We are hit by hundreds of requests every minute to URLs that do not exist, for example:
domain.com/c.php
domain.com/conn.php
etc.
The requests come from a wide list of IP addresses and countries, so there is no easy way to blacklist them. The only option that we didn’t try is WAF that requiries a PRO account. Can we be guaranteed that these basic attacks will be blocked by WAF? If not, what would you suggest to defend such attacks?