Got a note from an ISP today indicating that my website
was suspended due to data transfer over-use for the month. (>50G)
It's only the 7th day of the month and this hadn't been a
problem in the 6 years they'd hosted the service.

Turns out that three chinese sources had downloaded the same
set of files, each 262 times. That would do it.

So, anyone else looking to update bipolar semiconductor,
packaging or spice parameter spreadsheets; look at K.A.Pullen's
'Conductance Design Curve Manual' or any of the other bits
stored at ve3ute.ca are out of luck, for the rest of the month .

Seems strange that the same three addresses downloaded the
same files, the same number of times. Is this a denial of
service attack?

RL

On 07/03/2024 17:49, legg wrote:
> Got a note from an ISP today indicating that my website
> was suspended due to data transfer over-use for the month. (>50G)
> It's only the 7th day of the month and this hadn't been a
> problem in the 6 years they'd hosted the service.
>
> Turns out that three chinese sources had downloaded the same
> set of files, each 262 times. That would do it.
>
> So, anyone else looking to update bipolar semiconductor,
> packaging or spice parameter spreadsheets; look at K.A.Pullen's
> 'Conductance Design Curve Manual' or any of the other bits
> stored at ve3ute.ca are out of luck, for the rest of the month .
>
> Seems strange that the same three addresses downloaded the
> same files, the same number of times. Is this a denial of
> service attack?
>
> RL

I have seen DNS servers in China poisoned in such a way that lookups
of sites that are deemed to be inappropriate are responded to with the
address of some random but genuine site. This happened to a company in
the UK and resulted in a huge amount of traffic.
Why such a DNS poisoning would lead to lots of downloads is less obvious.
John

On 3/7/2024 10:49 AM, legg wrote:
> Got a note from an ISP today indicating that my website
> was suspended due to data transfer over-use for the month. (>50G)
> It's only the 7th day of the month and this hadn't been a
> problem in the 6 years they'd hosted the service.
>
> Turns out that three chinese sources had downloaded the same
> set of files, each 262 times. That would do it.
>
> So, anyone else looking to update bipolar semiconductor,
> packaging or spice parameter spreadsheets; look at K.A.Pullen's
> 'Conductance Design Curve Manual' or any of the other bits
> stored at ve3ute.ca are out of luck, for the rest of the month .
>
> Seems strange that the same three addresses downloaded the
> same files, the same number of times. Is this a denial of
> service attack?

Of sorts.

You might look at the *times* to see if it looks "mechanical"
or "human initiated".

You could change your "service" to one that delivers *requested*
content; email driven so you can insert your own metering function
in that loop. Or, a combination of the two -- hide the content
and return a one-time, unique, time-limited URL as the result of
an *approved* email request...

[Or, you can *hide* your site and only make it available by
invitation]

A quick response from the ISP says they're blocking
the three hosts and 'monitoring the situatio'.

All the downloading was occuring between certain
hours of the day in sequence - first one host
between 11 and 12pm. one days rest, then the
second host at the same timeon the third day,
then the third host on the fourth day.

Same files 262 times each, 17Gb each.

Not normal web activity, as I know it.

RL

On a sunny day (Thu, 07 Mar 2024 17:12:27 -0500) it happened legg
<legg@nospam.magma.ca> wrote in <6lekuihu1heui4th3ogtnqk9ph8msobmj3@4ax.com>:

>A quick response from the ISP says they're blocking
>the three hosts and 'monitoring the situatio'.
>
>All the downloading was occuring between certain
>hours of the day in sequence - first one host
>between 11 and 12pm. one days rest, then the
>second host at the same timeon the third day,
>then the third host on the fourth day.
>
>Same files 262 times each, 17Gb each.
>
>Not normal web activity, as I know it.
>
>RL

Many sites have a 'I m not a bot' sort of thing you have to go through to get access.

On 07/03/2024 17:49, legg wrote:
> Got a note from an ISP today indicating that my website
> was suspended due to data transfer over-use for the month. (>50G)
> It's only the 7th day of the month and this hadn't been a
> problem in the 6 years they'd hosted the service.
>
> Turns out that three chinese sources had downloaded the same
> set of files, each 262 times. That would do it.

Much as I *hate* Captcha this is the sort of DOS attack that it helps to
prevent. The other option is to add a script to tarpit or block
completely second or third requests for the same large files coming from
the same IP address occurring within the hour.

> So, anyone else looking to update bipolar semiconductor,
> packaging or spice parameter spreadsheets; look at K.A.Pullen's
> 'Conductance Design Curve Manual' or any of the other bits
> stored at ve3ute.ca are out of luck, for the rest of the month .
>
> Seems strange that the same three addresses downloaded the
> same files, the same number of times. Is this a denial of
> service attack?

Quite likely. Your ISP should be able to help you with this if they are
any good. Most have at least some defences against ridiculous numbers of
downloads or other traffic coming from the same bad actor source.

Provided that you don't have too many customers in mainland china
blacklist the main zones of their IP address range:

https://lite.ip2location.com/china-ip-address-ranges?lang=en_US

One rogue hammering your site is just run of the mill bad luck but three
of them doing it in quick succession looks very suspicious to me.

--
Martin Brown

On Fri, 8 Mar 2024 11:16:46 +0000, Martin Brown
<'''newspam'''@nonad.co.uk> wrote:

>On 07/03/2024 17:49, legg wrote:
>> Got a note from an ISP today indicating that my website
>> was suspended due to data transfer over-use for the month. (>50G)
>> It's only the 7th day of the month and this hadn't been a
>> problem in the 6 years they'd hosted the service.
>>
>> Turns out that three chinese sources had downloaded the same
>> set of files, each 262 times. That would do it.
>
>Much as I *hate* Captcha this is the sort of DOS attack that it helps to
>prevent. The other option is to add a script to tarpit or block
>completely second or third requests for the same large files coming from
>the same IP address occurring within the hour.
>
>> So, anyone else looking to update bipolar semiconductor,
>> packaging or spice parameter spreadsheets; look at K.A.Pullen's
>> 'Conductance Design Curve Manual' or any of the other bits
>> stored at ve3ute.ca are out of luck, for the rest of the month .
>>
>> Seems strange that the same three addresses downloaded the
>> same files, the same number of times. Is this a denial of
>> service attack?
>
>Quite likely. Your ISP should be able to help you with this if they are
>any good. Most have at least some defences against ridiculous numbers of
>downloads or other traffic coming from the same bad actor source.
>
>Provided that you don't have too many customers in mainland china
>blacklist the main zones of their IP address range:
>
>https://lite.ip2location.com/china-ip-address-ranges?lang=en_US
>
>One rogue hammering your site is just run of the mill bad luck but three
>of them doing it in quick succession looks very suspicious to me.

