Block LoadImpact from DDOS'ing tile.openstreetmap.org

[Firefishy]

Yesterday (11/March/2019) one of our caches was effectively Denial of Service attacked by LoadImpact.com when a 3rd party used LoadImpacts service against tile.openstreetmap.org

User-Agent: "LoadImpactRload/3.2.0 (Load Impact; http://loadimpact.com);"

However starting at 11:07:50, two hosts were responsible for a rather abnormal number of flows:
* 52.56.94.104 - 37,121 flows in 125 seconds starting 11:07:50, 101,294 flows in 213 seconds starting 11:09:50.
* 18.130.125.174 - 24,325 flows in 125 seconds starting 11:07:50, 87,360 flows in 276 seconds starting 11:08:47

Loadimpact does not honour the robots.txt exclusion already on the site: https://tile.openstreetmap.org/robots.txt

[tomhughes]

Go for it - they're in breach of the policy anyway as they are effectively acting as a library but not identifying the real end user.

[Firefishy]

For clarity for others reading this ticket: The most likely scenario is a customer of Load Impact used Load Impact's Browser session recorder, the site being recorded was using map tiles from tile.openstreetmap.org. The recorded session was then re-played using the load impact service with 1000s of users causing a massive traffic spike.

[Firefishy]

LoadImpact have added some of our services to an exclusion list. LoadImpact clients will no longer be able to (accidentally) target us.