Starlink ISP odd visit - tripped bot trap

Bewenched

5:06 pm on Apr 10, 2025 (gmt 0)

Had a few odd visits that originated from the Starlink ISP, but they tripped one of my bot traps:
98.97.xx.xxx
98.97.42.160
98.97.40.144

98.97.33.67 (United States) | 4/10/2025 3:44:45 AM | /images/Ram3500/ram_logo_1.jpg | 7.72 KB | 1.73 KB | 200 - OK | GET | https://www.example.com/ | Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Mobile Safari/537.36

Looks like a normal user, but wasn't if it tripped this one file.

Jonesy

3:19 pm on Apr 12, 2025 (gmt 0)

Recently I've been getting an increased volume of cracker visits from "SpaceX Services" CIDRs to my VPS.
And, yes, 98.97.0.0/17 is one I now have blocked in my pf.

lucy24

4:17 pm on Apr 12, 2025 (gmt 0)

If you can do so without impairing your site security: How did it get flagged as a bot? I find the occasional visit from this range in logs, and most appear to be fully human.

SumGuy

12:16 am on Apr 13, 2025 (gmt 0)

I've seen bot activity from SpaceX IPs for more than a year. Not a lot, somewhere between once a week and once a month.

Bewenched

3:13 pm on Apr 30, 2025 (gmt 0)

Lucy,
I have a hidden link on a page that has a NOINDEX meta tag on it. Humans can see the page just fine, but in the footer there's a hidden link that bots inevitably follow.

SumGuy

11:57 pm on May 18, 2025 (gmt 0)

I had an interesting sequence of hits today involving a Starlink IP.

At 9:12:15 a request for my site's contact page comes from 129.222.158.156. This request comes in on port 80 (so it's HTTP). Anything that comes in on port 80 gets a 301 response code with a redirection to HTTPS. The UA is Go-http-client/1.1. This is a Starlink IP; judging by the host name it looks like Minneapolis, MN. Do I next see a hit from that same IP, using HTTPS, asking for my contact page? No.

At 9:12:16 a request comes in, on port 443 (so HTTPS), but this time the IP is 74.12.138.225. The UA is also Go-http-client/1.1. On my HTTPS server this triggers my robot response (URL rewrite). It gets the "I think you're a robot" HTML file, not the file it's asking for.

At 9:12:17, another request comes in on HTTP, from 107.171.144.62, again asking for my contact page. Same thing - it gets a 301 redirect. UA is again Go-http-client/1.1.

At 9:12:19, a request comes in on HTTPS from 64.180.168.123, UA is Go-http-client/1.1, it gets "you're a bot" page.

At 9:12:20, same thing. HTTP request for contact page from 198.52.56.194, response code 301. UA is still Go client.

At 9:12:21 this pattern ends, an HTTPS request from 24.78.46.128 results in the robot-page response, UA is still Go client.

Spur identifies all the IPs involved as being proxies. But get this - the Starlink IP is associated with 14 different proxies! One is ID'd as malware, another as Data-Center, the rest as residential. All the other IPs are associated with between 1 and 3 proxy networks.

Quite the coordination going on here to try to access a particular page on my site. But from whom, and why?
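Added detection example (not from SumGuy's post, nor from any tool mentioned in the thread): a Python script that runs over a constructed log sample shaped like the sequence above and flags one page being fetched by one UA from several distinct IPs within a few seconds, across both the HTTP and HTTPS ports; it also lists IPs that requested the hidden trap link Bewenched described earlier in the thread. The log format, the page paths /contact and /trap-link, and the 10-second window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real server log): "ip timestamp port path status user-agent".
# The first six lines mirror the sequence described in the post; the paths are assumed.
SAMPLE_LOG = """\
129.222.158.156 2025-05-18T09:12:15 80 /contact 301 Go-http-client/1.1
74.12.138.225 2025-05-18T09:12:16 443 /contact 200 Go-http-client/1.1
107.171.144.62 2025-05-18T09:12:17 80 /contact 301 Go-http-client/1.1
64.180.168.123 2025-05-18T09:12:19 443 /contact 200 Go-http-client/1.1
198.52.56.194 2025-05-18T09:12:20 80 /contact 301 Go-http-client/1.1
24.78.46.128 2025-05-18T09:12:21 443 /contact 200 Go-http-client/1.1
203.0.113.7 2025-05-18T09:30:02 443 /about 200 Mozilla/5.0
203.0.113.7 2025-05-18T09:30:05 443 /about 200 Mozilla/5.0
198.51.100.9 2025-05-18T10:01:00 443 /trap-link 200 Mozilla/5.0
"""

TRAP_PATH = "/trap-link"  # hidden footer link on a NOINDEX page (assumed name)

def parse_log(text):
    """Parse the whitespace-separated sample format; the UA is everything after the status."""
    events = []
    for line in text.splitlines():
        ip, ts, port, path, status, ua = line.split(maxsplit=5)
        events.append({"ip": ip, "time": datetime.fromisoformat(ts), "port": int(port),
                       "path": path, "status": int(status), "ua": ua})
    return events

def distributed_fetches(events, window=timedelta(seconds=10), min_ips=3):
    """Flag (path, UA) pairs requested by >= min_ips distinct IPs inside one time window.
    Several IPs sharing a UA and target within seconds is the proxy-rotation pattern from
    the post; a single IP retrying the same page (the /about lines) is not flagged."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_key[(e["path"], e["ua"])].append(e)
    findings = []
    for (path, ua), hits in by_key.items():
        for i, first in enumerate(hits):
            win = [h for h in hits[i:] if h["time"] - first["time"] <= window]
            ips = {h["ip"] for h in win}
            if len(ips) >= min_ips:
                findings.append({"path": path, "ua": ua, "ips": sorted(ips),
                                 "ports": sorted({h["port"] for h in win})})
                break  # one finding per (path, UA) cluster is enough
    return findings

def trap_hits(events, trap_path=TRAP_PATH):
    """IPs that followed the hidden link: humans never see it, so any hit is a bot signal."""
    return sorted({e["ip"] for e in events if e["path"] == trap_path})

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in distributed_fetches(evs):
        print("distributed fetch:", f)
    print("trap hits:", trap_hits(evs))
```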

lucy24

6:15 am on May 19, 2025 (gmt 0)

Inquiring minds want to know: why does Go-http-client get anything other than a resounding 403?!

<tangent>
It's been a while since I saw a really distinctive botnet pattern, but over the last few days I’ve been seeing this, all on HTTPS:

--request for / root, redirected (meaning they got the www wrong)
--request for / root, same IP and UA
--request for some random interior page, same IP and UA, giving / as referer (which generally gets them a 403)
and then
one or two further requests for that same interior page from a different IP--generally some colo or other, but not all the same company--and different humanoid UA, now with some random outside referer--some of which yield an automatic 403, mwa ha. If more than one, the IP/UA/referer are different each time.

I took a closer look at headers and found a means to block them all, so from here on they will be out of sight out of mind. But I am always interested in botnet patterns.
</tangent>