If I had to guess after managing enterprise WAF across hundreds of domains…

It’s either a crowler or vulnerability scanner, and may be scanning by IP address. I don’t think you configured anything wrong.

You may want to add some form of captcha or user agent based filter to get rid of it. Good news is that it’s not necessarily something to worry about.

I’d avoid IP based blocking. It’s only temporarily effective.

I see 803 forks currently, keep up the good work!