and guess where the downloads are coming from... right: Spain!
Where from in Spain? Exactly the cities we already know:
When? Today 11:15 CET
The image that is being downloaded has changed from snapshot to 18.06.1 today at 11:15.
This is centrally managed behaviour. The question is: Who and why (and does he also work on weekends)?
It's not necessarily centrally managed (in the sense of adapting the URL as a response), given the particular behaviour it might 'just' fall back to a release build in case downloading the snapshot failed. I know GDPR has made it difficult, but if there are repeat offenders with static IPs (ideally directly assigned) in the list, those might provide a handle to contact someone (even if just an unsuspecting user) who might help to identify the culprit.
Difficult to judge if an IP is static or dynamic, based on the data that I have.
I found behaviour that contradicts a static IP, i.e. traffic on one IP ends and commences on another IP, both listed as static.
The other way round: Search for IPs that are constantly doing the same over time, without dropouts. Those could be static IPs, but could also be several different users on dynamic IPs.
For dynamic IPs: This could be a single user (wildly guessing)
I hadn't really expected the download count to change given that I was feeding the request with a small bit of HTML instead of the requested image. Besides changing the characteristic of the activity, I had hoped for a significant amount of reduced bandwidth usage - which was indeed happening.
If the activity has indeed moved on to a different version of the same platform image, we can apply the filter to all HTTP requests for the tl-wr1043nd-v1 factory images and see if they choose to attack something different.
I would hate to black-list all of Spain (or at least some significant geography) because of this problem. Let's see if we can come up with some other subterfuge.
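The two ideas above, restricting attention to requests for the tl-wr1043nd-v1 factory images and then looking for IPs that keep doing the same thing over time without dropouts, can be checked against a web server access log with a short script. This is an added example and not code from the thread or from the downloads server; the log lines are constructed (addresses from the RFC 5737 documentation ranges, paths modelled on the snapshot and 18.06.1 layout mentioned above), and the thresholds `min_requests` and `max_gap_hours` are assumptions to be tuned against real traffic.

```python
"""Profile repeat downloaders of one target's factory images from an access log."""
import re
from collections import defaultdict
from datetime import datetime

# Combined/common log format: ip ident user [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
RELEASE_RE = re.compile(r"^/releases/([^/]+)/")

# Constructed sample data (not real traffic). One host polls hourly and switches
# from snapshot to 18.06.1 at 11:15, one host fetches once, one fetches another
# image entirely, and one bursts three requests and then goes quiet for 12 hours.
SNAP = "/snapshots/targets/ar71xx/generic/openwrt-ar71xx-generic-tl-wr1043nd-v1-squashfs-factory.bin"
REL = "/releases/18.06.1/targets/ar71xx/generic/openwrt-18.06.1-ar71xx-generic-tl-wr1043nd-v1-squashfs-factory.bin"
OTHER = "/snapshots/targets/ar71xx/generic/openwrt-ar71xx-generic-ubnt-nano-m-xw-squashfs-factory.bin"
_EVENTS = [
    ("203.0.113.10", "08:00:00", SNAP), ("203.0.113.10", "09:00:05", SNAP),
    ("203.0.113.10", "10:00:10", SNAP), ("203.0.113.10", "11:15:01", REL),
    ("203.0.113.10", "12:15:03", REL), ("203.0.113.10", "13:15:00", REL),
    ("198.51.100.7", "08:30:00", SNAP), ("198.51.100.8", "09:10:00", OTHER),
    ("192.0.2.44", "02:00:00", SNAP), ("192.0.2.44", "02:05:00", SNAP),
    ("192.0.2.44", "02:10:00", SNAP), ("192.0.2.44", "14:00:00", SNAP),
]
SAMPLE_LOG = "\n".join(
    f'{ip} - - [23/Jun/2018:{t} +0000] "GET {path} HTTP/1.1" 200 4194304 "-" "Wget/1.19.4"'
    for ip, t, path in _EVENTS
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_factory_image(path, target):
    """Match any factory image for the target, whatever the version directory."""
    return target in path and path.endswith("-factory.bin")


def version_of(path):
    m = RELEASE_RE.match(path)
    return m.group(1) if m else "snapshot"


def profile_ips(log_text, target="tl-wr1043nd-v1", min_requests=4, max_gap_hours=6.0):
    """Per-IP activity for the target's factory images.

    'continuous' flags IPs that request steadily with no gap longer than
    max_gap_hours. That is only a candidate for a static IP or an automated
    fetcher: several users behind one NAT or a shared dynamic address can look
    the same, so the flag is a lead for whois/abuse contact, not proof.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and is_factory_image(rec["path"], target):
            by_ip[rec["ip"]].append(rec)
    profiles = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() / 3600 for a, b in zip(recs, recs[1:])]
        max_gap = max(gaps, default=0.0)
        profiles[ip] = {
            "requests": len(recs),
            "bytes": sum(r["size"] for r in recs),
            "versions": sorted({version_of(r["path"]) for r in recs}),
            "span_hours": (recs[-1]["ts"] - recs[0]["ts"]).total_seconds() / 3600,
            "max_gap_hours": max_gap,
            "continuous": len(recs) >= min_requests and max_gap <= max_gap_hours,
        }
    return profiles


if __name__ == "__main__":
    for ip, p in sorted(profile_ips(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["requests"]):
        print(f"{ip:15} n={p['requests']:3} gap={p['max_gap_hours']:5.2f}h "
              f"versions={p['versions']} continuous={p['continuous']}")
```

Run it against a real log with `profile_ips(open("access.log").read())` and sort by `requests` or `bytes`; the `versions` field shows directly whether a given address followed the snapshot-to-release switch described above, which is the behaviour worth correlating across IPs before deciding whether it is one client or many.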
I have a suspicion... but need more time to investigate.
Once I have more information together, we should do the redirect one more time, and hopefully we get the same reaction back. Chances are that we might be able to track the origin of downloads back to a certain country (which is not Spain).
Some people just don't respect others.
They waste resources just because they can do it without any repercussions.
Use whois to find responsible ISP abuse contact address and send them a letter about botnet DDOS activity.
The ISP should take action, up to suspension of the offending contract.
I'm part of the guifi.net community (Catalonia zone) and we don't use this kind of router that much. Our preferred openwrt target is the ubiquiti nanostation m5 xw.
The professional guifi ISP operators prefer stock firmware (in general they don't like openwrt), and the community, particularly the qmp community and others, uses a variety of devices as home routers.
This looks to me to be a small ISP that grew in different zones following this hype [1] (probably a reseller of traditional ISPs?); the 1043v1 is no longer available on the market (so probably they bought a bunch of them and still need to support it). In each zone there is a continuous integration thing that fetches from this server.
What I would do:
redirect link temporarily (by IP, by country, as you want) to a message explaining that this target is being abused, and put a reference to this forum
temporarily means 1 week or 1 month; a time in which people think about a different solution not involving external resources