Hmm.
And has it been a rather stable load since then? Or is it still growing?
(the public history only shows the current year 2019, so it is hard to see if there has been growth in Sep/Oct/Nov/Dec/Jan.)
If it is rather stable, it reduces the probability of gradual firmware updates by individual customers, or something like that (causing a growing load along with the growth of the installed base of the new firmware with this test download site).
That being the last day of a quarter (or one day before the first of a new quarter), I have a guess:
some kind of SLA that has been automatically tested since 1.10.2018. E.g. automatic connection speed testing every few hours, run from customer data centers (or modems).
(or the remotely controlled test URL has been changed on 30.9.2018 to point to our site)
In my opinion it seems like some kind of local software system chosen by consumers (for instance a transportation app), that connects to the internet using whichever provider they are using. When those consumers travel to other places in Spain it will still connect, but in much lower numbers than in the prime area.
They removed all the links so it will be hard for them to find the info
Regarding the source I now noticed that they seem to be from fixed connections, not mobile. There are more sources than Euskaltel, though, so I don't think it's specific to that ISP. From what I understand RIMA is Telefonica/Movistar and ONO is Vodafone fiber/ADSL.
Numbers after today's updates (added cities to IPs with >1000 downloads, preferring those which can be found from September through December; approx. 50% of downloads with city now)
Barakaldo, Bilbao, Burgos, Castro Urdiales are the Top 4.
Perhaps I interpreted the data wrongly: there is a heavy bias towards the Euskadi region (Madrid is there because of the reason I explained before, and the rest of the connections is noise), and that produces a bias towards the Euskaltel ISP, because Euskaltel has a notable presence in Euskadi, and not because the issue is related to Euskaltel at all.
So, there seems to be some software that was mass-installed on 30/09/2018 in the Euskadi region, across all providers, on devices running 24/7... each provider uses their own customized routers, I would discard a firmware update or a remote attack.
I do not see a correlation between the number of downloads and the working calendar in Euskadi.
I would like to see some results restricted to the Euskadi region: how many different IPs? Does that match the number of schools in Euskadi, for example?
@tmomas Do you think you could share the raw data from the statistics (without compromising anybody's privacy, obviously)? I have worked in data-mining, and I think that I could get more info if I have access to the raw data and do my own analysis.
October: Peaks on 8 / 15 / 22 / 28 (28 being the odd man out) -> 7-day period, with the peaks on Mondays
November: 5 / 12 / 19 / 26 -> 7-day period, with the peaks on Mondays
December: 3 / 10 / 17 / 24 -> 7-day period, with the peaks on Mondays, but much lower than in November.
Further above I mentioned that 99,7% of the downloads come from Spain.
Let's take a look at the rest:
Oh, Romania is sticking out. Let's take an even closer look:
Where are those IPs located?
-> all are within a line of 75km length, so relatively close to each other.
My interpretation:
A single IP (A,B,C,H) each day, over long periods of time -> one single user
When there are two IPs per day, it might be the same user that has just changed his (dynamic) IP
Now, Romania is quite a bit off from Spain (roughly 3000km apart), isn't it?
How come a single user in Romania shows the same download behaviour as the Spanish users (which are 99,7% of all download requests) 3000km away? What is the link between them?
While pretty interesting, that unfortunately doesn't help a lot (unless it's a static, directly assigned IP with a clear text address (GDPR/ DSGVO) or 'hack-back' capability/ authority).
Reasons for this might include the obvious, someone having bought the device in Spain and moved there (respectively eBay) - or the testbed of a hired (remote) consultant/ developer for a Spanish ISP (or botnet admin).
uclient-fetch has been developed by OpenWrt and is, in the grand scheme of things (relative to most vendor SDKs), rather new (old versions used busybox wget), that makes it rather likely that the culprit is based on LEDE/ OpenWrt - but... it's open source, small, has advantages some (mostly) proprietary projects might appreciate as well.
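
An added example, not part of the original thread and not the forum's own tooling: one way to check an access log for the pattern discussed above, that is, requests from the uclient-fetch User-Agent peaking on a 7-day cycle, together with the distinct client IPs seen per day. The combined log format, the sample lines, the documentation-range IPs and the path `/placeholder.bin` are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed "combined" access-log layout: ip, [timestamp], request, status, size, referer, agent
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^:\]]+):[^\]]*\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def make_sample():
    """Constructed log: 28 days from 1 Oct 2018, heavier on Mondays, plus browser noise."""
    lines = []
    for day in range(1, 29):
        hits = 5 if datetime(2018, 10, day).weekday() == 0 else 2
        for i in range(hits):  # documentation-range IPs, placeholder path
            lines.append(f'192.0.2.{i + 1} - - [{day:02d}/Oct/2018:03:00:00 +0000] '
                         '"GET /placeholder.bin HTTP/1.1" 200 1024 "-" "uclient-fetch"')
        lines.append(f'198.51.100.7 - - [{day:02d}/Oct/2018:04:00:00 +0000] '
                     '"GET /placeholder.bin HTTP/1.1" 200 1024 "-" "Mozilla/5.0"')
    return lines

def daily_stats(lines, agent="uclient-fetch"):
    """Per-day request count and distinct client IPs for one User-Agent."""
    counts, ips = Counter(), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m and agent in m.group(3):
            day = datetime.strptime(m.group(2), "%d/%b/%Y").date()
            counts[day] += 1
            ips[day].add(m.group(1))
    return counts, ips

def series(counts):
    """Dense day-by-day list; days without requests count as 0."""
    first, last = min(counts), max(counts)
    return [counts[first + timedelta(days=i)] for i in range((last - first).days + 1)]

def autocorr(xs, lag):
    """Autocorrelation at `lag`; a high positive value means the pattern repeats every `lag` days."""
    mean = sum(xs) / len(xs)
    var = sum((x - mean) ** 2 for x in xs)
    return 0.0 if var == 0 else sum((xs[i] - mean) * (xs[i + lag] - mean) for i in range(len(xs) - lag)) / var

def peak_weekdays(counts):
    """Weekdays (0 = Monday) of days whose count exceeds the mean."""
    mean = sum(counts.values()) / len(counts)
    return Counter(d.weekday() for d, c in counts.items() if c > mean)

if __name__ == "__main__":
    counts, ips = daily_stats(make_sample())
    xs = series(counts)
    print("lag-7:", round(autocorr(xs, 7), 2), "lag-1:", round(autocorr(xs, 1), 2))
    print("peak weekdays:", dict(peak_weekdays(counts)))
```

A strong lag-7 value next to a weak or negative lag-1 value points to a scheduled weekly job rather than human browsing, and the per-day IP sets show whether one client or many is behind each day's requests.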