Even after limiting the POST requests to the short response, the server's throughput was still being flooded. I changed the server's firewall and prohibited the connections of any kind from 15 countries, including China, India, and Russia; I'll probably change this back before too long, as I'm sure there are some legitimate visitors from those countries, right?

The traffic has dropped to around 4KB/s, which while a lot less than the 400KB/s before, is still crazy. This time, though, it's just the Western world. The random selection of IPs from the log have switched now to the US, UK, France, Canada, and other European countries. Unless I want to drop off of the Internet, I can't block them, too.

I've since  changed the GET requests on the virtual server to return a similarly short "maintenance" page, which has helped reduce the traffic, but still results in tens of hits per second. I've also changed the Apache config to only allow a very small number of requests per connection, with a very small time-out, in hopes that the latency in establishing the connection (especially from Europe) might provide some network relief.

Looking at the count of IP addresses involved, there's still like 10,000 uniqe addresses in the last couple days. Seems each makes an average of about 30 requests to get the 300K hits so far this month. I suppose I could block each of the ones hitting the POST; it doesn't seem any of them are using the site legitimately.

I'm not sure what to do next, other than possibly divert the traffic to a different server. That won't make it stop, but at least it would reduce the impact on the other sites the server hosts, and free network and other resources for the other things it needs to do.

But, man, there sure are a lot of bots out there!