Beijin, Harbin and roaming.

Yeah. You gotta ask yourself; what's the friggin' point?

RL

On Fri, 08 Mar 2024 06:43:49 GMT, Jan Panteltje <alien@comet.invalid>
wrote:

>On a sunny day (Thu, 07 Mar 2024 17:12:27 -0500) it happened legg
><legg@nospam.magma.ca> wrote in <6lekuihu1heui4th3ogtnqk9ph8msobmj3@4ax.com>:
>
>>A quick response from the ISP says they're blocking
>>the three hosts and 'monitoring the situatio'.
>>
>>All the downloading was occuring between certain
>>hours of the day in sequence - first one host
>>between 11 and 12pm. one days rest, then the
>>second host at the same timeon the third day,
>>then the third host on the fourth day.
>>
>>Same files 262 times each, 17Gb each.
>>
>>Not normal web activity, as I know it.
>>
>>RL
>
>Many sites have a 'I m not a bot' sort of thing you have to go through to get access.

Any idea what's involved - preferably anything that doesn't
owe to Google?

ISP bumped up limit for this month as courtesy, after blocking the
first three hosts, but a fourth host just gobbled that up.

3rd March
1.82.160.27
Chinanet Shaanxi, China telecom #56 Gaoxin St Beijing 100032

5th March
183.197.52.166
China Mobile Communications

6th March
42.184.167.97
Chinanet Heilongjiang, Heilongjiang Telecom,#178 Zhongshan Rd Haerbin
150040

8th March
106.46.35.206
Chinanet Henan, Henan Telecom

I'd like to limit traffic data volume by any host to <500M,
or <50M in 24hrs. It's all ftp.

Have access to Pldesk, but am unfamiliar with capabilities
and clued out how to do much of anything save file transfer.

RL

On a sunny day (Sat, 09 Mar 2024 20:59:19 -0500) it happened legg
<legg@nospam.magma.ca> wrote in <u14quid1e74r81n0ajol0quthaumsd65md@4ax.com>:

>On Fri, 08 Mar 2024 06:43:49 GMT, Jan Panteltje <alien@comet.invalid>
>wrote:
>
>>On a sunny day (Thu, 07 Mar 2024 17:12:27 -0500) it happened legg
>><legg@nospam.magma.ca> wrote in <6lekuihu1heui4th3ogtnqk9ph8msobmj3@4ax.com>:
>>
>>>A quick response from the ISP says they're blocking
>>>the three hosts and 'monitoring the situatio'.
>>>
>>>All the downloading was occuring between certain
>>>hours of the day in sequence - first one host
>>>between 11 and 12pm. one days rest, then the
>>>second host at the same timeon the third day,
>>>then the third host on the fourth day.
>>>
>>>Same files 262 times each, 17Gb each.
>>>
>>>Not normal web activity, as I know it.
>>>
>>>RL
>>
>>Many sites have a 'I m not a bot' sort of thing you have to go through to get access.
>
>
>Any idea what's involved - preferably anything that doesn't
>owe to Google?
>...
>I'd like to limit traffic data volume by any host to <500M,
>or <50M in 24hrs. It's all ftp.

I no longer run an ftp server (for many years now),
the old one here needed a password.
Some parts of my website used to be password protected.
When I ask google for "how to add a captcha to your website"
I see many solutions, for example this:
https://www.oodlestechnologies.com/blogs/create-a-captcha-validation-in-html-and-javascript/

Maybe some html guru here nows?

Jan Panteltje <alien@comet.invalid> wrote:

> On a sunny day (Sat, 09 Mar 2024 20:59:19 -0500) it happened legg
> <legg@nospam.magma.ca> wrote in <u14quid1e74r81n0ajol0quthaumsd65md@4ax.com>:
>
> >On Fri, 08 Mar 2024 06:43:49 GMT, Jan Panteltje <alien@comet.invalid>
> >wrote:
> >
> >>On a sunny day (Thu, 07 Mar 2024 17:12:27 -0500) it happened legg
> >><legg@nospam.magma.ca> wrote in
> >><6lekuihu1heui4th3ogtnqk9ph8msobmj3@4ax.com>:
> >>
> >>>A quick response from the ISP says they're blocking
> >>>the three hosts and 'monitoring the situatio'.
> >>>
> >>>All the downloading was occuring between certain
> >>>hours of the day in sequence - first one host
> >>>between 11 and 12pm. one days rest, then the
> >>>second host at the same timeon the third day,
> >>>then the third host on the fourth day.
> >>>
> >>>Same files 262 times each, 17Gb each.
> >>>
> >>>Not normal web activity, as I know it.
> >>>
> >>>RL
> >>
> >>Many sites have a 'I m not a bot' sort of thing you have to go through
> >to get access.
> >
> >
> >Any idea what's involved - preferably anything that doesn't
> >owe to Google?
> >...
> >I'd like to limit traffic data volume by any host to <500M,
> >or <50M in 24hrs. It's all ftp.
>
> I no longer run an ftp server (for many years now),
> the old one here needed a password.
> Some parts of my website used to be password protected.
> When I ask google for "how to add a captcha to your website"
> I see many solutions, for example this:
>
> https://www.oodlestechnologies.com/blogs/create-a-captcha-validation-in-ht
> ml-and-javascript/
>
> Maybe some html guru here nows?

If you can password-protect the pages, why not do that but include the
password in the text so that any human can see it and copy it? i.e.

~~~~~~~~
To prove you are human you must type in the password, the password is
ABC
Password: ___

~~~~~~~~

I don't think there is an easy way of writing anything automatic in the
HTML Body text but you might be able to add a script to the Head that
checks the IP address and blocks the ones you don't want.

If you can write PHP, you could easily write your own version of Captcha
or write a script that limits the number of repeat visits from the same
IP address in a given time. Mixing PHP into HTML pages is easy but you
have to change the file extension of each page from .htm to .php

Servers generally have facilities for PHP already built-in and the W3
Schools tutorials can get you started.

