cp2 has used 1TB since JANUARY 17th.
cp4 has used 500GB since JANUARY 4th.

If this has increased traffic, it’s coming from the Americas. If it’s abuse, it’s also coming from the Americas.

Let's retrieve some Varnish Traffic graphs, jan. 20, 2019 23:24:34 to jan. 21, 2019 17:58:02.

cp2:

                 max        avg          total
frontend  2.567 MiB	263 KiB	     282.282 MiB
backend  1.460 MiB	189 KiB	      202.572 MiB

cp4:

                 max        avg          total
frontend  1.55 MiB	  163 KiB	174.79 MiB
backend  6.30 MiB	  122 KiB	130.60 MiB

Based on this graph, cp2's bandwidth usage is approximately 58.6% higher. The actual number in 'vnstat -d -i venet0' actually fluctuates very much (between 21 and 84% higher for a given day), but John's comment seems just about right. cp2 is serving way more traffic than any other cache proxy.

@Paladox pointed out that requests in the cp2 access log with User-Agent 'SemrushBot' popped up quite frequently. I did an investigation on this and could confirm SemrushBot has been responsible for 20% or more of all requests recorded in the access log between 18/Jan/2019:05:43:16 +0000 and 21/Jan/2019:05:43:16 +0000.

It is possible this bot contributed to the suspension of those servers. I have banned this bot for life now, so if traffic usage per day drops considerably now, we know who was responsible.