Stopping a 120 GB CDN Attack with Referer Anti‑Hotlinking and Nginx
A personal case study shows how a sudden surge of malicious bot traffic exhausted CDN bandwidth, how enabling referer‑based anti‑hotlinking blocked the attack, and how a local Nginx + Proxifier setup restored image access for the author’s notes.
Background
While writing notes in Typora, the author discovered that images could no longer be uploaded to Qiniu Cloud because the CDN service had been suspended due to an overdue balance of over 20 CNY. All images on the site www.passjava.cn became inaccessible.
Investigation revealed an abnormal traffic spike: in seven days the site received 123 GB of traffic from 140 000 distinct IPs, indicating a botnet ("zombie" servers) attack.
Attack Timeline
07‑30 22:00 ~ 08‑06 10:00 – 610 000 requests, 120 GB CDN traffic.
08‑07 17:00 ~ 08‑11 17:00 – 410 000 requests, all returned 403 errors after enabling anti‑hotlinking, resulting in no additional CDN traffic.
Investigation
The access logs showed repeated requests for five image files from many different IPs, consuming large CDN bandwidth under a pay‑as‑you‑go model.
Solution Process
Initial Steps
A support ticket was opened with Qiniu Cloud. The engineer suggested checking the CDN log analysis for top URLs and client IPs, then blacklisting unexpected sources.
Anti‑Hotlinking Options
1: Referer anti‑hotlinking – Only requests with a valid Referer header are allowed; however, Referer can be forged.
2: Timestamp anti‑hotlinking – URL includes expiration time and token; suitable for limited‑use scenarios.
3: Origin authentication – CDN forwards requests to the origin with custom parameters for validation.
4: IP whitelist/blacklist – Works for a fixed IP range, not suitable for public sites.
5: UA whitelist/blacklist – Filters based on User‑Agent strings.
Option 1 (Referer) was chosen as the most appropriate.
Implementation
Referer anti‑hotlinking was enabled in the Qiniu console by adding a whitelist and disallowing empty Referer headers.
After enabling, direct access to an image URL without a Referer returned a 403 Forbidden error, confirming the protection.
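The log review from the Investigation step and the whitelist rule enabled here can be combined in one script; the following is an added example, not code from the original post or from Qiniu. It assumes a combined-log-style line layout, a two-host whitelist and constructed sample lines, and reports per URL how many requests, distinct IPs and bytes were seen and how many requests the rule would answer with 403.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed whitelist: the page does not list the domains entered in the console.
ALLOWED_HOSTS = {"www.passjava.cn", "passjava.cn"}
ALLOW_EMPTY_REFERER = False  # the page's setting: an empty Referer is rejected

# Assumed combined-log layout, not Qiniu's documented export format.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?:GET|HEAD) (?P<url>\S+) [^"]*" '
                  r'(?P<status>\d{3}) (?P<size>\d+) "(?P<ref>[^"]*)"')

def referer_allowed(referer):
    """Whitelist decision: exact host match, empty Referer handled explicitly."""
    if referer in ("", "-"):
        return ALLOW_EMPTY_REFERER
    try:
        host = (urlsplit(referer).hostname or "").lower()
    except ValueError:  # malformed URL in the header
        return False
    return host in ALLOWED_HOSTS  # substring checks would accept look-alike hosts

def summarize(lines):
    """Per-URL totals plus how many requests the Referer rule would reject."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "ips": set(), "blocked": 0})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        s = stats[m["url"]]
        s["requests"] += 1
        s["bytes"] += int(m["size"])
        s["ips"].add(m["ip"])
        s["blocked"] += not referer_allowed(m["ref"])
    return dict(stats)

# Constructed sample lines: documentation IP ranges, made-up paths, sizes and dates.
T = '[01/Jan/2000:00:00:00 +0800]'
SAMPLE = [
    f'203.0.113.5 - - {T} "GET /img/a.png HTTP/1.1" 200 512000 "-"',
    f'198.51.100.7 - - {T} "GET /img/a.png HTTP/1.1" 200 512000 "-"',
    f'192.0.2.9 - - {T} "GET /img/a.png HTTP/1.1" 200 512000 "https://www.passjava.cn/notes/"',
    f'203.0.113.5 - - {T} "GET /img/b.png HTTP/1.1" 200 204800 "https://www.passjava.cn.example.net/"',
    f'192.0.2.9 - - {T} "GET /img/b.png HTTP/1.1" 200 204800 "https://passjava.cn/"',
]

if __name__ == "__main__":
    for url, s in sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["bytes"]):
        print(url, s["requests"], "req", len(s["ips"]), "IPs", s["bytes"], "bytes",
              s["blocked"], "would get 403")
```

Running it over logs from before the rule is switched on shows which legitimate clients send an empty Referer and would be rejected along with the bot traffic.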
Side Effects
Typora’s image insertion stopped working because Typora does not send a Referer header when fetching images from the CDN.
Workaround
The author used an Nginx proxy on localhost (port 8888) to add a Referer header to outgoing requests, and configured Proxifier to route Typora’s CDN image requests through this proxy.
Diagrammatic steps (illustrated in the original images) show the Nginx configuration and Proxifier setup, as well as a process‑hijacking technique to intercept and modify the requests.
Summary
(1) Over a week the site was hit with bot traffic that consumed 120 GB of CDN bandwidth, causing a >20 CNY debt.
(2) Enabling Referer anti‑hotlinking instantly blocked the attack (403 responses) but also broke image loading in Typora.
(3) Adding a local Nginx proxy and using Proxifier to inject a valid Referer allowed the author to keep the anti‑hotlinking protection while restoring image access in notes.
Wukong Talks Architecture
Explaining distributed systems and architecture through stories. Author of the "JVM Performance Tuning in Practice" column, open-source author of "Spring Cloud in Practice PassJava", and independently developed a PMP practice quiz mini-program.