--
~ Liz Tuddenham ~
(Remove the ".invalid"s and add ".co.uk" to reply)
www.poppyrecords.co.uk

On Sun, 10 Mar 2024 06:08:15 GMT, Jan Panteltje <alien@comet.invalid>
wrote:

>On a sunny day (Sat, 09 Mar 2024 20:59:19 -0500) it happened legg
><legg@nospam.magma.ca> wrote in <u14quid1e74r81n0ajol0quthaumsd65md@4ax.com>:
>
>>On Fri, 08 Mar 2024 06:43:49 GMT, Jan Panteltje <alien@comet.invalid>
>>wrote:
>>
>>>On a sunny day (Thu, 07 Mar 2024 17:12:27 -0500) it happened legg
>>><legg@nospam.magma.ca> wrote in <6lekuihu1heui4th3ogtnqk9ph8msobmj3@4ax.com>:
>>>
>>>>A quick response from the ISP says they're blocking
>>>>the three hosts and 'monitoring the situatio'.
>>>>
>>>>All the downloading was occuring between certain
>>>>hours of the day in sequence - first one host
>>>>between 11 and 12pm. one days rest, then the
>>>>second host at the same timeon the third day,
>>>>then the third host on the fourth day.
>>>>
>>>>Same files 262 times each, 17Gb each.
>>>>
>>>>Not normal web activity, as I know it.
>>>>
>>>>RL
>>>
>>>Many sites have a 'I m not a bot' sort of thing you have to go through to get access.
>>
>>
>>Any idea what's involved - preferably anything that doesn't
>>owe to Google?
>>...
>>I'd like to limit traffic data volume by any host to <500M,
>>or <50M in 24hrs. It's all ftp.
>
>I no longer run an ftp server (for many years now),
>the old one here needed a password.
>Some parts of my website used to be password protected.
>When I ask google for "how to add a captcha to your website"
>I see many solutions, for example this:
> https://www.oodlestechnologies.com/blogs/create-a-captcha-validation-in-html-and-javascript/
>
>Maybe some html guru here nows?

That looks like it's good for accessing an html page.
So far the chinese are accessing the top level index, where
files are offered for download at a click.

Ideally, if they can't access the top level, a direct address
access to the files might be prevented?

The website's down after a fifth excursion pushed volumes above
85g on a 70G temporary extension. What's the bet it was 17G
accumulated in 262 'visits'.

Can't ID that final hosts IP address while I'm locked out.

Luckily (~) for users, you can still access most of the usefull
files, updated in January 2024, through the Wayback Machine.

https://web.archive.org/web/20240000000000*/http://www.ve3ute.ca/

Probably the best place for it, in some people's opinion, anyways.

YOU can make stuff available to others, in the future, by 'suggesting'
relevent site addresses to the Internet Archive, if they're not
already being covered.

Once a 'captcha' or other security device is added, you can kiss
Wayback updates goodbye, as most bots will get the message.
I don't mind bots - thay can do good work.

Pity you can't just put stuff up in the public domain without
this kind of bullshit.

RL

On Sun, 10 Mar 2024 09:28:12 +0000, liz@poppyrecords.invalid.invalid
(Liz Tuddenham) wrote:

>If you can password-protect the pages, why not do that but include the
>password in the text so that any human can see it and copy it? i.e.
>
>~~~~~~~~
>To prove you are human you must type in the password, the password is
>ABC
>Password: ___
>
>~~~~~~~~

That doesn't work if humans are doing the work in human Captcha
solving services:

"I Was a Human CAPTCHA Solver"
<https://www.f5.com/labs/articles/cisotociso/i-was-a-human-captcha-solver>

More of the same:
<https://www.google.com/search?q=captcha+solving+services>

--
Jeff Liebermann jeffl@cruzio.com
PO Box 272 http://www.LearnByDestroying.com
Ben Lomond CA 95005-0272
Skype: JeffLiebermann AE6KS 831-336-2558

On 3/10/2024 10:47 AM, legg wrote:
> So far the chinese are accessing the top level index, where
> files are offered for download at a click.
>
> Ideally, if they can't access the top level, a direct address
> access to the files might be prevented?

Many file sharing services deliberately do NOT offer access
to a "folder index" for similar reasons. This allows the
owner of the file(s) to publish specific links to individual files
while keeping the folder, itself, hidden.

This is done by creating unique URLs for each file.
I.e., instead of ..../foldername/filename you publish
..../foldername/pseudorandomappearingstring/filename
where "foldername" is some bogus sequence of characters
and pseudorandomappearingstring varies from file to file!

> The website's down after a fifth excursion pushed volumes above
> 85g on a 70G temporary extension. What's the bet it was 17G
> accumulated in 262 'visits'.
>
> Can't ID that final hosts IP address while I'm locked out.
>
> Luckily (~) for users, you can still access most of the usefull
> files, updated in January 2024, through the Wayback Machine.
>
> https://web.archive.org/web/20240000000000*/http://www.ve3ute.ca/
>
> Probably the best place for it, in some people's opinion, anyways.

There's no guarantee that the *files* will be accessible via those
links. I have often gone looking for something that has disappeared
from its original home and able to find the *pages* that reference
them but not the actual *payloads*. (this happened as recently as
yesterday)

Pages take up far less space than payloads, typically, so it is
understandable that they would capture the page but not the
files referenced from it.

> YOU can make stuff available to others, in the future, by 'suggesting'
> relevent site addresses to the Internet Archive, if they're not
> already being covered.
>
> Once a 'captcha' or other security device is added, you can kiss
> Wayback updates goodbye, as most bots will get the message.
> I don't mind bots - thay can do good work.
>
> Pity you can't just put stuff up in the public domain without
> this kind of bullshit.

Making it accessible to *all* means you have to expect *all* to
access it. Hard to blame your ISP for wanting to put a limit on the
traffic to the site (my AUP forbids me from operating a public
server so I have to use more clandestine means of "publishing")

If demand is low enough (you can determine that by looking at past
"legitimate" traffic), you can insert yourself in the process by
requesting a form completion: "These are the things that I have
available. Type the name of the item into the box provided"

This eliminates LINKS on the page and requires someone who can
read the text to identify the item(s) of interest. This allows
you to intervene even if the "user" is not a 'bot but a poorly
paid urchin trying to harvest content.

On 2024-03-10, legg <legg@nospam.magma.ca> wrote:
> On Fri, 08 Mar 2024 06:43:49 GMT, Jan Panteltje <alien@comet.invalid>
> wrote:
>
>>On a sunny day (Thu, 07 Mar 2024 17:12:27 -0500) it happened legg
>><legg@nospam.magma.ca> wrote in <6lekuihu1heui4th3ogtnqk9ph8msobmj3@4ax.com>:
>>
>>>A quick response from the ISP says they're blocking
>>>the three hosts and 'monitoring the situatio'.
>>>
>>>All the downloading was occuring between certain
>>>hours of the day in sequence - first one host
>>>between 11 and 12pm. one days rest, then the
>>>second host at the same timeon the third day,
>>>then the third host on the fourth day.
>>>
>>>Same files 262 times each, 17Gb each.
>>>
>>>Not normal web activity, as I know it.
>>>
>>>RL
>>
>>Many sites have a 'I m not a bot' sort of thing you have to go through to get access.
>
>
> Any idea what's involved - preferably anything that doesn't
> owe to Google?

