It's just one IP hammering the Mastodon API. But this has never happened before so I didn't configure rate limits. It was easy to fix.
The blue spikes on the right are 429 errors after applying rate limits.
Discussion
Are layer 7 attacks possible? I assume so, but idk the codebase. Just curious if you can horizontally scale away that problem.