Yes, the site was "proxied" by Cloudflare in "under attack" mode at first, then with some specific rules to fine‑tune it a bit.
But the client didn’t want it anymore because they were convinced of a loss of revenue (I don’t know if that’s true).
So, a "big" server + Nginx reverse proxy with adapted configuration + nftables with a fairly massive DROP.
I'd never seen that; I'm still facing someone who's very motivated.
Very motivated, well a stresser can be found in 5 minutes on the Yandex engine which even gives you a free 300‑second attack. Then you set up a click program that repeats the stresser's DDoS attack in a loop and let your PC run while drinking a Coke.
Many stressers have been taken offline by the FBI's Operation PowerOFF in collaboration with several European countries, but they all respawn a few weeks later. The first question to ask is: couldn't we block access from certain countries with a firewall rule? It's true we always want our site to be accessible to everyone, but realistically, what revenue does it make with Bangladesh, for example? We should think about it; I've worked for Belgian clients whose sites are only accessible from Belgium because they're in the healthcare sector and have no interest in opening the doors to every country in the world.
I don't know your client, but it smells like competition; it's a sensitive sector. If he gets hit regularly, it's because he's being targeted.
Very interesting, I never take the time to put myself "on the other side", I only defend.
So for you this kind of attack that uses millions of IPs (I’ve identified at least 5 million residential IPs) and has been running for a year really costs zero €?
For the geo‑ban and AS ban, yes it’s done (I gave the details, by the way).
For my part, I have a site with custom PHP code that uses as few PHP requests as possible. A shared hosting with the old offer similar to "Performance": the "Cloud Web 1".
I have an .htaccess that blocks certain bots: https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/blob/master/_htaccess_versions/htaccess-mod_rewrite.txt
Then, PHP kicks in, a first include with a custom script to block fake Facebook crawls: https://www.c2script.com/scripts/bloquer-les-faux-partages-facebook-venant-de-facebookexternalhit-s66.html
On certain pages with information updated several times a day (these are the most attacked pages) I have a special include that blocks certain IPs, such as Alibaba for example, starting with 47.82. and 47.79. (before the database include, always to save SQL resources and use the "unlimited traffic" as mentioned on all shared offers).
I also have a script that is called by Apache (.htaccess) if a 404 error occurs to block all non‑existent pages crawled nonstop by bots looking for vulnerabilities/info, an example of the code:
<?php
// 404 pages, without SQL to save resources
// bots looking for files / annoying bots
$substr = [
    // files that no longer exist
    '/images/ancienneimage.jpg',
    // ...
    // folders to ignore
    '/1.',
    '/404error_test',
    '/.',
    '/-',
    '/_',
    '/__',
    '/wp',
    '/v1/',
    '/v2/',
    '/v3/',
    // ...
    '/a/',
    '/about',
    '/access.log',
    '/account',
    '//',
    '/%',
    '/\'',
    '/*',
    // ...
];
foreach ($substr as $sub) {
    // case-insensitive prefix match on the requested path; strlen() rather than
    // mb_strlen() so the length is in bytes, like substr()
    if (substr(strtolower($_SERVER['REQUEST_URI']), 0, strlen($sub)) == strtolower($sub)) {
        http_response_code(410); // "Gone": tells crawlers there is nothing to retry
        exit;
    }
}
There you go, I've always done it this way, using JSON files for blog posts and other data because shared hosting always advertised "unlimited traffic", so I stick with it (resource saving, of course). I still want to move to a VPS in the future for my use (a site accessible worldwide, translated into multiple languages and with new info every day, every hour + the mobile app that pulls the same information as the site).
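The "early include before any SQL" idea from this post, written up as an added example (not the poster's code): it matches the client address against CIDR ranges instead of string prefixes, keeps the URI-prefix check, and answers 410 like the original. The ranges (the post's 47.82. and 47.79. prefixes treated as /16s), the prefix list and the `should_block` helper are constructed for illustration.

```php
<?php
// Added example, not the poster's code: early include that runs before any database
// work. Requests from listed IPv4 ranges or junk URI prefixes get a 410 so crawlers
// stop retrying. Ranges are constructed from the post's "47.82." / "47.79." prefixes.

/** True when IPv4 $ip lies inside $cidr, e.g. "47.82.0.0/16" (assumes 64-bit PHP). */
function ipv4_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false; // not valid IPv4 (e.g. an IPv6 client): never matches a v4 range
    }
    $bits = (int) $bits;
    // 32-bit netmask; /0 is special-cased because shifting by 32 is undefined
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** True when the lower-cased request path starts with any listed prefix. */
function uri_has_blocked_prefix(string $uri, array $prefixes): bool
{
    $uri = strtolower($uri);
    foreach ($prefixes as $prefix) {
        if (str_starts_with($uri, strtolower($prefix))) {
            return true;
        }
    }
    return false;
}

/** Decision helper (hypothetical name) so the policy can be tested without a web server. */
function should_block(string $ip, string $uri, array $ranges, array $prefixes): bool
{
    foreach ($ranges as $range) {
        if (ipv4_in_cidr($ip, $range)) {
            return true;
        }
    }
    return uri_has_blocked_prefix($uri, $prefixes);
}

// Constructed lists. REMOTE_ADDR is the real client on plain shared hosting; only
// swap in X-Forwarded-For if your host documents that its proxy sets it.
$blockedRanges   = ['47.82.0.0/16', '47.79.0.0/16'];
$blockedPrefixes = ['/wp', '/.', '/v1/', '/access.log'];
if (should_block($_SERVER['REMOTE_ADDR'] ?? '', $_SERVER['REQUEST_URI'] ?? '/', $blockedRanges, $blockedPrefixes)) {
    http_response_code(410);
    exit;
}
```

With these lists, `should_block('47.82.10.20', '/index.php', ...)` and `should_block('203.0.113.5', '/wp-login.php', ...)` both return true, while `should_block('203.0.113.5', '/index.php', ...)` returns false.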
It can, yes, if you combine multiple online stressers that offer free attacks, but even if they pay, the plans aren’t costly for launching DDoS attacks. Sensitive sites like that should be hosted with a competitor that starts with G, for example (with a server in Europe). Their DDoS protection is ten times more effective than ours. If you prefer to stay with OVH, you’ll need Cloudflare.
Everything related to weapons is highly political: if a country at war with another knows you’re selling to them, you’ll make enemies for free, even though in the end you’re just a simple reseller.