handling attacks

4 months ago

hey, what's the best way to handle attacks on the website? Only rate-limit the app, or does something on Cloudflare or Railway provide something to handle this?

14 Replies

This is probably just a bot trying to scrape for any vulnerabilities.

You can usually prevent this by using Cloudflare as your DNS provider, then enabling their security features such as bot fight mode and browser integrity checks.


4 months ago

Cloudflare is being really slow to catch DDoS and bots.


4 months ago

I use it and activated everything; it took 800 requests in a second from the same source. It was disabled by Railway for max memory usage, but Cloudflare didn't stop it.


4 months ago

Is your service an API or website? For a website, you could enable the "I'm under attack" mode from Cloudflare, and that will basically show a captcha to everyone before accessing your website.


4 months ago

Website. Is there a way to automatically switch that? My usage is being spent only on those bots, but I didn't want to add this captcha.


4 months ago

Cloudflare does not offer an automatic option afaik

but you can always leave it enabled https://developers.cloudflare.com/fundamentals/reference/under-attack-mode/ or filter by specific patterns (like the .zip path you're experiencing).


You can create a custom security rule to block all requests that try to hit the *.zip route in Cloudflare domain security rules.
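As an added illustration of the path-based rule above (example code written for this thread, not from Railway, Cloudflare, or any poster), the script below runs the same ".zip" and WordPress-path filter over constructed access-log lines and also flags a source exceeding a per-second request rate, the kind of check the original poster could run in their own monitoring. The log format and sample IPs are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log (not real traffic from the thread).
# Assumed format: "<timestamp> <client_ip> <method> <path> <status>"
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.7 GET /backup.zip 404
2024-05-01T10:00:00Z 203.0.113.7 GET /wp-login.php 404
2024-05-01T10:00:00Z 203.0.113.7 GET /site.zip 404
2024-05-01T10:00:00Z 203.0.113.7 GET /wp-admin/ 404
2024-05-01T10:00:01Z 198.51.100.4 GET / 200
2024-05-01T10:00:01Z 198.51.100.4 GET /about 200
2024-05-01T10:00:01Z 203.0.113.7 GET /www.zip 404
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Paths no legitimate visitor of this site requests: the .zip and WordPress
# probes the thread describes. A Cloudflare custom rule expressing the same
# filter would look like:
#   (http.request.uri.path contains ".zip") or (http.request.uri.path contains "/wp-")
PROBE_PATTERNS = [re.compile(r"\.zip$", re.I), re.compile(r"^/wp-", re.I)]

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "path": path, "status": int(status)}

def is_probe(path):
    """True if the path matches one of the blocked probe patterns."""
    return any(p.search(path) for p in PROBE_PATTERNS)

def analyze(log_text, rate_limit_per_second=5):
    """Return (probe hits per IP, IPs that exceeded the per-second limit)."""
    probes = defaultdict(int)
    per_second = defaultdict(int)  # (ip, timestamp second) -> request count
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if is_probe(rec["path"]):
            probes[rec["ip"]] += 1
        per_second[(rec["ip"], rec["ts"])] += 1
    flooding = sorted({ip for (ip, _), n in per_second.items() if n > rate_limit_per_second})
    return dict(probes), flooding

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, rate_limit_per_second=3))
```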



4 months ago

Added both WordPress and .zip paths too. I really appreciate the time to help me out @pepper and @ThallesComH

Any plans for Railway to support some kind of protection from within the dashboard?


4 months ago

No plans that I know of for built-in DDoS protection; even Railway employees recommend using Cloudflare for now.


4 months ago

Also, I still would recommend activating the "I'm under attack" mode, as those bots will come back at some point with a newer way of bypassing your simple firewall rule. Rule of thumb is: activate it when under attack and deactivate when the script kiddies get bored. If the pattern is simple enough, then proceed with a WAF rule like pepper suggested.

Also, I don't know how your website works but "I'm under attack" might cause some issues, here's a cool video by Jeff Geerling on how he handled it: . Might be useful to you.


4 months ago

Just finished watching the video, thanks for the recommendation. I'm adding some monitoring tools to help me understand those attacks better.


4 months ago

btw, this was since yesterday; I didn't even publish the website URL publicly yet.



4 months ago

Yeah, those people are peak unemployment unfortunately

