If your site is focused on the Russian Federation, and the bots are brought down from abroad, you can go under the free protection of cloudflare, prohibiting connections from outside the Russian Federation there.
Or give static html with/without the left metric counter, for visitors with a set of features pointing to a spammer.
PS I wonder if gzip bombs are still alive?

You can make a "laying" of lazy loading of all analytics counters.
If the URL was requested, but the "pad" was not requested 3-4 times, then the IP-shnik is banned by
Y=X^5
where X is the number of times the event triggered, and Y is the number of minutes of the ban.

I have projects on VPS and for similar smart people who try to guess passwords to admins (only when entering them) (url changed to non-standard ones) immediately banned by fail2ban for 5 years, about brute force again after, for example, 5 attempts with a server response 404 to the ban, I think this will especially help since the site is confidently sitting on its positions in Google, now I have more than 500 subnets in the ban from 128 ip to 16 millionth (China reassured) + every 3-4 days I try to view the server logs myself for the presence of left activity and the site by server responses other than 200
CF would not recommend using if the site is for the Russian Federation, since there are a lot of ip of them in a full ban, and it is not known which one the site will get, since it can be found out only after switching to CF, and if it is in the ban, then this is still time to return dns back, and it turns out not a bad time of an inaccessible site