TL-WR1043ND snapshot images - High download numbers - Spanish users needed

  1. Not sure if that's possible. @thess AFAIK awstats can only locate an IP in a country (e.g. ES), and no more detailed location is possible. Can you confirm?
  2. Just checked my IP with https://geoiptool.com/de/ -> "slight" error of just 300km :slight_smile: (accuracy certainly depends on the database used)

Yes, that tool is completely off for the IP I used for testing in Spain. However, Google is usually accurate to within a few kilometres. I suggest taking some random samples and checking them with their API or for instance here: http://www.ipvoid.com/ip-geolocation/. https://whatismyipaddress.com/ip/ is also fairly accurate and it's easier to test because you can generate clickable URLs like https://whatismyipaddress.com/ip/8.8.8.8. I don't know if their geodatabase is publicly available.


Seem to be accurate, but the MaxMind database behind them is quite pricey...

You'll notice if they are mostly located in the same area if you manually check 10 or 20 random addresses using one of those web pages.

Here is a theory:

- Some folks like http://guifi.net/guifi/device/
- Then a regional model difference / localized redirect goes awry due to a file name / size mismatch
- I actually think the model name is a false positive....

Something like the script (sorry if nothing to do with you guys!!! just an example of what's going on) https://github.com/QuickMeshProject/qmp/blob/master/packages/qmp-guifi/files/etc/qmp/qmp_guifi.sh
https://github.com/guifi/drupal-guifi/commit/d6169a7c3521968ff0e9b4f9add7b6e075f950c9

or this

Why Spain? ... exploit on this community wifi / CUSTOM package overwriting a variable from script similar to above ...... model difference...... uni lecturer made a VM?

Pull the file / geoblock / httpheader(referer?) block etc. methinks

This is very interesting!!! https://repositori.upf.edu/bitstream/handle/10230/22884/VilchesBlanco_2014.pdf?sequence=1&isAllowed=y (page 37)

- The date / initial ramping of demand will give a good clue. (steep vs narrow slope)
- Client fingerprint
- The incompletion factor

I added some cities to the stats.

Remarkable: High numbers for Barakaldo, Bilbao, Burgos, Castro Urdiales

[graphic]

All those cities are within the Euskadi region, precisely where the Euskaltel ISP operates. And those are not the largest cities in Spain, by far. So, there is definitely something weird going on there.

EDIT: More weirdness... there are some major cities in Euskadi, and then the rest is mostly on the east coast, even small villages. I do not see major Spanish cities there (Madrid, Barcelona, Sevilla...). Some places like Benicarlo or Santa Cruz de Tenerife are tourist destinations, perhaps the owners of those devices were traveling?

The guifi project is more prevalent in the Catalunya region, but @tmomas' findings point to the Euskadi region...

Madrid + Barcelona are already there (look closely) :sunglasses:
Sevilla is missing, but already there is updated data.
I noticed some of the cities are in the vicinity of Madrid.

....in the meantime, I updated the graphic, now showing more city names and sorted them alphabetically, see above.

Still, the great majority comes from the Bilbao and Burgos regions. Can you tell if the IPs seem to belong to fixed or mobile internet connections? If it's fixed then my guess is router software, but if it's mobile then it may be some kind of app.

But they do not stand out when taking the large population into account. If the culprit download triggering system were widely used there, their proportion would likely be much higher.

As some "never heard of" smaller(?) cities like Barakaldo and Castro Urdiales have higher stats, likely the system is more widely used in those cities.

Do the regional numbers include all downloads, or just the ones using wget/uclient-fetch without version number? If it's all of them then they include a lot more legitimate downloads in Barcelona and Madrid than in the Bilbao and Burgos areas.

Some comments regarding the statistics:

  • they show December 2018
  • they show only 1043nd downloads
  • approx. 99% are wget+uclient-fetch
  • Cities are not yet completely added (only 20% of downloads with city added)

BTW: If someone has a script solution without running into automatic bot-detection on those websites, please let me know.

Input: bunch of IPs (thousands)
Output: IP-Range, Country, netname, City, static/dynamic

Yes, Barcelona and Madrid are there, but heavily underrepresented, considering their populations. And the same happens with ISPs.

What I mean is that this seems specific to one ISP (Euskaltel) and one region (Euskadi, where Euskaltel operates). The rest of the connections are probably "noise".

Did the number of connections rise suddenly? That would indicate some massive and coordinated update in many devices... for example a firmware update from the ISP.

The underrepresentation of certain regions / IP ranges may be due to only 20% of download requests having a city added.

Madrid may be underrepresented, but there are also some IPs in the vicinity of Madrid (call it "greater Madrid").

I don't think that this issue is restricted to Euskaltel, as I'm seeing lots of other networks.
But yes, a BIG portion of downloads originate in the northern area of Spain where Euskaltel is.

Rise of download numbers: Started 30.09.2018, from low hundreds (like other downloads) to thousands in one day.

Hmm.
And has it been a rather stable load since then? Or is it still growing?
(the public history only shows the current year 2019, so it is hard to see if there has been growth in Sep/Oct/Nov/Dec/Jan.)

If it is rather stable, it reduces the probability of gradual firmware updates by individual customers, or something like that (causing a growing load along with the growth of the installed base of the new firmware with this test download site).

That being the last day of a quarter (or one day before the first of a new quarter), I have a guess:
some kind of SLA that has been automatically tested since 1.10.2018. E.g. automatic connection speed testing every few hours, run from customer data centers (or modems).
(or the remotely controlled test URL has been changed on 30.9.2018 to point to our site)

Mind the different scaling...

[four graphics]

In my opinion it seems like some kind of local software system chosen by consumers (for instance a transportation app), that connects to the internet using whichever provider they are using. When those consumers travel to other places in Spain it will still connect, but in much lower numbers than in the prime area.

So, it really started on one day, and has then stayed rather stable at 15-16k downloads per day. Strange.

Looks like somebody toggled a centrally managed test URL on that day.

It shouldn't be that hard to gather ranges given the amount of data and feed those a dummy file instead, someone will eventually complain :wink:
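
Added example (not written by any poster in this thread and not a project tool): the offline part of the "bunch of IPs in, IP ranges out" script requested above and of the "gather ranges" idea, counting wget/uclient-fetch downloads of the image per day and per network prefix. The Apache combined log layout, the request path, the bare user-agent strings and the sample lines are assumptions constructed for illustration; country, netname and city would still need a WHOIS or GeoIP database.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample (RFC 5737 documentation addresses, placeholder path).
SAMPLE_LOG = """\
192.0.2.10 - - [29/Sep/2018:10:00:00 +0000] "GET /snapshots/EXAMPLE/tl-wr1043nd.bin HTTP/1.1" 200 100 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Sep/2018:10:05:00 +0000] "GET /snapshots/EXAMPLE/tl-wr1043nd.bin HTTP/1.1" 200 100 "-" "Wget"
192.0.2.20 - - [30/Sep/2018:01:00:00 +0000] "GET /snapshots/EXAMPLE/tl-wr1043nd.bin HTTP/1.1" 200 100 "-" "uclient-fetch"
192.0.2.200 - - [30/Sep/2018:01:00:05 +0000] "GET /snapshots/EXAMPLE/tl-wr1043nd.bin HTTP/1.1" 200 100 "-" "Wget"
192.0.2.21 - - [30/Sep/2018:07:00:00 +0000] "GET /snapshots/EXAMPLE/tl-wr1043nd.bin HTTP/1.1" 200 100 "-" "uclient-fetch"
203.0.113.5 - - [30/Sep/2018:08:00:00 +0000] "GET /snapshots/EXAMPLE/other-device.bin HTTP/1.1" 200 100 "-" "Wget"
192.0.2.130 - - [01/Oct/2018:01:00:00 +0000] "GET /snapshots/EXAMPLE/tl-wr1043nd.bin HTTP/1.1" 200 100 "-" "Wget"
this line is not a log entry
"""

# client IP, day, request path, user agent (combined log format assumed)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]*\] '
                     r'"GET (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')
AGENTS = ("wget", "uclient-fetch")


def scripted_hits(log_text, path_marker="1043nd"):
    """Yield (day, IPv4Address) for image downloads made by wget/uclient-fetch."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing on them
        ip, day, path, agent = m.groups()
        if path_marker not in path.lower() or not agent.lower().startswith(AGENTS):
            continue
        try:
            yield day, ipaddress.IPv4Address(ip)
        except ValueError:
            continue  # IPv6 or garbage in the client field


def summarize(log_text, prefix_len=24):
    """Return (hits per day, hits per network of the given prefix length)."""
    per_day, per_range = Counter(), Counter()
    for day, ip in scripted_hits(log_text):
        per_day[day] += 1
        per_range[ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)] += 1
    return per_day, per_range


def busiest_ranges(per_range, min_hits=2):
    """Networks with at least min_hits, with adjacent networks merged."""
    nets = [net for net, hits in per_range.items() if hits >= min_hits]
    return [str(net) for net in ipaddress.collapse_addresses(nets)]
```

The per-day counter shows the kind of step change described for 30.09.2018, and the merged ranges are the input a WHOIS lookup or a server-side rule would take.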