondPod User Agent.

  9. #9 | BeyondPod Team | Join Date: Feb 2012 | Posts: 1,033
    Yes, I understand.

    Very strange indeed. I went through the code many times trying to see if there is a way to trick it, but so far can't see anything out of the ordinary.
    When authentication fails on those repeated requests, are those "invalid", "valid but expired" or "no credential provided" cases? I would like to find something we can test with. I have tried with wrong credentials, no credentials and valid credentials. The only thing I have not tried is "expired".

  10. #10 | Junior Member | Join Date: Jul 2015 | Posts: 4
    401 means the user has not authenticated. You should see this when you hit www.giantbomb.com/podcast-xml/premium/ without having provided credentials.