> I'd like to limit traffic data volume by any host to <500M,
> or <50M in 24hrs. It's all ftp.

FTP makes it harder, you'll prably need to process the FTP logs and
put in a firewall rule once an ip address has exceeded their quota.
it may be possible to configure fail2ban to do this or you might have
to write your own script.

> Have access to Pldesk, but am unfamiliar with capabilities
> and clued out how to do much of anything save file transfer.

You'll probably need a root shell to do this setup.

--
Jasen.
🇺🇦 Слава Україні

On a sunny day (Sun, 10 Mar 2024 13:47:48 -0400) it happened legg
<legg@nospam.magma.ca> wrote in <t7rrui5ohh07vlvn5vnl277eec6bmvo4p9@4ax.com>:

>On Sun, 10 Mar 2024 06:08:15 GMT, Jan Panteltje <alien@comet.invalid>
>wrote:
>
>>On a sunny day (Sat, 09 Mar 2024 20:59:19 -0500) it happened legg
>><legg@nospam.magma.ca> wrote in <u14quid1e74r81n0ajol0quthaumsd65md@4ax.com>:
>>
>>>On Fri, 08 Mar 2024 06:43:49 GMT, Jan Panteltje <alien@comet.invalid>
>>>wrote:
>>>
>>>>On a sunny day (Thu, 07 Mar 2024 17:12:27 -0500) it happened legg
>>>><legg@nospam.magma.ca> wrote in <6lekuihu1heui4th3ogtnqk9ph8msobmj3@4ax.com>:
>>>>
>>>>>A quick response from the ISP says they're blocking
>>>>>the three hosts and 'monitoring the situatio'.
>>>>>
>>>>>All the downloading was occuring between certain
>>>>>hours of the day in sequence - first one host
>>>>>between 11 and 12pm. one days rest, then the
>>>>>second host at the same timeon the third day,
>>>>>then the third host on the fourth day.
>>>>>
>>>>>Same files 262 times each, 17Gb each.
>>>>>
>>>>>Not normal web activity, as I know it.
>>>>>
>>>>>RL
>>>>
>>>>Many sites have a 'I m not a bot' sort of thing you have to go through to get access.
>>>
>>>
>>>Any idea what's involved - preferably anything that doesn't
>>>owe to Google?
>>>...
>>>I'd like to limit traffic data volume by any host to <500M,
>>>or <50M in 24hrs. It's all ftp.
>>
>>I no longer run an ftp server (for many years now),
>>the old one here needed a password.
>>Some parts of my website used to be password protected.
>>When I ask google for "how to add a captcha to your website"
>>I see many solutions, for example this:
>> https://www.oodlestechnologies.com/blogs/create-a-captcha-validation-in-html-and-javascript/
>>
>>Maybe some html guru here nows?
>
>That looks like it's good for accessing an html page.
>So far the chinese are accessing the top level index, where
>files are offered for download at a click.
>
>Ideally, if they can't access the top level, a direct address
>access to the files might be prevented?

What I am doing now is using a html://mywebsite/pub/ directory
with lots of files in it that I want to publish in for example this newsgroup,
I then just post a direct link to that file.
So it has no index file and no links to it from the main site.
It has many sub directories too.
https://panteltje.nl/pub/GPS_to_USB_module_component_site_IXIMG_1360.JPG
https://panteltje.nl/pub/pwfax-0.1/README

So you need the exact link to access anything
fine for publishing here...
Maybe Usenet conversations are saved somewhere ? google still holds the archive?
I have most postings saved here on the Raspberry Pi4 8GB I am using for web browsing and Usenet
for what I found interesting back to 2006, older to back 1998 maybe on the old PC upstairs

raspberrypi: ~/.NewsFleX # l
total 692
-rw-r--r-- 1 root root 21971 Jan 9 2006 NewsFleX.xpm
-rw-r--r-- 1 root root 2576 Jul 30 2006 newsservers.dat.bak
drwxr-xr-x 5 root root 4096 Apr 1 2008 news.isu.edu.tw/
drwxr-xr-x 5 root root 4096 Apr 1 2008 textnews.news.cambrium.nl/
-rw-r--r-- 1 root root 1 Mar 5 2009 global_custom_head
drwx------ 4 root root 4096 Dec 6 2009 http/
-rw-r--r-- 1 root root 99 Apr 4 2010 signature.org
-rw-r--r-- 1 root root 8531 Apr 4 2010 signature~
-rw-r--r-- 1 root root 8531 Apr 4 2010 signature
-rw-r--r-- 1 root root 816 Nov 9 2011 filters.dat.OK
drwxr-xr-x 3 root root 4096 Jul 5 2012 nntp.ioe.org/
drwxr-xr-x 2 root root 4096 Mar 30 2015 news.altopia.com/
drwxr-xr-x 25 root root 4096 Mar 1 2020 news2.datemas.de/
drwxr-xr-x 109 root root 4096 Jun 1 2020 news.albasani.net/
drwxr-xr-x 2 root root 4096 Nov 28 2020 setup/
drwxr-xr-x 10 root root 4096 Mar 1 2021 news.ziggo.nl/
drwxr-xr-x 6 root root 4096 Jun 1 2021 news.chello.nl/
drwxr-xr-x 2 root root 4096 Aug 19 2021 news.neodome.net/
drwxr-xr-x 6 root root 4096 Sep 1 2022 news.tornevall.net/
drwxr-xr-x 156 root root 4096 Nov 1 2022 news.datemas.de/
drwxr-xr-x 23 root root 4096 Jan 1 2023 news.aioe.cjb.net/
drwxr-xr-x 4 root root 4096 Jan 1 2023 news.cambrium.nl/
drwxr-xr-x 52 root root 4096 Jan 1 2023 news.netfront.net/
drwxr-xr-x 60 root root 4096 Feb 1 2023 freenews.netfront.net/
-rw-r--r-- 1 root root 1651 Feb 1 2023 urls.dat~
drwxr-xr-x 49 root root 4096 Apr 2 2023 freetext.usenetserver.com/
-rw-r--r-- 1 root root 1698 Apr 18 2023 urls.dat
drwxr-xr-x 15 root root 4096 Aug 2 2023 localhost/
drwxr-xr-x 11 root root 4096 Dec 15 06:57 194.177.96.78/
drwxr-xr-x 190 root root 4096 Dec 15 06:58 nntp.aioe.org/
-rw-r--r-- 1 root root 1106 Feb 23 06:43 error_log.txt
-rw-r--r-- 1 root root 966 Feb 23 13:33 filters.dat~
-rw-r--r-- 1 root root 973 Mar 2 06:28 filters.dat
drwxr-xr-x 57 root root 4096 Mar 3 11:42 news.eternal-september.org/
drwxr-xr-x 14 root root 4096 Mar 3 11:42 news.solani.org/
drwxr-xr-x 197 root root 4096 Mar 3 11:42 postings/
-rw-r--r-- 1 root root 184263 Mar 6 04:45 newsservers.dat~
-rw-r--r-- 1 root root 2407 Mar 6 04:45 posting_periods.dat~
-rw-r--r-- 1 root root 0 Mar 6 06:27 lockfile
-rw-r--r-- 1 root root 87 Mar 6 06:27 kernel_version
-rw-r--r-- 1 root root 107930 Mar 6 06:27 fontlist.txt
-rw-r--r-- 1 root root 184263 Mar 6 06:27 newsservers.dat
-rw-r--r-- 1 root root 2407 Mar 6 06:27 posting_periods.dat
.....
lots of newsservers came and went over time...

