@Codeberg Sorry to hear about your troubles. In this post I'll try to explain how I handled a similar situation, albeit at a much smaller scale.

This is about me and my problems hosting Emacs Wiki. In the last two months, it must have ended up on some sort of list. The "attack" usually starts around Friday, driving up load to nearly 40 on my tiny VPS. At first, the only solution I had was to shut down the virtual host.

Eventually, I identified a URL pattern that humans are very unlikely to use and when this "attack" starts I scan the access log for that pattern, take the IP number and then I ban the whole range (!) at the firewall. The idea being that these attacks are not from residential networks and therefore they are safe to ban (for me).

For documentation purposes I also run whois for every rule just so that I know who's doing this.

This is a script that sets up the firewall rules and implements all the bans, with comments from WHOIS, so you can get an idea:
https://alexschroeder.ch/admin/ban-cidr

This is the lookup script I use these days. I effectively only care about the ipset commands it prints and append these to the ban-cidr script listed above.
https://alexschroeder.ch/admin/network-lookup

And here are two blog posts about me discovering what was happening. This one has long lists of examples as I was trying to figure out what was happening.
https://alexschroeder.ch/view/2024-09-15-emacs-china

And this is me two months later, still complaining, but also documenting the script setup I use:
https://alexschroeder.ch/view/2024-11-25-emacs-china
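
The workflow described in this post (match the trap URL in the access log, map each client to its network range, emit ipset bans), sketched as an added example that is not part of the original post and is not the author's scripts. The trap pattern, the table standing in for WHOIS results, the allowlist, the hit threshold and the set names `banlist4`/`banlist6` are assumptions; all addresses and log lines are constructed from documentation ranges.

```python
import ipaddress
import re
from collections import Counter

# Assumption: placeholder for the URL pattern humans are unlikely to request.
TRAP = re.compile(r"[?&]action=example-trap\b")
# Common/combined log format: client address first, request target in quotes.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)')
# Constructed stand-in for WHOIS results (documentation address space only).
WHOIS_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:40::/48")]
# Constructed allowlist: networks that must never be banned, e.g. your own.
ALLOW = [ipaddress.ip_network("192.0.2.0/24")]


def enclosing_range(ip):
    """Return the known range containing ip, or the single address if none does."""
    return next((n for n in WHOIS_RANGES if ip in n), ipaddress.ip_network(str(ip)))


def ban_commands(lines, min_hits=2, setname="banlist"):
    """Return ipset commands for ranges with at least min_hits trap requests."""
    hits = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not TRAP.search(m.group(2)):
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # client field is not an IP address
        if not any(ip in a for a in ALLOW):
            # Count per range so rotating addresses inside one range still add up.
            hits[enclosing_range(ip)] += 1
    banned = sorted((n for n, c in hits.items() if c >= min_hits),
                    key=lambda n: (n.version, n))
    # ipset sets are per address family; banlist4/banlist6 are hypothetical names.
    return [f"ipset add {setname}{n.version} {n}" for n in banned]


def _line(ip, path):
    """Build one constructed access log line."""
    return f'{ip} - - [15/Sep/2024:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512 "-" "x"'


SAMPLE = [_line(ip, "/wiki?action=example-trap&id=A") for ip in (
    "198.51.100.7", "198.51.100.200", "203.0.113.5", "192.0.2.10", "192.0.2.10",
    "2001:db8:40::1", "2001:db8:40:1::2")] + [_line("198.51.100.9", "/wiki/HomePage")]

if __name__ == "__main__":
    print("\n".join(ban_commands(SAMPLE)))
```

Counting hits per range rather than per address means a single stray request from an unknown address stays below the threshold, while a crawler spread across one range is still caught.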