I found the same IPs doing the same thing for my server, but one thing I noticed in the access log was that nginx was returning a 499 status code. That code means that the client closed the connection before the server answered the request. So this seems to be a deliberate attack instead of the rash of bots many have been dealing with recently. They just firehose out requests to DoS the server since pagination on services with dynamic data is expensive.
I ended up creating a fail2ban rule to add any IP to my firewall blocklist that makes a bunch of 499 entries.
Edit: I also set a rate limit in nginx for any url that has a “page” query included
I found the same IPs doing the same thing for my server, but one thing I noticed in the access log was that nginx was returning a 499 status code. That code means that the client closed the connection before the server answered the request. So this seems to be a deliberate attack instead of the rash of bots many have been dealing with recently. They just firehose out requests to DoS the server since pagination on services with dynamic data is expensive.
I ended up creating a fail2ban rule to add any IP to my firewall blocklist that makes a bunch of 499 entries.
Edit: I also set a rate limit in nginx for any url that has a “page” query included