I have backups of my website on harddisk, optical and of course my hosting provider.

> On a sunny day (Sun, 10 Mar 2024 13:47:48 -0400) it happened legg
> <legg@nospam.magma.ca> wrote in
> <t7rrui5ohh07vlvn5vnl277eec6bmvo4p9@4ax.com>:
>
>>On Sun, 10 Mar 2024 06:08:15 GMT, Jan Panteltje <alien@comet.invalid>
>>wrote:
>>
>>>On a sunny day (Sat, 09 Mar 2024 20:59:19 -0500) it happened legg
>>><legg@nospam.magma.ca> wrote in
>>><u14quid1e74r81n0ajol0quthaumsd65md@4ax.com>:
>>>
>>>>On Fri, 08 Mar 2024 06:43:49 GMT, Jan Panteltje <alien@comet.invalid>
>>>>wrote:
>>>>
>>>>>On a sunny day (Thu, 07 Mar 2024 17:12:27 -0500) it happened legg
>>>>><legg@nospam.magma.ca> wrote in
>>>>><6lekuihu1heui4th3ogtnqk9ph8msobmj3@4ax.com>:
>>>>>
>>>>>>A quick response from the ISP says they're blocking the three hosts
>>>>>>and 'monitoring the situatio'.
>>>>>>
>>>>>>All the downloading was occuring between certain hours of the day in
>>>>>>sequence - first one host between 11 and 12pm. one days rest, then
>>>>>>the second host at the same timeon the third day,
>>>>>>then the third host on the fourth day.
>>>>>>
>>>>>>Same files 262 times each, 17Gb each.
>>>>>>
>>>>>>Not normal web activity, as I know it.
>>>>>>
>>>>>>RL
>>>>>
>>>>>Many sites have a 'I m not a bot' sort of thing you have to go
>>>>>through to get access.
>>>>
>>>>
>>>>Any idea what's involved - preferably anything that doesn't owe to
>>>>Google?
>>>>...
>>>>I'd like to limit traffic data volume by any host to <500M,
>>>>or <50M in 24hrs. It's all ftp.
>>>
>>>I no longer run an ftp server (for many years now),
>>>the old one here needed a password.
>>>Some parts of my website used to be password protected.
>>>When I ask google for "how to add a captcha to your website"
>>>I see many solutions, for example this:
>>> https://www.oodlestechnologies.com/blogs/create-a-captcha-validation-
in-html-and-javascript/
>>>
>>>Maybe some html guru here nows?
>>
>>That looks like it's good for accessing an html page.
>>So far the chinese are accessing the top level index, where files are
>>offered for download at a click.
>>
>>Ideally, if they can't access the top level, a direct address access to
>>the files might be prevented?
>
> What I am doing now is using a html://mywebsite/pub/ directory with lots
> of files in it that I want to publish in for example this newsgroup,
> I then just post a direct link to that file.
> So it has no index file and no links to it from the main site.
> It has many sub directories too.
> https://panteltje.nl/pub/
GPS_to_USB_module_component_site_IXIMG_1360.JPG
> https://panteltje.nl/pub/pwfax-0.1/README
>
> So you need the exact link to access anything fine for publishing
> here...
> Maybe Usenet conversations are saved somewhere ? google still holds the
> archive?
> I have most postings saved here on the Raspberry Pi4 8GB I am using for
> web browsing and Usenet for what I found interesting back to 2006, older
> to back 1998 maybe on the old PC upstairs
>
> raspberrypi: ~/.NewsFleX # l total 692 -rw-r--r-- 1 root root 21971
> Jan 9 2006 NewsFleX.xpm -rw-r--r-- 1 root root 2576 Jul 30 2006
> newsservers.dat.bak drwxr-xr-x 5 root root 4096 Apr 1 2008
> news.isu.edu.tw/
> drwxr-xr-x 5 root root 4096 Apr 1 2008 textnews.news.cambrium.nl/
> -rw-r--r-- 1 root root 1 Mar 5 2009 global_custom_head
> drwx------ 4 root root 4096 Dec 6 2009 http/
> -rw-r--r-- 1 root root 99 Apr 4 2010 signature.org -rw-r--r--
> 1 root root 8531 Apr 4 2010 signature~
> -rw-r--r-- 1 root root 8531 Apr 4 2010 signature -rw-r--r-- 1
> root root 816 Nov 9 2011 filters.dat.OK drwxr-xr-x 3 root root
> 4096 Jul 5 2012 nntp.ioe.org/
> drwxr-xr-x 2 root root 4096 Mar 30 2015 news.altopia.com/
> drwxr-xr-x 25 root root 4096 Mar 1 2020 news2.datemas.de/
> drwxr-xr-x 109 root root 4096 Jun 1 2020 news.albasani.net/
> drwxr-xr-x 2 root root 4096 Nov 28 2020 setup/
> drwxr-xr-x 10 root root 4096 Mar 1 2021 news.ziggo.nl/
> drwxr-xr-x 6 root root 4096 Jun 1 2021 news.chello.nl/
> drwxr-xr-x 2 root root 4096 Aug 19 2021 news.neodome.net/
> drwxr-xr-x 6 root root 4096 Sep 1 2022 news.tornevall.net/
> drwxr-xr-x 156 root root 4096 Nov 1 2022 news.datemas.de/
> drwxr-xr-x 23 root root 4096 Jan 1 2023 news.aioe.cjb.net/
> drwxr-xr-x 4 root root 4096 Jan 1 2023 news.cambrium.nl/
> drwxr-xr-x 52 root root 4096 Jan 1 2023 news.netfront.net/
> drwxr-xr-x 60 root root 4096 Feb 1 2023 freenews.netfront.net/
> -rw-r--r-- 1 root root 1651 Feb 1 2023 urls.dat~
> drwxr-xr-x 49 root root 4096 Apr 2 2023 freetext.usenetserver.com/
> -rw-r--r-- 1 root root 1698 Apr 18 2023 urls.dat drwxr-xr-x 15
> root root 4096 Aug 2 2023 localhost/
> drwxr-xr-x 11 root root 4096 Dec 15 06:57 194.177.96.78/
> drwxr-xr-x 190 root root 4096 Dec 15 06:58 nntp.aioe.org/
> -rw-r--r-- 1 root root 1106 Feb 23 06:43 error_log.txt -rw-r--r--
> 1 root root 966 Feb 23 13:33 filters.dat~
> -rw-r--r-- 1 root root 973 Mar 2 06:28 filters.dat drwxr-xr-x 57
> root root 4096 Mar 3 11:42 news.eternal-september.org/
> drwxr-xr-x 14 root root 4096 Mar 3 11:42 news.solani.org/
> drwxr-xr-x 197 root root 4096 Mar 3 11:42 postings/
> -rw-r--r-- 1 root root 184263 Mar 6 04:45 newsservers.dat~
> -rw-r--r-- 1 root root 2407 Mar 6 04:45 posting_periods.dat~
> -rw-r--r-- 1 root root 0 Mar 6 06:27 lockfile -rw-r--r-- 1
> root root 87 Mar 6 06:27 kernel_version -rw-r--r-- 1 root root
> 107930 Mar 6 06:27 fontlist.txt -rw-r--r-- 1 root root 184263 Mar 6
> 06:27 newsservers.dat -rw-r--r-- 1 root root 2407 Mar 6 06:27
> posting_periods.dat ....
> lots of newsservers came and went over time...
>
> I have backups of my website on harddisk, optical and of course my
> hosting provider.

