It's been different files and scripts, but mostly just files, being accessed at a high count of one IP like that.
Here's an example from log files for one case:
Quote:
60.50.105.33 - - [18/Nov/2008:08:45:04 -0500] "GET /uploads/2476/2008_TEB_-11-_Alban_Preaubert_FS.avi HTTP/1.1" 206 91022 "http://www.skatingvideoclips.com/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
60.50.105.33 - - [18/Nov/2008:08:45:06 -0500] "GET /uploads/2476/2008_TEB_-11-_Alban_Preaubert_FS.avi HTTP/1.1" 206 227228 "http://www.skatingvideoclips.com/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
60.50.105.33 - - [18/Nov/2008:08:45:13 -0500] "GET /uploads/2476/2008_TEB_-11-_Alban_Preaubert_FS.avi HTTP/1.1" 206 115944 "http://www.skatingvideoclips.com/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
60.50.105.33 - - [18/Nov/2008:08:45:14 -0500] "GET /uploads/2476/2008_TEB_-11-_Alban_Preaubert_FS.avi HTTP/1.1" 206 157814 "http://www.skatingvideoclips.com/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
60.50.105.33 - - [18/Nov/2008:08:45:17 -0500] "GET /uploads/2476/2008_TEB_-11-_Alban_Preaubert_FS.avi HTTP/1.1" 206 156708 "http://www.skatingvideoclips.com/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
60.50.105.33 - - [18/Nov/2008:08:45:17 -0500] "GET /uploads/2476/2008_TEB_-11-_Alban_Preaubert_FS.avi HTTP/1.1" 206 203672 "http://www.skatingvideoclips.com/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
60.50.105.33 - - [18/Nov/2008:08:45:17 -0500] "GET /uploads/2476/2008_TEB_-11-_Alban_Preaubert_FS.avi HTTP/1.1" 206 198600 "http://www.skatingvideoclips.com/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
Netstat showed that IP many times, so it wasn't their computer downloading a video a bit at a time. It looked more like they were downloading the same video a high number of times at once. There are about 400 videos there, so it wasn't 50 different people with the same OS and same gateway downloading the same video at the same time.
That IP is from Malaysia.
The host is: 33.105.50.60.klj03-home.tm.net.my and is probably from MY (MALAYSIA)
Most of the high-count IPs have been from Malaysia, Taiwan, Poland, Japan and China.
When the server first started having high load trouble, I found the high number of connections to one file and renamed the file. Then, minutes later, the same IP would have a high number of connections to a different file. Then I blocked the IP from that site, and minutes later the same file was being accessed a high number of times from a different IP. I wrote a little script to block IPs from that site automatically; then the IP would just keep changing and show as being from different countries. The script would just block access to the one site, which meant giving a 403 page each time. Next thing I knew, the volume was climbing and they were just getting the 403 page 100 times a second. Definitely looked to me like someone was trying to crash the server, so I had to look into blocking them from the whole server.
Since I started running my auto iptables script a week ago, the server load has pretty much quit spiking.
The odds of many people from one company on the same router going to a site at the same time are quite slim, but later on I can adjust my script to check the log files to see if the IPs are all accessing the same file and using the same browser, which would help prevent them from being blocked.
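
The log check described in the last paragraph above, as an added example that is not part of the original post or the poster's script: it groups combined-format access-log lines by IP, requested file and User-Agent, and flags an IP only when one such combination repeats `threshold` times within `window_seconds`, so a shared gateway whose users fetch different files with different browsers is left alone. The function names, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, the same layout as the quoted log lines.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # skip lines that are not in combined format
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flag_ips(lines, window_seconds=15, threshold=5):
    """Return {ip: (path, ua, hits)} for IPs whose requests for one file with
    one User-Agent reach `threshold` inside any `window_seconds` span."""
    buckets = defaultdict(list)  # (ip, path, ua) -> request timestamps
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET":
            buckets[(rec["ip"], rec["path"], rec["ua"])].append(rec["ts"])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for (ip, path, ua), stamps in buckets.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold and best > flagged.get(ip, ("", "", 0))[2]:
            flagged[ip] = (path, ua, best)
    return flagged

# Constructed sample input: documentation-range IPs, made-up paths and agents.
def _line(ip, sec, path, ua):
    return (f'{ip} - - [18/Nov/2008:08:45:{sec:02d} -0500] "GET {path} HTTP/1.1" '
            f'206 100000 "-" "{ua}"')

SAMPLE = (
    [_line("203.0.113.7", s, "/uploads/1/a.avi", "UA-one") for s in (4, 6, 13, 14, 17, 17, 17)]
    + [_line("198.51.100.9", s, f"/uploads/1/{n}.avi", f"UA-{n}")
       for s, n in ((4, "b"), (5, "c"), (6, "d"), (7, "e"), (8, "f"))]
)
```

Calling `flag_ips(SAMPLE)` flags only the first address; the second makes five requests in the same few seconds but for five different files with five different agents, so it stays below the threshold.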