Just so I understand, you decided to protest this pricing not by boycotting the service, or making a public statement about it, but instead by targeting an employee's use of the platform with an attack? I'm sorry, I really don't get why you did this or why you thought it would be effective.
I think whichever PoP india gets served by was very overloaded, resulting in a lot of timeouts, so when wget retries (I set infinite retry attempts), it will do a range request from wherever it left off
sammy811 is claiming responsibility for the small attack on the video platform.
Nobody's claimed responsibility for the main attack, but the answer is probably "mostly Tor + a bunch of open proxies". There's probably easily available databases of those available somewhere?
Tor's exit relays, like all non-bridge relays, are listed publicly [0] (by necessity, that's how the client chooses a circuit). You can see in the screenshot of whatever you're using to monitor by GeoIP that Tor traffic already gets counted separately. Of the request counts visible, it's making up at most ~6% of them, which makes sense -- Tor is a pretty poor platform to launch a DDoS from, since the relays are already decently saturated, and you're eating the cost from the circuit building (negligible in the normal web browsing case, but quickly adds up when you're trying to create as many TCP streams as you can).