You may find the file:

/etc/hosts.deny

useful in this case, you can block by name(s) or ip(s).
Man hosts,deny
for more info

--
Jim Whitby

Famous, adj.:
Conspicuously miserable.
-- Ambrose Bierce, "The Devil's Dictionary"
----------------------
Mageia release 9 (Official) for x86_64
6.6.18-server-1.mga9 unknown
----------------------

On 3/10/2024 11:43 PM, jim whitby wrote:
> You may find the file:
>
> /etc/hosts.deny
>
> useful in this case, you can block by name(s) or ip(s).
> Man hosts,deny
> for more info

My read is not that *he* is having traffic throttled to a
server that *he* operates but, rather, that traffic to
a (virtual) server that his ISP operates on his behalf
is being throttled. I.e., his subscription allows 50GB/month
(and some amount of storage space) and that is being exceeded
by "unfriendly" clients.

As he has no direct control over traffic, he is at the mercy of
unknown (in this case, chinese) users to limit THEIR accesses
to his (virtual) site. I.e., his *provider* needs to restrict
unwanted accesses.

Sort of like complaining to your cellular provider that you are
getting too many text messages from people that you don't want
to hear from and these are eating into your monthly quota...

On a sunny day (Mon, 11 Mar 2024 06:43:34 -0000 (UTC)) it happened jim whitby
<mr.spock@spockmall.net> wrote in <usm96m$3fkqg$1@dont-email.me>:

>You may find the file:
>
>/etc/hosts.deny
>
>useful in this case, you can block by name(s) or ip(s).
>Man hosts,deny
>for more info

I wrote a small script years ago using Linux iptables to reject bad IP adresses.

raspberrypi: ~ # cat /usr/local/sbin_pi_95/ireject
# this is called to add a input deny for an IP addres to ipchains,
# and save the configuration.

if [ "$1" = "" ]
then
echo "Usage: reject IP_address"
exit 1
fi

# OLD ipchains
##ipchains -A input -s $1 -l -j REJECT
#ipchains -L
##ipchains-save > /root/firewall
##echo "reject: ipchains configuration written to /root/firewall"

#iptables -A INPUT -s $1 -p all -j REJECT
#iptables -A INPUT -s $1 -p all -j DROP

echo "executing iptables -A INPUT -s $1 -p all -j DROP"
iptables -A INPUT -s $1 -p all -j DROP

echo "executing iptables -A OUTPUT -s $1 -p all -j REJECT"
iptables -A OUTPUT -s $1 -p all -j REJECT

iptables-save > /root/firewall2

exit 0

Therr is an other one 'load_firewall somewhere.
raspberrypi: ~ # cat /usr/local/sbin_pi_95/load-firewall
iptables -F
#/sbin/ipchains-restore < /root/firewall
/sbin/iptables-restore < /root/firewall2

There were many many entries in /root/firewall back then, daily work to keep track of attacks.
Now I am on a dynamic IP address and the website is handled by a company,
saves a lot of time.

Things evolve all the time, iptables sets this Raspberry Pi with 8 GB memory as router too,
runs with a Huawei 4G USB stick with IP 192.168.8.100 for net connection, anywhere in Europe I think,
an other script:

raspberrypi: # cat /usr/local/sbin/start_4g_router
#!/usr//bin/bash

iptables -F

route add -net 192.168.0.0/16 dev eth0

echo 1 >/proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING ! -d 192.168.0.0/16 -o eth1 -j SNAT --to-source 192.168.8.100
sleep 1

ifconfig eth0 down
sleep 1

ifconfig eth0 192.168.178.1 up
sleep 1

vnstat -i eth1 -s
sleep 1

# default is set to 192.168.8.1, using 8.8.8.8 and 8.8.4.4 google name server lookup
cp /etc/resolv.conf.GOOGLE /etc/resolv.conf
sleep 1

# reduce swapping
sysctl vm.swappiness=5

echo "ready"

There is more, but then again, things change over time too.

