Summary
Render logs from 2026-03-26 show automated scraping from a single IP (178.22.106.230) causing burst traffic patterns that likely triggered the autoscaler to scale up to 2 instances on March 25.
Evidence
- Spoofed user-agent: Claims Chrome 130 on Nexus 5 / Android 6.0 — a 2013 device on an unsupported OS. Almost certainly a bot.
- Burst pattern: ~13 requests in 10 seconds, then ~20+ requests in 2 minutes from the same IP.
- Autoscale event: Render scaled from 1 → 2 instances on March 25 at 3:39 PM, likely triggered by similar burst traffic.
- Additional scanner traffic observed from Censys (
CensysInspect/1.1) and two IPs with identical unusual user-agents (Firefox 120 on 32-bit Linux).
Impact
- Unnecessary autoscaling costs on Render Starter plan
- No actual performance or availability issue — response times remained 3-15ms
Suggested mitigations
Summary
Render logs from 2026-03-26 show automated scraping from a single IP (
178.22.106.230) causing burst traffic patterns that likely triggered the autoscaler to scale up to 2 instances on March 25.Evidence
CensysInspect/1.1) and two IPs with identical unusual user-agents (Firefox 120 on 32-bit Linux).Impact
Suggested mitigations