Block DDoS effectively

My sites have experienced intermittent DDoS attacks for the past few months, but I am still facing difficulties due to several problems.

1.) The majority of IPs come from Google proxy IPs in the range 64.233.172.0/23, which I suspect are Android phones using Data Saver or Lite mode in the Chrome browser. I used to block that IP range, but it broke my SEO, as I realized they are treated as part of Googlebot and are also among the IPs allowed when I allow known bots to my sites. Blocking individual IPs seems impossible, as phones might come from different Google proxy IPs.

2.) Country blocking is impossible, as most IPs come from the country we serve most.

3.) I tried rate limiting to allow 3 requests per minute to my site, but only a small amount of traffic gets blocked.

I am out of ideas to solve this issue. Any insight or suggestions are welcome.

AFAIK, the IP(s) that Google uses for crawling and the ones they provide to the public should not be the same.
However, did you try UAM mode? If so, did you try to make it stricter by adding a CAPTCHA for all visitors?
If none of these worked, the only "tip" that comes to mind is to switch the DDoS protection to a different provider that focuses on that field and offers you an SLA; be aware that these solutions can be extremely costly.

Apparently those Google-Proxy IPs are not part of the Google crawler/bot IPs, but somehow they get passed by the known-bot firewall rule.

If that's the case you should open a ticket with support and let them know this is happening. It shouldn't.

Meanwhile, you can try leaving the known-bot rule, and place another one under it with the following logic:

IF from IP range 64.233.172.0/23

AND NOT user agent in (list of Googlebot UAs you want to whitelist)

Then… Block/Challenge
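A worked version of that second rule, added here as an example and not code from anyone in the thread. It evaluates "IF source IP in 64.233.172.0/23 AND NOT user agent in the allowlist THEN challenge/block" against a few constructed requests. The allowlist contents, the substring-style match, and the Cloudflare expression quoted in the comment are assumptions; the thread only names the range and the shape of the rule.

```python
import ipaddress
from typing import Iterable, List, Tuple

# The range named in the thread (64.233.172.0 through 64.233.173.255).
GOOGLE_PROXY_RANGE = ipaddress.ip_network("64.233.172.0/23")

# Assumed allowlist of user-agent substrings; the thread leaves the actual
# list to the site owner. Matching is a plain substring test, like a
# "contains" clause in a WAF rule.
GOOGLEBOT_UA_ALLOWLIST = ("Googlebot/", "Googlebot-Image/", "AdsBot-Google")

# Assumed Cloudflare firewall-rule equivalent of decide() below:
#   (ip.src in {64.233.172.0/23} and not http.user_agent contains "Googlebot")


def is_google_proxy(ip: str) -> bool:
    """True when ip falls inside the proxy range; malformed input is not matched."""
    try:
        return ipaddress.ip_address(ip) in GOOGLE_PROXY_RANGE
    except ValueError:
        # Unparseable address: let the remaining rules deal with it.
        return False


def ua_is_allowlisted(user_agent: str) -> bool:
    """True when any allowlisted token appears in the User-Agent header."""
    return any(token in user_agent for token in GOOGLEBOT_UA_ALLOWLIST)


def decide(ip: str, user_agent: str, action: str = "challenge") -> str:
    """Second rule in the chain, evaluated only for traffic the known-bot rule passed.

    Returns `action` ("challenge" or "block") when the rule fires, otherwise
    "allow", meaning the request continues to whatever rules follow.
    """
    if action not in ("challenge", "block"):
        raise ValueError("action must be 'challenge' or 'block'")
    if is_google_proxy(ip) and not ua_is_allowlisted(user_agent):
        return action
    return "allow"


def classify(requests: Iterable[Tuple[str, str]], action: str = "challenge") -> List[Tuple[str, str]]:
    """Apply decide() to (ip, user_agent) pairs, e.g. parsed from an access log."""
    return [(ip, decide(ip, ua, action)) for ip, ua in requests]


# Constructed sample traffic, not captured data.
SAMPLE_REQUESTS = [
    # Inside the proxy range, ordinary Chrome UA: rule fires.
    ("64.233.172.10", "Mozilla/5.0 (Linux; Android 10; SM-A105F) AppleWebKit/537.36 Chrome/96.0 Mobile Safari/537.36"),
    # Last address of the /23, allowlisted Googlebot UA: passes.
    ("64.233.173.254", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"),
    # Adjacent /24 just outside the range: rule does not apply.
    ("64.233.174.1", "Mozilla/5.0 (Linux; Android 10) AppleWebKit/537.36 Chrome/96.0 Mobile Safari/537.36"),
    # Unrelated source: rule does not apply.
    ("203.0.113.7", "curl/7.79.1"),
]

if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE_REQUESTS):
        print(f"{ip:16} {verdict}")
```

The rule keys on the User-Agent header, which any client can set to whatever it likes, so it only separates the proxy's own traffic from self-declared Googlebot traffic; it does not prove that a request is really Googlebot. Google's documented verification is a reverse DNS lookup of the source IP landing in googlebot.com or google.com followed by a forward lookup back to the same IP, or a check against Google's published crawler IP ranges, which is the check to add if spoofed Googlebot UAs start showing up in the logs.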