On Mon, 11 Mar 2024 09:53:44 GMT, Jan Panteltje <alien@comet.invalid>
wrote:

>On a sunny day (Mon, 11 Mar 2024 06:43:34 -0000 (UTC)) it happened jim whitby
><mr.spock@spockmall.net> wrote in <usm96m$3fkqg$1@dont-email.me>:
>
>>You may find the file:
>>
>>/etc/hosts.deny
>>
>>useful in this case, you can block by name(s) or ip(s).
>>Man hosts,deny
>>for more info
>
>I wrote a small script years ago using Linux iptables to reject bad IP adresses.
>
>raspberrypi: ~ # cat /usr/local/sbin_pi_95/ireject
># this is called to add a input deny for an IP addres to ipchains,
># and save the configuration.
>
>if [ "$1" = "" ]
>then
> echo "Usage: reject IP_address"
> exit 1
>fi
>
># OLD ipchains
>##ipchains -A input -s $1 -l -j REJECT
>#ipchains -L
>##ipchains-save > /root/firewall
>##echo "reject: ipchains configuration written to /root/firewall"
>
>#iptables -A INPUT -s $1 -p all -j REJECT
>#iptables -A INPUT -s $1 -p all -j DROP
>
>echo "executing iptables -A INPUT -s $1 -p all -j DROP"
>iptables -A INPUT -s $1 -p all -j DROP
>
>echo "executing iptables -A OUTPUT -s $1 -p all -j REJECT"
>iptables -A OUTPUT -s $1 -p all -j REJECT
>
>iptables-save > /root/firewall2
>
>exit 0
>
>Therr is an other one 'load_firewall somewhere.
>raspberrypi: ~ # cat /usr/local/sbin_pi_95/load-firewall
>iptables -F
>#/sbin/ipchains-restore < /root/firewall
>/sbin/iptables-restore < /root/firewall2
>
>
>
>There were many many entries in /root/firewall back then, daily work to keep track of attacks.
>Now I am on a dynamic IP address and the website is handled by a company,
>saves a lot of time.
>
>Things evolve all the time, iptables sets this Raspberry Pi with 8 GB memory as router too,
>runs with a Huawei 4G USB stick with IP 192.168.8.100 for net connection, anywhere in Europe I think,
>an other script:
>
>raspberrypi: # cat /usr/local/sbin/start_4g_router
>#!/usr//bin/bash
>
>iptables -F
>
>route add -net 192.168.0.0/16 dev eth0
>
>echo 1 >/proc/sys/net/ipv4/ip_forward
>
>iptables -t nat -A POSTROUTING ! -d 192.168.0.0/16 -o eth1 -j SNAT --to-source 192.168.8.100
>sleep 1
>
>ifconfig eth0 down
>sleep 1
>
>ifconfig eth0 192.168.178.1 up
>sleep 1
>
>vnstat -i eth1 -s
>sleep 1
>
># default is set to 192.168.8.1, using 8.8.8.8 and 8.8.4.4 google name server lookup
>cp /etc/resolv.conf.GOOGLE /etc/resolv.conf
>sleep 1
>
># reduce swapping
>sysctl vm.swappiness=5
>
>echo "ready"
>
>
>There is more, but then again, things change over time too.

Blocking a single IP hasn't worked for my ISP.

Each identical 17G download block (262 visits)was by a new IP
in a completely different location/region.

Beijing, Hearbin, Henan, a mobile and a fifth, so far untraced
due to suspension of my site.

RL

On Thu, 07 Mar 2024 12:49:30 -0500, legg <legg@nospam.magma.ca> wrote:

>Got a note from an ISP today indicating that my website
>was suspended due to data transfer over-use for the month. (>50G)
>It's only the 7th day of the month and this hadn't been a
>problem in the 6 years they'd hosted the service.
>
>Turns out that three chinese sources had downloaded the same
>set of files, each 262 times. That would do it.
>
>So, anyone else looking to update bipolar semiconductor,
>packaging or spice parameter spreadsheets; look at K.A.Pullen's
>'Conductance Design Curve Manual' or any of the other bits
>stored at ve3ute.ca are out of luck, for the rest of the month .
>
>Seems strange that the same three addresses downloaded the
>same files, the same number of times. Is this a denial of
>service attack?
>
>RL

You can still access most of the usefull files, updated in
January 2024, through the Wayback Machine.

https://web.archive.org/web/20240000000000*/http://www.ve3ute.ca/

Probably the best place for it, in some people's opinion, anyways.

RL

On 3/11/2024 7:40 AM, legg wrote:
> Blocking a single IP hasn't worked for my ISP.

It won't. Even novice users can move to a different IP using reeadily
available mechanisms.

Whitelisting can work (which is the approach that I use) but
it assumes you know who you *want* to access your site.

(It's a lot harder to guess a permitted IP than it is to avoid
an obviously BLOCKED one!)

> Each identical 17G download block (262 visits)was by a new IP
> in a completely different location/region.
>
> Beijing, Hearbin, Henan, a mobile and a fifth, so far untraced
> due to suspension of my site.

There's a reason things like "captcha" exist.

Note that this still doesn't prevent the *page(s)* from being repeatedly
accessed. But, presumably, their size is considerably smaller than
that of the payloads you want to protect.

OTOH, if someone wants to shut down your account due to an exceeded
quota, they can keep reloading those pages until they've eaten up your
traffic quota. And, "they" can be an automated process!

[Operating a server in stealth mode can avoid this. But, then
you're not "open to the public"! :> ]

On Mon, 11 Mar 2024 06:05:26 GMT, Jan Panteltje <alien@comet.invalid>
wrote:

>On a sunny day (Sun, 10 Mar 2024 13:47:48 -0400) it happened legg
><legg@nospam.magma.ca> wrote in <t7rrui5ohh07vlvn5vnl277eec6bmvo4p9@4ax.com>:
>
>>On Sun, 10 Mar 2024 06:08:15 GMT, Jan Panteltje <alien@comet.invalid>
>>wrote:
>>
>>>On a sunny day (Sat, 09 Mar 2024 20:59:19 -0500) it happened legg
>>><legg@nospam.magma.ca> wrote in <u14quid1e74r81n0ajol0quthaumsd65md@4ax.com>:
>>>
<snip>
>>>When I ask google for "how to add a captcha to your website"
>>>I see many solutions, for example this:
>>> https://www.oodlestechnologies.com/blogs/create-a-captcha-validation-in-html-and-javascript/
>>>
>>>Maybe some html guru here nows?
>>
>>That looks like it's good for accessing an html page.
>>So far the chinese are accessing the top level index, where
>>files are offered for download at a click.
>>
>>Ideally, if they can't access the top level, a direct address
>>access to the files might be prevented?

Using barebones (Netscape) Seamonkey Compser, the Oodlestech
script generates a web page with a 4-figure manually-entered
human test.

