Tinkerisk:
@freitasm What surprises me is why they started up so suddenly. Can you tell if this is happening in a coordinated way?
I first noticed this behaviour about six months ago. Initially it came as a wave of requests from Asia, mainly Hong Kong, Vietnam and Singapore. When I put in captchas for Asia only, the traffic moved from there to South America, including Chile, Brazil and Argentina. And when I put barriers to these accesses, it moved to New Zealand. I put some captchas back then, and when the traffic disappeared, I removed them.
This has happened twice since then, with the last wave coming last week.
The requests are mainly for specific pages, repeatedly, from hundreds or thousands of different IP addresses, but concentrated in a few residential ISPs. The pages are always the same, about ten different ones, so it's not like a bot crawling the site to scrape content. It's purely an attempt to overload, like a DDoS.
The initial volume did not cause problems until that big spike in the chart.
It looks orchestrated in nature, and it could well be trying to hide smaller malicious traffic in the middle of the thousands of requests.
Because it happens from consumer ISPs and with such a variety of IPs, I think this is using a botnet made of devices, as described before. The cost per compromised IP in Asia is a lot cheaper than in South America, and many times cheaper than in New Zealand, so it follows the logic of moving the source region when I put barriers.
I won't disclose what other measures we have in place, but I'm well aware that while our site is not high value, having user accounts means bad actors can always try to use our login to validate leaked authentication data from other sites, or try to exfiltrate data, hoping some people use the same password in other places.
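The pattern described in the reply above (a handful of pages requested over and over from hundreds of distinct IPs that cluster in a few residential ISPs) can be picked out of ordinary web access logs with a small grouping pass. The script below is an added example, not code from the thread or from either participant: it parses Combined-Log-Format lines, maps each source IP to an ISP label through a constructed prefix table that stands in for a real ASN/GeoIP lookup, and flags any path with many requests, many distinct IPs, and a single ISP accounting for most of the traffic. The log lines, IP ranges, ISP names and thresholds are all invented for the example.

```python
"""Flag URL paths hammered by many distinct IPs that cluster in a few ISPs.

Added example; the prefix table, log lines and thresholds are constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed stand-in for an ASN/GeoIP lookup: prefix -> ISP label.
# A real deployment would query a GeoIP/ASN database instead.
ISP_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "ISP-A (residential)",
    ipaddress.ip_network("198.51.100.0/24"): "ISP-B (residential)",
    ipaddress.ip_network("192.0.2.0/24"): "ISP-C (hosting)",
}

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def isp_for(ip_str):
    """Return the ISP label for an IP, or 'unknown' if no prefix matches."""
    ip = ipaddress.ip_address(ip_str)
    for net, label in ISP_PREFIXES.items():
        if ip in net:
            return label
    return "unknown"


def parse_line(line):
    """Extract (ip, path) from one access-log line; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path")


def find_hammered_paths(lines, min_requests=20, min_distinct_ips=10, top_isp_share=0.8):
    """Return {path: stats} for paths that match the distributed-flood signature:
    enough requests, from enough distinct IPs, with one ISP dominating the sources."""
    count_by_path = Counter()
    ips_by_path = defaultdict(set)
    isps_by_path = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole pass
        ip, path = parsed
        count_by_path[path] += 1
        ips_by_path[path].add(ip)
        isps_by_path[path][isp_for(ip)] += 1

    flagged = {}
    for path, count in count_by_path.items():
        distinct = len(ips_by_path[path])
        top_isp, top_n = isps_by_path[path].most_common(1)[0]
        share = top_n / count
        if count >= min_requests and distinct >= min_distinct_ips and share >= top_isp_share:
            flagged[path] = {
                "requests": count,
                "distinct_ips": distinct,
                "top_isp": top_isp,
                "top_isp_share": round(share, 2),
            }
    return flagged


def build_sample_log():
    """Constructed access-log lines for the example (not real traffic)."""
    ts = "[10/May/2024:10:00:01 +0000]"

    def line(ip, path):
        return f'{ip} - - {ts} "GET {path} HTTP/1.1" 200 5120'

    lines = []
    # 40 distinct IPs from ISP-A plus 5 from ISP-B, all hitting the same topic page
    lines += [line(f"203.0.113.{i}", "/forum/topic/12345") for i in range(1, 41)]
    lines += [line(f"198.51.100.{i}", "/forum/topic/12345") for i in range(1, 6)]
    # one heavy reader: many requests but only two source IPs, so not flagged
    lines += [line("192.0.2.7", "/forum/latest") for _ in range(15)]
    lines += [line("192.0.2.8", "/forum/latest") for _ in range(10)]
    # ordinary low-volume traffic spread across ISPs
    lines += [line("203.0.113.200", "/about"), line("198.51.100.200", "/about"),
              line("192.0.2.200", "/about")]
    return lines


if __name__ == "__main__":
    for path, stats in find_hammered_paths(build_sample_log()).items():
        print(path, stats)
```

The three thresholds are the knobs a defender tunes: a legitimately popular page also gets many requests from many IPs, but those sources are spread across ISPs, so the ISP-concentration test is what separates the flood from normal popularity; a single power user or a misbehaving crawler trips the request count but not the distinct-IP count.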



