Quite unusual issue where we need the help of spanish residents:
Since 30.09.2018 we see abnormally high download numbers for the TL-WR1043ND snapshot factory image in the download stats, which create a tremendous amount of traffic.
Analysis of the download servers logfiles revealed that
- 99,7% of the 1043nd snapshot downloads originate from Spain
- 75% Wget; 25% uclient-fetch
- both without version as "usual" user agents
- sometimes 100% Wget OR uclient-fetch from one IP, sometimes both at the same time at other IPs
- approx. 20k different IPs, spread over hundreds of network ranges
- downloads are rarely completed, instead are cut off at varying sizes; HTTP status however is almost always (99%+) 200, instead of 206 as one would expect
- downloads originate mainly from 4 different network names (see graphic below)
- downloads show a significant timely pattern in seconds, minutes, and hours that the downloads happen
Tip for the pictures: to see them in real (big) size -> right click on the picture -> "Show picture"
Download size vs. netname
Timely pattern: Seconds
Graphing download size (in bytes) vs. seconds shows the following:
=> two strong peaks around 21..24sec and 32..35sec.
Timely pattern: Minutes
The same for minutes:
=> Every 10 minutes (at 01 / 11 / 21 / 31 / 41 / 51) download size increases by factor of 2.5 for a time of 6minutes
Timely pattern: Minutes + seconds
green = seconds
blue = minutes
=> The "seconds" pattern (21/32sec, see above) and the 10min pattern are clearly visible.
Timely pattern: Hours + seconds
It is getting more interesting by the minute... or should I say by the second?
Remarkable things in this graphic:
- red: spikes in 3h intervall; seconds peak at 32sec
- blue: significantly different seconds pattern at 02h / 06 / 12 / 20
- blue: similar pattern at 02h / 12 / 20; two peaks at 21 + 47 sec
- blue: different pattern at 06h (almost equally spread over the seconds)
Due to the restriction to Spain, the timely pattern and amount of download requests observed we come to the conclusion that this traffic can not originate from single users trying to download the 1043nd snapshot image for flashing their device, but from some bot / script that either does performance testing (user's internet line / OpenWrt download server transfer speed), or checking if there is a new snapshot build available.
Whatever the reason for the described download behaviour may be, we feel that using the OpenWrt ressources (server time + download bandwidth) to this extent for any other purpose than flashing the downloaded image is not appropriate.
We would like to find out the reason for the shown download behaviour, in order to finally lessen the impact on the OpenWrt resources to a normal range (compare stats linked above).
This is when you as a spanish resident enter the game: We need your help in finding the cause of the high download numbers.
Request to spanish OpenWrt forum users
- Can you think of any reason for the download behaviour shown above?
- Is there a spanish forum, website, blog, ... which could have triggered this by publishing
- a speedtest-script
- check-for-new-snapshot script
- or ...something completely different?
- Are you running OpenWrt on one or more devices, and are you knowingly / unknowingly taking part in these periodical downloads?
- If you are running a continuous speedtest / check for snapshot updates / something else on your OpenWrt device, please check if there are any irregularities since today (404 errors / no statistics / ...)
Thanks for your time and your feedback!
Sidenote: If anybody knows Clifford Stoll: I'm feeling a bit like him now, searching 75ct