
Possibly small-scale DDoS Attack

How do I tell?

         

dataguy

11:37 pm on Jul 5, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm not sure where the best place to post this would be, mods please move if there is a better place.

For the past 12 hours my site has been experiencing hits from about 50 IPs at a time, about 200 hits per second, all using the same user agent string.

I don't know for sure if this is supposed to be a small DDoS attack or a large scraper bot attack.

Most of the IPs belong to 3 different U.S. ISPs. I've already emailed those ISPs with my info.

Any advice on how to proceed?

Staffa

12:08 am on Jul 6, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Have you blocked the user agent and the IPs from entering your site yet?

If you are on a shared server, have you contacted your host to block the IPs in the firewall?

dataguy

12:17 am on Jul 6, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have my own servers co-located at a datacenter. I've blocked the user agent at the server level, and after blocking a few thousand IPs I gave up. Fortunately at this point all I need to do is block the user agent. Can't imagine what it's doing to my bandwidth, though. The datacenter IT guys don't know anything about attacks (they normally only handle medical billing apps).

Normally I serve a bogus page to the blocked bots, so they don't realize they are blocked. I'm wondering if I'm doing the wrong thing this time, though.

Would 200-300 hits per second qualify as a DDoS, or would you think it's more likely a scraper attack? The same URLs are hit more than once, but since I blocked the attack I can't count the number of hits except when I temporarily unblock them.

Staffa

12:41 am on Jul 6, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Normally I serve a bogus page to the blocked bots, so they don't realize they are blocked.

This is of course my personal view and certainly not meant as a guideline, but if the bot is blocked I do let them know, either they get the door slammed in their face or the worst offenders are redirected to their own home. Again, personally, I have no patience with anything that comes around without bringing any benefit to my sites. Only good bots and human visitors are more than welcome ;o)

I have never been scraped so I don't know if this is a DDoS attack or scrapers, but the number of pages fetched seems to be mighty high and again, in my view, worthy of drastic measures.

g1smd

10:53 pm on Jul 6, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Serve the smallest "page" possible, and there will be little impact on your bandwidth. You can toy with them, and send "Error 500 Internal Server Error" if you want. There's a whole range of HTTP status codes available. Pick one.

walkman

11:05 pm on Jul 6, 2011 (gmt 0)



dataguy, when it happened to me (one person but dozens a second) I changed the /home/www to /home/www0 until I could telnet to block it via iptables. Maybe giving a 404 would be best, since your site is dead anyway.

dataguy

1:33 pm on Jul 27, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Three weeks later, and the attack continues at the same rate. I've taken the above advice and I'm serving a tiny page with a 404 header. Really, I doubt that anyone on my site notices that it's going on. I'm the only customer my co-location host has, so I have a ton of bandwidth available; I think that helps.

I've heard back from 1 of the 3 ISPs, and that one response was a form letter asking for my server logs, which I had already sent them. I don't understand how an ISP can let this type of thing go on through their own network. I guess it's in the name of 'customer service' that they don't block the bots.
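
An added example, not part of the thread: one way to get the figures the opening post asks about (hits, distinct IPs, peak hits per second and how often the same URLs repeat, grouped by user agent) from an access log. It assumes the Apache/nginx "combined" log format, which the thread does not confirm; the sample lines and the `ExampleBot/1.0` agent are constructed, and reading a high repeat ratio as flood-like rather than crawl-like is a rule of thumb, not a definitive test.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format (assumed; the thread does not name the server).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:\S+) (?P<url>\S+)[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def summarize(lines):
    """Group hits by user agent and report the figures discussed in the thread."""
    stats = defaultdict(lambda: {"ips": set(), "urls": Counter(), "per_sec": Counter()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        s = stats[m["ua"]]
        s["ips"].add(m["ip"])
        s["urls"][m["url"]] += 1
        s["per_sec"][m["ts"]] += 1  # log timestamps have one-second resolution
    report = {}
    for ua, s in stats.items():
        hits = sum(s["urls"].values())
        report[ua] = {
            "hits": hits,
            "distinct_ips": len(s["ips"]),
            "peak_per_sec": max(s["per_sec"].values()),
            "distinct_urls": len(s["urls"]),
            # Rule of thumb (assumption): near 1.0 each URL is fetched once,
            # much higher means the same few URLs are requested repeatedly.
            "repeat_ratio": round(hits / len(s["urls"]), 2),
        }
    return report

def constructed_sample():
    """Constructed log lines: one agent repeating 2 URLs from 5 IPs, plus one browser."""
    bot = [f'203.0.113.{i % 5} - - [05/Jul/2011:23:37:0{i // 10} +0000] '
           f'"GET /page{i % 2} HTTP/1.1" 200 512 "-" "ExampleBot/1.0"' for i in range(20)]
    web = [f'198.51.100.7 - - [05/Jul/2011:23:37:0{i} +0000] '
           f'"GET /article/{i} HTTP/1.1" 200 9000 "-" "Mozilla/5.0"' for i in range(3)]
    return bot + web

if __name__ == "__main__":
    for ua, r in sorted(summarize(constructed_sample()).items(), key=lambda kv: -kv[1]["hits"]):
        print(ua, r)
```

Run against a log window captured before the block went in (or during a brief unblock), the per-agent rows show whether one user agent accounts for the load and how concentrated its requests are.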