How do I get a correct response to open the protected web page?

>
>What I am doing now is using a html://mywebsite/pub/ directory
>with lots of files in it that I want to publish in for example this newsgroup,
>I then just post a direct link to that file.
>So it has no index file and no links to it from the main site.
>It has many sub directories too.
> https://panteltje.nl/pub/GPS_to_USB_module_component_site_IXIMG_1360.JPG
> https://panteltje.nl/pub/pwfax-0.1/README
>
>So you need the exact link to access anything
>fine for publishing here...
<snip>

The top (~index) web page of my site has lists of direct links
to subdirectories, for double-click download by user.

It also has limks to other web pages that, in turn, offer links or
downloads to on-site and off-site locations. A great number of
off-site links are invalid, after ~10-20years of neglect. They'll
probably stay that way until something or somebody convinces me
that it's all not just a waste of time.

At present, I only maintain data links or electronic publications
that need it. This may not be neccessary, as the files are generally
small enough for the Wayback machine to have scooped up most of the
databases and spreadsheets. They're also showing up in other places,
with my blessing. Hell - Wayback even has tube curve pages from the
'Conductance Curve Design Manual' - they've got to be buried 4 folders
deep - and each is a hefty image.

Somebody, please tell me the the 'Internet Archive' is NOT owned
by Google?

Some off-site links for large image-bound mfr-logo-ident web pages
(c/o geek@scorpiorising) seem already to have introduced a
captcha-type routine. Wouldn't need many bot hits to bump that
location into a data limit. Those pages take a long time
simply to load.

Anyway - how to get the Oodlestech script to open the appropriate
page, after vetting the user as being human?

RL

On Mon, 11 Mar 2024 07:48:04 -0700, Don Y
<blockedofcourse@foo.invalid> wrote:

>On 3/11/2024 7:40 AM, legg wrote:
>> Blocking a single IP hasn't worked for my ISP.
>
>It won't. Even novice users can move to a different IP using reeadily
>available mechanisms.
>
>Whitelisting can work (which is the approach that I use) but
>it assumes you know who you *want* to access your site.
>
>(It's a lot harder to guess a permitted IP than it is to avoid
>an obviously BLOCKED one!)
>
>> Each identical 17G download block (262 visits)was by a new IP
>> in a completely different location/region.
>>
>> Beijing, Hearbin, Henan, a mobile and a fifth, so far untraced
>> due to suspension of my site.
>
>There's a reason things like "captcha" exist.
>
>Note that this still doesn't prevent the *page(s)* from being repeatedly
>accessed. But, presumably, their size is considerably smaller than
>that of the payloads you want to protect.
>
>OTOH, if someone wants to shut down your account due to an exceeded
>quota, they can keep reloading those pages until they've eaten up your
>traffic quota. And, "they" can be an automated process!
>
>[Operating a server in stealth mode can avoid this. But, then
>you're not "open to the public"! :> ]

Doing some simple experiments by temporarily renaming/replacing
some of the larger files being tageted, just to see how the bot
reacts to the new environment. If they find renamed files it
means something. If visits to get the same 17G alter it means
something else.

This all at the expense and patience of my ISP. Thumbs up there.

RL

On 3/11/2024 9:57 AM, legg wrote:
> Doing some simple experiments by temporarily renaming/replacing
> some of the larger files being tageted, just to see how the bot
> reacts to the new environment. If they find renamed files it
> means something. If visits to get the same 17G alter it means
> something else.

That;s probably a good, inexpensive strategy to see how "active"
your "clients" are. Repeated hits on stale URLs would let you
know they are likely just reprobing from previously stored
results vs. actively *exploring* your site.

[Gotta wonder if they aren't a google/archive wannabe and not
smart enough to just *look* at the site.]

> This all at the expense and patience of my ISP. Thumbs up there.

Be grateful. Many larger corporate providers would just cite
the AUP and your subscription terms and that would be the
end of THAT "discussion".

I run a thin pipe to the house -- my provider would love to
upsell me. But, it's saturated 95% of the time; a fatter
pipe would be idle while I'm away/asleep. As *latency* isn't
an issue, AVERAGE bandwidth remains the same. (as I download
another terabyte of rainbow tables...)

On 11/03/2024 16:57, legg wrote:
> On Mon, 11 Mar 2024 07:48:04 -0700, Don Y
> <blockedofcourse@foo.invalid> wrote:
>
>> On 3/11/2024 7:40 AM, legg wrote:
>>> Blocking a single IP hasn't worked for my ISP.
>>
>> It won't. Even novice users can move to a different IP using reeadily
>> available mechanisms.
>>
>> Whitelisting can work (which is the approach that I use) but
>> it assumes you know who you *want* to access your site.
>>
>> (It's a lot harder to guess a permitted IP than it is to avoid
>> an obviously BLOCKED one!)
>>
>>> Each identical 17G download block (262 visits)was by a new IP
>>> in a completely different location/region.
>>>
>>> Beijing, Hearbin, Henan, a mobile and a fifth, so far untraced
>>> due to suspension of my site.
>>
>> There's a reason things like "captcha" exist.
>>
>> Note that this still doesn't prevent the *page(s)* from being repeatedly
>> accessed. But, presumably, their size is considerably smaller than
>> that of the payloads you want to protect.
>>
>> OTOH, if someone wants to shut down your account due to an exceeded
>> quota, they can keep reloading those pages until they've eaten up your
>> traffic quota. And, "they" can be an automated process!
>>
>> [Operating a server in stealth mode can avoid this. But, then
>> you're not "open to the public"! :> ]
>
> Doing some simple experiments by temporarily renaming/replacing
> some of the larger files being tageted, just to see how the bot
> reacts to the new environment. If they find renamed files it
> means something. If visits to get the same 17G alter it means
> something else.
>
> This all at the expense and patience of my ISP. Thumbs up there.

Why don't you block entire blocks of Chinese IP addresses that contain
the ones that have attacked you until the problem ceases?
eg. add a few banned IP destinations to your .htaccess file

https://htaccessbook.com/block-ip-address/

1.80.*.* thru 1.95.*.*
101.16.*.* thru 101.16.*.*
101.144.*.* thru 101.159.*.*

If you block just a few big chunks it should make some difference.
You might have to inflict a bit of collateral damage in the 101.* range.

Otherwise you are stuck with adding some Captcha type thing to prevent
malicious bots hammering your site. I'm a bit surprised that your ISP
doesn't offer or have site wide countermeasures for such DOS attacks.

--
Martin Brown