[embedding-shape]

2 unique IPs or 200,000 shouldn't make a difference, ban the ones that make too many requests automatically and you basically don't have to do anything.

Are people not using fail2ban and similar at all anymore? Used to be standard practice until I guess before people started using PaaS instead and "running web applications" became a different role than "developing web applications".

[nijave]

It makes a difference if there's 143,000 unique IPs and 286,000 requests. I think that's what the parent post is saying (lots of requests but also not very many per IP since there's also lots of IPs)

Even harder with IPv6 considering things like privacy extensions where the IPs intentionally and automatically rotate

[kstrauser]

Yes, this is correct. I’d get at most 2 hits from an IP, spaced minutes apart.

I went as far as blocking every AS that fetched a tripwire URL, but ended up blocking a huge chunk of the Internet, to the point that I asked myself whether it’d be easier to allowlist IPs, which is a horrid way to run a website.

But I did block IPv6 addresses as /48 networks, figuring that was a reasonable prefixlen for an individual attacker.