Yeah its a botnet. Check the ip range. So many people within the same IP range is no circumstance, but rather a targeted attack.
I can talk books about this. Its happening currently to a lot of ecommerce sites too.
I am using https://github.com/mitchellkrogza/nginx ... ot-blocker
- this is my golden trick.
“The Ultimate Nginx Bad Bot, User-Agent, Spam Referrer Blocker, Adware, Malware and Ransomware Blocker, Clickjacking Blocker, Click Re-Directing Blocker, SEO Companies and Bad IP Blocker with Anti DDOS System, Nginx Rate Limiting and Wordpress Theme Detector Blocking. Stop and Block all kinds of bad internet traffic even Fake Googlebots from ever reaching your web sites.”
Its a dynamic, automatically updating user-agent tracker and bad-ip-tracker. Its production ready.
The blacklist is very nice, no false-positives. The list updates automatically every 5 minutes.
You can then use this blacklist to prevent the botnet to actually connecting to your webserver at all (e.g. fail2ban the ips and ban the user-agents prio connecting to your webserver), this is the only way to prevent they actually use up your ressources.
There is an apache modul doing the same also available.
Fighting botnets you can only do correctly with good threat intelligence lists, since the ips and users-agents may change very quickly, dynamically. So static protections like GeoIP or fixed user-agent strings will not last very long, until the next change. So you need to fight this with an automatic system too.
Doing this for hobby, no expert