TL-WR1043ND snapshot images - High download numbers - Spanish users needed

Genuine users will see a redirect to another page.

Or you could just remove or rename it for a day or two and see what happens. Maybe they'll notice and spam someone else with their requests instead.

  • One IP (the biggest overall downloader) has been blocked for several days. No change in behaviour, the 1043nd file is still being requested from this IP, although all he gets is 403.
  • We had changed the filename slightly for approx 24h, no reaction, no change in download behaviour.
1 Like

Is it worth following through by contacting the ISP to make inquiries on your behalf?

Basque user here.

We were with Euskaltel. Now we are with Telefonica/Movistar. Neither uses OpenWRT in their routers. However, guifi.net people do use TP-LINK devices, usually at members' homes. We do, even though we left guifi.net years ago. See http://guifi.net/ca/node/17718/view/map

But, we are pretty confident that it doesn't come from our devices, because we compile our own openwrt image, and we don't have any 1043 :slight_smile:

That guifi.net thing in Euskal Herria has been a complete mess, and last year a new "operator" called Izarkom appeared, from the people that made the mess. It could be worth asking them, but of course I'm not saying they are the bad guys.

2 Likes

I now have city data for all IPs, and with this I was able to create the following graphic, showing the download counts geographically:

[image: map of download counts]

And here a bit more detailed view with annotations:
[image: detailed map with annotations]

Heatmap visualisation:
[image: heatmap]

1 Like

Castro-Urdiales is not in the Basque Country, and Euskaltel does not operate there (with fixed connections). However, it is a suburb/population center for those working in the neighboring Bilbao etc. Barakaldo is also a major population center in that area.

That makes me think this is some kind of consumer-purchased device that is advertised/popular primarily in the Basque region, but not tied to ISPs directly. People would buy it and take it home. This would explain the disproportionate counts from Euskaltel (biggest ISP in the region only) and Castro-Urdiales (not in the region, but lots of people commute from there).

(I used to live in Castro-Urdiales)

So the IP with the highest usage is likely the seller and the rest is consumers getting auto updates from a poorly implemented script.

1 Like

I also thought about some device sold by a local shop in Bilbao; but the number of devices seems too big for a local shop, and a local shop would rarely have the resources for a mass-update.

But you mentioned "commuting", and that made me think about another possibility: perhaps those devices are being distributed internally by a company, among their offices or among their teleworking employees...

1 Like

I can haz live like diz?? pllleeeeeeeeezzz!!!!11 :smiley_cat:
[image]

(inspired by http://ip-api.com/docs/statistics; that's where I got the geoip info from)

Not 100% serious, but asking: Why not?-)
Not 100% joking, therefore asking: can somebody script this?

pllleeeeeeeeezzz!!!!11 :smiley_cat:

1 Like

When we first started investigating this, one of the questions I had asked was: "Why this image?" In particular, these requests are for the factory image and NOT the sysupgrade image. Why would that be over so many nodes?

1 Like

IMHO the answer is something along the lines that the downloaded image is not actually used for anything, but the download action is just used to measure connectivity and/or bandwidth. (As most downloads are not even completed, the downloaded file will be unusable in any case.)

Many questions, many speculations, very few answers that bring us forward.

I think we have reached a point now where we have exhausted the information contained in the server logs (except if @eduperez is able to distill some new information out of the logs over the weekend).

I checked where we could complain about this issue, and it boils down to basically 6 addresses (the numbers are the current download counts 06...18.-JAN-2019):
[image: list of the addresses with download counts]

If somebody is able to investigate this deeper, then it's the ISPs, since they know who is behind their IPs and how to contact them.

@thess What do you think about this?

It's very strange. I'm from Bilbao, but Euskaltel doesn't provide that router. I can check it if you can send some information on the Euskaltel network.

I worked on the files during the weekend, and came to more speculations... at the end of the day, all we have are addresses, times, clients, sizes, etc.; I could not get to any conclusion about who is doing all these accesses or why.

I'm pretty sure this has to be related to something like guifi.net, since I don't know about any ISP giving out that router or using OpenWRT. This stuff is used by geek guys behind the ISP's router, there are many tutorials about it, see:

https://foro.seguridadwireless.net/openwrt/(mini-guia)-facil-para-conectar-openwrt-a-un-servidor-vpn-externo/

https://tombatossals.github.io/instalar-openwrt/

and many more.

Well, I refined the search looking for "site:guifi.net wr1043nd-v1-squashfs-factory.bin"

I got just one result, "http://listas.valencia.guifi.net/pipermail/usuarios/2013-February/001641.html", where the subject can be translated as "OpenWRT install tutorial with OpenVPN client on TP-Link router". It should be noted that the message dates back to 2013, and by going back in that thread I found a non-working (404) link to Dropbox.

So I can only guess this is a matter of somebody IT-illiterate doing something really wrong, and I would suggest getting in contact with guifi.net people, not because I think they are the bad guys but instead because they have mailing lists, etc., and they could perhaps issue a warning.

However, a ban of Spanish IP addresses could be even faster, and I don't think it could harm anybody.

guifi does not fit the observed hotspots.

Compare https://guifi.net/ca/node/17718/view/map and the pictures in my posting above which are showing the hotspots of the 1043nd issue.

  • guifi has concentrations in two locations (shown in blue in the picture below): east coast and west of Bilbao.
  • the 1043nd issue has a concentration around Bilbao (shown in red), a bit in Madrid, but not so much at the east coast (Barcelona etc.) as one would expect from the guifi map.
  • Logrono has a significant amount of downloads (same range as Barcelona), but is practically non-existent on the guifi map.
    [image: guifi_map]
1 Like

Thank you anyways for your efforts!

1 Like

Thanks for your suggestions! I ended up at http://ip-api.com/.
Free, nice and easy, selectable output, 150 requests/min (quite high compared to other services which allow only 1000 / day).

As a next step and temporary remedy to help reduce excessive bandwidth waste, I have a proposal.

By using simple rewrite rules, all references to the specific image file will be re-directed to a small static page with a message and a link to the requested target file. The substitute link can be used to fetch the actual staged image file. By doing the redirection in this manner, it will not interfere with build system uploads and sha256sums. The file name will be slightly different but I think that can be handled by a rename or manual sha256 check by whoever is fetching it. No signatures will be invalidated.

I intend to relay this information to the dev mailing lists and will not put it in effect for a couple of days - waiting for feedback, etc. The static page will probably be something like:

Requested file has been relocated due to excessive download requests by automated processes.

The file you requested can be obtained here: <link-to tl-wr1043nd-v1>

We are sorry for any inconvenience caused by this issue.

While this change is in effect we should continue to pursue the source of the anomalous download requests.

3 Likes
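
The log measurements discussed in this thread (per-IP request counts, downloads that are never completed, a blocked IP that keeps requesting and only gets 403) can be reproduced from an access log as follows. This is an added example, not code from the thread or from the OpenWrt project; it assumes Combined Log Format with a byte field that records bytes actually sent, and the sample lines, paths, IPs and `FULL_SIZE` are constructed.

```python
import re
from collections import defaultdict

# Image name as quoted in the thread; matched as the end of the request path.
TARGET = "wr1043nd-v1-squashfs-factory.bin"
# Assumed full image size in bytes (constructed value, not the real file size).
FULL_SIZE = 8_126_464
# Combined Log Format: ip - - [time] "METHOD path proto" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines: documentation IP ranges, invented paths and sizes.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Jan/2019:10:00:01 +0000] "GET /snapshots/openwrt-tl-wr1043nd-v1-squashfs-factory.bin HTTP/1.1" 403 162
192.0.2.10 - - [18/Jan/2019:10:00:31 +0000] "GET /snapshots/openwrt-tl-wr1043nd-v1-squashfs-factory.bin HTTP/1.1" 403 162
192.0.2.10 - - [18/Jan/2019:10:01:01 +0000] "GET /snapshots/openwrt-tl-wr1043nd-v1-squashfs-factory.bin HTTP/1.1" 403 162
198.51.100.7 - - [18/Jan/2019:10:02:10 +0000] "GET /snapshots/openwrt-tl-wr1043nd-v1-squashfs-factory.bin HTTP/1.1" 200 8126464
203.0.113.5 - - [18/Jan/2019:10:03:00 +0000] "GET /snapshots/openwrt-tl-wr1043nd-v1-squashfs-factory.bin HTTP/1.1" 200 1048576
203.0.113.5 - - [18/Jan/2019:10:08:00 +0000] "GET /snapshots/openwrt-tl-wr1043nd-v1-squashfs-factory.bin HTTP/1.1" 206 524288
203.0.113.5 - - [18/Jan/2019:10:09:00 +0000] "GET /snapshots/openwrt-tl-wr1043nd-v1-squashfs-sysupgrade.bin HTTP/1.1" 200 8126464
"""

def summarize(log_text, target=TARGET, full_size=FULL_SIZE):
    """Per-IP outcomes for the target image; a short 200 counts as partial."""
    stats = defaultdict(lambda: dict(requests=0, complete=0, partial=0,
                                     denied=0, image_bytes=0))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].split("?")[0].endswith(target):
            continue  # unparsable line or a different file
        s, status = stats[m["ip"]], int(m["status"])
        sent = 0 if m["bytes"] == "-" else int(m["bytes"])
        s["requests"] += 1
        if status == 403:
            s["denied"] += 1  # blocked client that keeps requesting anyway
        elif status in (200, 206):
            s["image_bytes"] += sent
            s["complete" if status == 200 and sent >= full_size else "partial"] += 1
    return dict(stats)

def top_talkers(stats, n=3):
    """IPs ordered by number of requests for the image, highest first."""
    return sorted(stats.items(), key=lambda kv: -kv[1]["requests"])[:n]

if __name__ == "__main__":
    for ip, s in top_talkers(summarize(SAMPLE_LOG)):
        print(ip, s)
```

A client whose requests are mostly `partial` or `denied` and that never changes behaviour matches the automated pattern described in the thread, whereas a person fetching the image once shows up as a single `complete` entry.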