Hi,
Lately I get a really high number of HTTP(S) requests from compromised GCP IPs. They mostly come from 34.0.0.0/8, but there are more ranges, including IPv6 ranges. These are available at https://www.gstatic.com/ipranges/cloud.json
What would be the most efficient way to monitor HTTP logs for any request and, if the number of requests exceeds 20/min OR an IP makes 3 bad requests (403, 404) per minute and comes from the GCP IP ranges, block the IP in question?
Or what other solution would be the best in terms of using Crowdsec? I have many scenarios monitoring HTTP but none of them matches the behaviour of these bots. These are like crawlers, using legit-looking UAs (not Google bot).
Currently I get the JSON, process it with jq, then block every single IP range in the firewall, but that does not seem right because there could be legitimate traffic that is being blocked.
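An offline prototype of the detection logic asked for above, added here as an example and not code from the original post or from CrowdSec: it loads a range list in the shape of cloud.json, counts requests and 403/404 responses per source IP in one-minute windows, and reports only the IPs that both belong to a GCP range and exceed one of the two thresholds, instead of blocking the whole range list. The `ipv4Prefix`/`ipv6Prefix` key names, the combined-log-format regex, and the reading of the thresholds as "more than 20 requests" and "at least 3 bad requests" per minute are assumptions; the JSON subset and log lines are constructed. In CrowdSec terms these are the same two conditions you would express as two leaky-bucket scenarios (one counting all HTTP events, one filtering on status 403/404), grouped by source IP and filtered on the GCP ranges.

```python
"""Added example (not from the original post): prototype of the described
detection. Sample JSON and log lines below are constructed."""
import ipaddress
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Thresholds from the question (assumed reading: >20 req/min OR >=3 bad/min).
MAX_REQUESTS_PER_MIN = 20
MAX_BAD_PER_MIN = 3
BAD_STATUSES = {403, 404}

# Constructed subset in the shape of https://www.gstatic.com/ipranges/cloud.json
# (assumption: each "prefixes" entry carries "ipv4Prefix" or "ipv6Prefix").
CLOUD_JSON = json.dumps({
    "prefixes": [
        {"ipv4Prefix": "34.0.0.0/15", "service": "Google Cloud", "scope": "example"},
        {"ipv6Prefix": "2600:1900::/35", "service": "Google Cloud", "scope": "example"},
    ]
})


def load_gcp_networks(raw_json):
    """Parse the cloud.json document into ip_network objects (v4 and v6)."""
    nets = []
    for entry in json.loads(raw_json).get("prefixes", []):
        prefix = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        if prefix:
            nets.append(ipaddress.ip_network(prefix, strict=False))
    return nets


def is_gcp(ip_str, nets):
    """True if the address falls inside any of the loaded GCP prefixes."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in n for n in nets)


# Minimal combined-log-format parser (assumed format; adapt to your server's).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "status": int(m["status"])}


def find_offenders(lines, nets):
    """Return {ip: reason} for GCP IPs exceeding either threshold in any
    fixed one-minute window (timestamp floored to the minute)."""
    per_min = defaultdict(lambda: {"total": 0, "bad": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip rather than crash the monitor
        key = (ev["ip"], ev["ts"].replace(second=0, microsecond=0))
        per_min[key]["total"] += 1
        if ev["status"] in BAD_STATUSES:
            per_min[key]["bad"] += 1

    offenders = {}
    for (ip, minute), c in per_min.items():
        if ip in offenders or not is_gcp(ip, nets):
            continue  # non-GCP traffic is left to the other scenarios
        if c["total"] > MAX_REQUESTS_PER_MIN:
            offenders[ip] = f"{c['total']} req/min at {minute:%H:%M}"
        elif c["bad"] >= MAX_BAD_PER_MIN:
            offenders[ip] = f"{c['bad']} bad (403/404) responses/min at {minute:%H:%M}"
    return offenders


def build_sample_log():
    """Constructed access-log lines covering each case of interest."""
    base = datetime(2024, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, status, path="/"):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    lines = []
    lines += [line("34.0.1.5", i, 200, f"/p{i}") for i in range(25)]  # 25 req/min -> flagged
    lines += [line("34.1.2.3", 10 + i, 404) for i in range(3)]        # 3 x 404 -> flagged
    lines += [line("34.0.9.9", 20 + i, 404) for i in range(2)]        # only 2 x 404 -> not flagged
    lines += [line("203.0.113.9", i, 200) for i in range(30)]         # not GCP -> ignored here
    return lines


if __name__ == "__main__":
    gcp_nets = load_gcp_networks(CLOUD_JSON)
    for ip, why in find_offenders(build_sample_log(), gcp_nets).items():
        print(f"block {ip}: {why}")
```

The fixed one-minute window is the simplest thing to reason about offline; a CrowdSec leaky bucket (`capacity` with a `leakspeed`) gives the sliding equivalent, so an IP that spreads 21 requests across a minute boundary is still caught. Keeping the range check as a filter on the event rather than a firewall rule is what lets legitimate GCP-hosted clients through as long as they stay under the thresholds.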