After the attack, what changes did you make to your setup or infrastructure? And any lessons or guidance on avoiding or blocking attacks?
To fight them, I use OpenResty (which doesn't seem to get much attention on HN). OpenResty is basically Nginx with Lua scripting capabilities. Before any HTTP request hits my (slow) backend, it goes through a set of hand-written Lua rules where I check very basic things about the client and HTTP request, like how many requests/second (or minute) the client is generating, whether it has any authentication cookies set, what the client's ASN is, how many times it has hit this particular route, etc. If there is a red flag, I quickly render a page (in OpenResty/Lua -- which can easily handle thousands of requests per second) with a captcha on it. The client then submits the captcha, and the server-side Lua code sets a signed cookie authenticating their session (so it is not blocked for future requests).
One gotcha I remember was having to take special care to handle POST parameters from the initial request but otherwise, it was fairly simple.
My "web application firewall" has some fancy things like hot-reloading rules, fetching ASN numbers from the IP, and checking for legit bots (with reverse DNS lookups). I like to imagine it as an early form of Cloudflare.
I should note that my "captcha" is actually just a static image (with the alt/title attribute as the correct response). The people who attack my sites never bother to customize their attack. If it becomes an issue, I'll have to use a real captcha, but for now, it works.
I feel like these people just hit random websites to test their DDoS capabilities.
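As an added illustration of the gate the comment above describes (this is example code written for this page, not the commenter's own module), here is a minimal OpenResty access-phase script: a per-client request counter in a shared dict, a captcha page rendered directly from Lua when the limit is exceeded, and an HMAC-signed expiring cookie issued once the captcha is solved. The module name `gate`, the paths under `/__gate/`, the `GATE_SECRET` environment variable, the limits and the static captcha answer are all assumptions chosen for the example; the ASN and reverse-DNS checks the comment mentions are not shown.

```lua
-- gate.lua: example OpenResty request gate (not the original poster's code).
-- Assumed nginx.conf wiring:
--   env GATE_SECRET;                       # needed for os.getenv() to see it
--   lua_shared_dict ratelimit 10m;
--   server {
--     location /__gate/captcha.png { alias /srv/gate/captcha.png; }  # not gated
--     location / {
--       access_by_lua_block { require("gate").check() }
--       proxy_pass http://127.0.0.1:8080;  # the slow backend
--     }
--   }

local _M = {}

local SECRET         = os.getenv("GATE_SECRET") or "change-me"  -- assumption
local LIMIT          = 30                  -- requests per WINDOW per client IP
local WINDOW         = 60                  -- seconds
local COOKIE_NAME    = "gate"
local COOKIE_TTL     = 3600                -- how long a solved captcha is honoured
local CAPTCHA_PATH   = "/__gate/captcha"   -- hypothetical submit URL
local CAPTCHA_IMG    = "/__gate/captcha.png"
local CAPTCHA_ANSWER = "hn2024"            -- static answer, as in the comment

-- HMAC-SHA1 over the payload, base64 encoded (no "." so it can be a separator).
local function sign(payload)
  return ngx.encode_base64(ngx.hmac_sha1(SECRET, payload))
end

-- Cookie value is "<expiry unix time>.<signature>"; only the server can mint it.
local function issue_cookie()
  local exp = tostring(ngx.time() + COOKIE_TTL)
  ngx.header["Set-Cookie"] = COOKIE_NAME .. "=" .. exp .. "." .. sign(exp)
    .. "; Path=/; HttpOnly; SameSite=Lax"
end

local function cookie_ok()
  local raw = ngx.var["cookie_" .. COOKIE_NAME]
  if not raw then return false end
  local exp, sig = raw:match("^(%d+)%.(.+)$")
  if not exp or tonumber(exp) < ngx.time() then return false end
  return sign(exp) == sig   -- plain string compare; not constant-time
end

-- Fixed-window counter keyed on client IP and window number.
local function over_limit()
  local dict = ngx.shared.ratelimit
  local key  = ngx.var.remote_addr .. ":" .. math.floor(ngx.time() / WINDOW)
  local n, err = dict:incr(key, 1, 0, WINDOW * 2)  -- init 0, expire after 2 windows
  if not n then
    ngx.log(ngx.ERR, "ratelimit dict error: ", err)
    return false   -- fail open; change to true to fail closed
  end
  return n > LIMIT
end

-- Render the challenge from Lua without touching the backend. Only the original
-- URL is carried over in a hidden field: the body of an intercepted POST is not
-- replayed here, which is the "POST parameters" gotcha the comment mentions.
local function render_captcha()
  local next_url = ngx.escape_uri(ngx.var.request_uri)
  ngx.status = ngx.HTTP_FORBIDDEN
  ngx.header["Content-Type"] = "text/html"
  ngx.say(string.format([[<!doctype html><title>Check</title>
<form method="post" action="%s">
<img src="%s" alt="%s">
<input name="answer" autofocus><input type="hidden" name="next" value="%s">
<button>Continue</button></form>]], CAPTCHA_PATH, CAPTCHA_IMG, CAPTCHA_ANSWER, next_url))
  return ngx.exit(ngx.HTTP_OK)
end

local function handle_captcha_post()
  ngx.req.read_body()
  local args = ngx.req.get_post_args()
  if args.answer ~= CAPTCHA_ANSWER then return render_captcha() end
  issue_cookie()
  -- Only allow same-site relative redirects so "next" cannot become an open redirect.
  local target = ngx.unescape_uri(tostring(args.next or "/"))
  if target:sub(1, 1) ~= "/" or target:sub(1, 2) == "//" then target = "/" end
  return ngx.redirect(target, ngx.HTTP_MOVED_TEMPORARILY)
end

function _M.check()
  if ngx.var.request_method == "POST" and ngx.var.uri == CAPTCHA_PATH then
    return handle_captcha_post()
  end
  if cookie_ok() then return end                   -- already verified, pass through
  if over_limit() then return render_captcha() end -- red flag: challenge instead
end

return _M
```

Two things to check before running something like this in front of a real site: if Nginx sits behind a proxy or CDN, `ngx.var.remote_addr` is the proxy's address and every client shares one counter, so key the dict on the real client IP instead; and the cookie signature comparison above is a plain Lua string compare, which is timing-dependent, so compare a second HMAC of each side (or use a library that offers a constant-time compare) if that matters for your threat model.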