@Byte Not really, no, because the request arrives through HTTPS. I can't then pretend not to speak it.
I mean, the way they even discover a host exists is through certificate transparency logs. It would be weird not to support https then.
That, and a large part of the detection relies on the request arriving over HTTPS: the sec-fetch-mode header is not sent over plain HTTP, and that's a key indicator.
@Byte The solution here is to catch requests that hit a poisoned URL, and firewall the IP off for a week.
I still have to handle one request per IP, but that's ~10 less than otherwise, which helps keep the load down. They have a lot of addresses, but not infinite.
When I firewalled them off in early december, I ended up with ~400k IPv4 addresses and about 20k IPv6 addresses (collected over ~5 days), and virtually no bot traffic (~5 req/sec or so?).
@algernon I see. Does firewalling here mean serving them iocaine, or just regular blocking?
