Help! Attack? Repeated rapid CSRF token requests and gogs crashes

Hello, please help.

Recently my gogs installation has been crashing/exiting after a day or so of operation. I noticed that on restart with ‘gogs dev’ to see logs, the server immediately starts repeatedly outputting logs like

2020/11/01 14:05:54 [ WARN] Custom config "/home/git/go/bin/custom/conf/app.ini" not found. Ignore this warning if you're running for the first time

2020/11/01 14:05:54 [TRACE] Log mode: Console (Trace)
2020/11/01 14:05:54 [ INFO] Gogs 0.13.0+dev
2020/11/01 14:05:54 [TRACE] Work directory: /home/git/go/bin
2020/11/01 14:05:54 [TRACE] Custom path: /home/git/go/bin/custom
2020/11/01 14:05:54 [TRACE] Custom config: /home/git/go/bin/custom/conf/app.ini
2020/11/01 14:05:54 [TRACE] Log path: /home/git/go/bin/log
2020/11/01 14:05:54 [TRACE] Build time:
2020/11/01 14:05:54 [TRACE] Build commit:
2020/11/01 14:05:54 [ INFO] Run mode: Development
2020/11/01 14:05:55 [ INFO] Listen on
2020/11/01 14:05:58 [TRACE] Session ID: 3e75a9d0c7ce94d5
2020/11/01 14:05:58 [TRACE] CSRF Token: Mnmgz13lfpqgG1j5H48sltyFGEc6MTYwNDI2ODM1ODAyNDk0ODk1Mg
2020/11/01 14:05:58 [TRACE] Session ID: 1c64b4d49469da13
2020/11/01 14:05:58 [TRACE] CSRF Token: iUM9pyI0SlWtMsp2KmesSHJOB6g6MTYwNDI2ODM1ODI5ODcwNzU5Nw
2020/11/01 14:05:58 [TRACE] Session ID: 5fd7019cf5c43d2a
2020/11/01 14:05:58 [TRACE] CSRF Token: H7pEueD3vJICNP-HB_VkunTTk046MTYwNDI2ODM1ODk5NTA4MTA1Ng
2020/11/01 14:05:59 [TRACE] Session ID: 01324a8f2e7fdd65
2020/11/01 14:05:59 [TRACE] CSRF Token: 8n4snKW6Kl-p_GHLvuH0_1KJ7Ik6MTYwNDI2ODM1OTAxODE5OTgxNQ
2020/11/01 14:05:59 [TRACE] Session ID: b1f7ae8348aa1db0
2020/11/01 14:05:59 [TRACE] CSRF Token: jlpboTMmNjBYNrBV0FCdQGmJDSY6MTYwNDI2ODM1OTMzODQ1NzI2MA
2020/11/01 14:06:00 [TRACE] Session ID: efe6a6cfc331f354
2020/11/01 14:06:00 [TRACE] CSRF Token: BSotbatqSGfu8oQTIvlLSLA_WAg6MTYwNDI2ODM2MDIwNjUyNjQ5OQ
2020/11/01 14:06:00 [TRACE] Session ID: f5967efc5109b934
2020/11/01 14:06:00 [TRACE] CSRF Token: VPQ3hV6qDb1tv9ew55JJMXlVQLM6MTYwNDI2ODM2/home/git/gogs.log


System: Funtoo Linux x64, go1.14, Gogs version 0.13.0+dev (first noticed with version 0.12)

Am I under some sort of attack? Gogs was super-stable for me over the last 1.5 years until about a month ago. I have not upgraded my Linux or go system recently.

Thank you,

Update: I think I see what’s going on. A whole bunch of hostile hosts from China IPs are apparently trying to mirror all of my hosted repositories! My apache2 server is immediately maxed out for workers by these GET requests which are proxied through to gogs.

Any ideas on how to blacklist or block heavy activity to gogs based on bandwidth or requests per second?

For now, I’m trying to use ipset to blacklist all the IPs and ride this out… see
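
An added example, not part of the original post: one way to find the heavy clients described above is to count requests per IP in a sliding time window over the Apache access log and emit `ipset add` lines for the offenders. The log lines are constructed samples in Apache common/combined format, and the thresholds and the set name `gogs_block` are assumptions (the set would need to exist already, e.g. created with `ipset create gogs_block hash:ip`).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (documentation IP ranges, made-up paths).
SAMPLE = (
    ['198.51.100.20 - - [01/Nov/2020:14:05:10 +0000] "GET / HTTP/1.1" 200 1024']
    + [f'203.0.113.7 - - [01/Nov/2020:14:05:{58 + i // 4:02d} +0000] '
       f'"GET /user/repo{i}.git/info/refs HTTP/1.1" 200 512' for i in range(8)]
    + ['198.51.100.20 - - [01/Nov/2020:14:06:40 +0000] "GET /explore HTTP/1.1" 200 2048',
       'truncated or malformed line']
)

# client IP, ident, user, [timestamp], start of the quoted request line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')


def heavy_clients(lines, max_requests=5, window_seconds=2):
    """Return IPs with more than max_requests hits inside any window_seconds span."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, stamp = m.groups()
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window_seconds:
            q.popleft()           # drop hits that fell out of the window
        if len(q) > max_requests:
            flagged.add(ip)
    return flagged


def ipset_commands(ips, set_name="gogs_block"):
    """Render one 'ipset add' line per flagged IP; set_name is an assumed set."""
    return [f"ipset add {set_name} {ip} -exist" for ip in sorted(ips)]


if __name__ == "__main__":
    print("\n".join(ipset_commands(heavy_clients(SAMPLE))))
```

Review the flagged list before applying it, since a legitimate client doing a large clone or a CI job can also exceed a low threshold.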