I was quite surprised a day ago when I looked at my IceCast log on my streaming computer and saw over 20,000 listener connection attempts in the past couple of days.
It turns out that an IP address originating (at least according to whois) in Paris, France - 46.105.55.163 - was routinely attempting to connect and then disconnecting. I suspect that they were attempting to gain access to the administrative functions of IceCast by trying to hack the password. I shut down the server, and restarted it today (I had the same sort of problem when I ran an FTP server and that got rid of the issue) but immediately it started all over again. So my server has gotten onto someone's target list.
It looks like I'm going to have to create a router firewall rule to block that IP address. I'm probably going to update my router at the same time, as it's pretty old. So my stream is going to be off for a few days until I can get that set up.
This is just a reminder that you have to routinely check your streaming logs on a regular basis.
Sounds like a Stram Ripper. These stream rippers look for stations that play a certain type of musc for recording. Some of them a user types in some artists or a format of music. The Stream Ripper then scans a bunch of stations to see what they are playing. If it meets the artists or genre the user wants it begins recording. What user agent does it come up with I can sometimes tell by that?
I've done some temporary streaming where we go on for a group of chat buddies and do a show, and under some conditions someone's player or recorder will try to connect over and over. That fills up the available slots, and it seems they're released prett fast, though I think it can cause others to have connection problems as its happening. Check the logs, then search on the client and hammering, to see if others have had the issue.
Could you temporarily change your port, like go to 8007 and then link to that from your stream page. I wonder about streaming servers having anti-hammering, like an FTP can have a retry delay of so many seconds on failed attempts. I don't know if delay is a good indea in streaming though.
This morning I saw an IP address from Syracuse, NY making woodpecker-like connections and disconnections and finally it locked-on and remained connected for around 12-minutes.
Having read Artison's experience up above, I got concerned, but then got some good news.
Bruce MICRO 1690/1700 Dog Radio Studio 2 had been experimenting with connecting to my Icecast stream while inside his automobile in Hartford Connecticut, using a Smartphone.
Once the connection was made Bruce MICRO 1690/1700 Dog Radio Studio 2 listened for 12-minutes to what he called, "Really good sounding audio from KDX."
While most IP's connecting use something like Winamp or NSPlayer, the hammering IP used Mozilla.
There was another address from France that was doing the rapid connecting and disconnecting and both were from the same service provider - OVH.
I'm just going to block the offending incoming IP's once I get the new router, and hopefully that will do it (I may have to do the entire IP address range from OVH, as it could be that these are dynamic IP addresses).
If you see a lot of Winamp 5.0's they are streamrippers. I've had this issues when I made my Shoutcast or Icecast streams public. You can block the offending ips and hope that helps. I didn't think about being in a car listening to a smartphone. However it would not be likely they would come in a Winamp 5.0.
You can ban the ip in the Admin section on shoutcast (done online)