For the last 1-2 weeks we had a lot of attacks against our forum urls, making them slow (17-30 ms per page).
With the help of @maximus the issue was totally resolved.
The issue came from tremendous hits from ColoCrossing Proxies (and a few others), trying to login/register, targetting a specific forum topic. Not sure how and why this happened.
Those are the offending IP ranges from ColoCrossing:
CIDR -- Starting IP - Ending IP
135.181.0.0/16 | 135.181.0.0 | 135.181.255.255 |
23.94.0.0/15 | 23.94.0.0 | 23.95.255.255 | |
192.3.0.0/16 | 192.3.0.0 | 192.3.255.255 | |
107.172.0.0/14 | 107.172.0.0 | 107.175.255.255 | |
198.46.128.0/17 | 198.46.128.0 | 198.46.255.255 | |
198.144.176.0/20 | 198.144.176.0 | 198.144.191.255 | |
172.245.0.0/16 | 172.245.0.0 | 172.245.255.255 | |
192.210.128.0/17 | 192.210.128.0 | 192.210.255.255 | |
198.12.64.0/18 | 198.12.64.0 | 198.12.127.255 | |
104.168.0.0/17 | 104.168.0.0 | 104.168.127.255 | |
192.227.128.0/17 | 192.227.128.0 | 192.227.255.255 | |
45.66.230.0/24 | 45.66.230.0 | 45.66.230.255 | |
198.23.168.0/22 | 198.23.168.0 | 198.23.171.255 | |
199.188.102.0/24 | 199.188.102.0 | 199.188.102.255 |
198.23.214.0/24 | 198.23.214.0 | 198.23.214.255 |
23.229.104.0/23 | 23.229.104.0 | 23.229.105.255 |
I can tell you how this happened, since all hits were at the same forum url. Someone bookmarked that topic and posted it in some SEO crap companies.
That proxy attack is not only from ColoCrossing. Just finished checking your logs and it is 80% from Colocrossing but also from LeaseWeb, Host Royal, Inter Connects, IPXO and a few others.
All of them host whatever it comes along and their ASNs must be totally blocked. Along with some legitimate users, since this is the only way to reduce their business income.
We have "laws" for GDPR and Cookies but real CRIMINALS are free to attack the whole Internet.