admin wrote:
Let the Hunter Games... begin!
It only took *4 hours* to get the booby trap to stop the botnet!
I guess the MCP (Master Control Program) didn't like seeing all the compromised hosts crashing or not responding anymore after a reboot.
Idea was provided here:
https://idiallo.com/blog/zipbomb-protection
If a bot is detected: don't serve the normal page or block it... but offer a 10MB gzip-compressed file filled with only zeros that decompresses to 10GB.
Small hosts like phones, IoT devices, internet boxes don't have that much memory and -- if there is no counter-measure to avoid crashes -- will try to extract 10GB of zeros to their own demise.
Only took 4 hours to stop the flood. Served over 45GB of this 10MB payload, that potentially decompressed for them into 45 petabytes of memory.
Either most of them crashed... or whoever controls the botnet decided that it was not worth wasting so many compromised hosts on us.
Hopefully I've been blacklisted as a target for now!
Julien
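
The post turns on clients that inflate a gzip body with no counter-measure. As an added example (not part of the original post), this Python sketch shows that counter-measure for any client that fetches untrusted responses: a gzip reader that stops at a fixed output cap. The function name, the 1 MiB cap and the sample data are assumptions of this example.

```python
import gzip
import io
import zlib


class DecompressionLimitExceeded(Exception):
    """The gzip body expanded past the configured output cap."""


def bounded_gunzip(stream, max_output=1 << 20, chunk_size=16 * 1024):
    """Inflate a gzip stream, refusing to hold more than max_output bytes."""
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+: gzip framing
    out = bytearray()
    while not inflater.eof:
        data = stream.read(chunk_size)
        if not data:
            raise ValueError("truncated gzip stream")
        while data and not inflater.eof:
            # Ask for one byte more than the remaining budget so that an
            # overflow is detected without inflating the rest of the body.
            budget = max_output - len(out)
            out += inflater.decompress(data, budget + 1)
            if len(out) > max_output:
                raise DecompressionLimitExceeded(
                    f"output exceeds {max_output} bytes; body discarded")
            data = inflater.unconsumed_tail
    return bytes(out)


if __name__ == "__main__":
    # Constructed samples: an ordinary body, and 8 MiB of zeros that gzip
    # shrinks to a few KiB (roughly the ratio of the post's 10MB -> 10GB file).
    page = gzip.compress(b"<html>ok</html>")
    zeros = gzip.compress(b"\0" * (8 << 20))
    print(len(zeros), "compressed bytes")
    print(bounded_gunzip(io.BytesIO(page)))
    try:
        bounded_gunzip(io.BytesIO(zeros))
    except DecompressionLimitExceeded as exc:
        print("rejected:", exc)
```

Memory use stays bounded by `max_output` plus one chunk, because the inflater is never asked for more than one byte past the cap.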