A new proxy is in place, but the backend can't tell which requests have passed through it.
All requests include the f5-proxy: challenge header.
After a login page migration, old bookmarks and cached links still point to the old login path, returning 404s.
Requests to /old/login are redirected to /login.
A known bad actor has been hammering the app using a recognizable client signature.
Requests with the user-agent badactor are blocked.
Every few minutes, the app gets flooded with a sudden wave of requests that the backend can't keep up with.
Requests are limited to less than 10 per second.
Someone is probing the application with crafted inputs designed to manipulate the database.
Malicious requests are blocked.
A bot targeting the login page is mimicking a real browser using a correct user-agent and normal-looking headers.
Sophisticated bots are blocked from making POST requests to /login.