Blocked user can retry from same ip. Spoofed?

I have FluenthAuth 1.0.7.

Yesterday my server was under attack. There were 2949 blocked login attempts in about two hours.
Now here is the strange thing. They all reportedly came from the same ip.
I have a login try limit of 3 per ip activated with an unblock time of 30 minutes.

How is it possible that this still happens? There must be some ip-spoofing going on since the site is behind a reverse proxy with an ip allow list which was also fooled.
Here is a line from the log:

blocked696969!

web

87.247.158.120

windows / Chrome

18 hours ago

Description

Blocked by Fluent Auth

User Agent

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

The attack was not successful, there was no good login. Any ideas welcome.

• This topic was modified 4 months, 4 weeks ago by paulbnl.
• This topic was modified 4 months, 4 weeks ago by paulbnl.