I’m able to block the bot by IP and so far it worked.
The user-agent used was a “legit” Mozilla browser user agent.
“Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0”
so it does a decent job of trying to look like a legit request.
The bot hit our images page, following a URL pattern /image/id.
After we blocked his IP, a few hours ago now, he changed his behavior and tried to hit our image CDN directly using a Python user agent… But he is still using the same IP, and the CDN is also behind Cloudflare, so he is still blocked.
However, since it looks like the bot is custom and specifically targets our website, I think it’s a matter of time before the hacker uses a serverless architecture.
I’ve looked into rate limiting and I think it will be the solution if it comes to that…
Do you know if we can limit that feature to a specific URL pattern?
Thanks again @dmz for your help and advice.
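As an added illustration of the per-URL-pattern rate limit the post asks about (example code, not from the post or from Cloudflare): this script scans constructed web-server log lines, counts only requests matching the /image/id pattern per client IP, and reports IPs that exceed a threshold in a sliding window, together with the User-Agents they used (so the switch from the Firefox UA to a python UA shows up). The IPs, the python UA version and the threshold values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip - - [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
IMAGE_PATH = re.compile(r"^/image/\d+$")  # the /image/id pattern from the post

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def exceeds_rate(timestamps, window_s, max_hits):
    """True if more than max_hits requests fall inside any window_s-second span."""
    ts = sorted(timestamps)
    start = 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window_s:
            start += 1
        if end - start + 1 > max_hits:
            return True
    return False

def find_offenders(log_text, path_re=IMAGE_PATH, window_s=60, max_hits=5):
    """Return {ip: sorted User-Agents} for IPs over the limit on matching paths only."""
    hits, agents = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not path_re.match(rec["path"]):
            continue  # other paths never count toward this limit
        hits[rec["ip"]].append(rec["ts"])
        agents[rec["ip"]].add(rec["ua"])
    return {ip: sorted(agents[ip]) for ip, ts in hits.items()
            if exceeds_rate(ts, window_s, max_hits)}

# Constructed sample log (documentation-range IPs): one client hammers /image/<id>,
# first with the Firefox UA from the post, then with a python UA; another client browses normally.
FIREFOX_UA = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0"
PYTHON_UA = "python-requests/2.21.0"  # assumed version string
def _line(ip, sec, path, ua):
    return f'{ip} - - [10/Apr/2019:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, f"/image/{100 + s}", FIREFOX_UA) for s in range(0, 8, 2)]
    + [_line("203.0.113.7", s, f"/image/{100 + s}", PYTHON_UA) for s in range(8, 14, 2)]
    + [_line("203.0.113.7", 20, "/", FIREFOX_UA)]
    + [_line("198.51.100.2", s, f"/image/{200 + s}", FIREFOX_UA) for s in (5, 40)])
```

Running `find_offenders(SAMPLE_LOG)` flags only 203.0.113.7 (7 image hits in 12 seconds) and lists both User-Agents it used, while the two-request visitor and the non-image request are left alone.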