I'm having an issue where someone is using a VPN / proxy to hammer my server. They will pick on random URL from my website and perform ~20 requests per second to it.
Once I ban the IP address, a few minutes later a new IP address takes it's spot and hammers a different URL.
I'm trying to solve this issue with the following rule set, but it's now working. Could someone let me know what I'm doing wrong?
table <blacklist> persist
block quick from <blacklist>
pass in log on $EXT_IF proto tcp from any to any port 80 \
flags S/SA keep state \
(max-src-conn-rate 10/5, overload <blacklist> flush global)
