I am still not seeing anything out of the ordinary. So either they are hitting specific IPs / Nodes or my SonicWall is blocking them for some reason.
I do have the sonic configured to block botnets, so if the connections are coming from known bad IPs they might never make it in. But other then that I have no idea.
This could actually be a good feature to implement in Bitcoin Core, no? Botnet detection and blocking. Without hooking up to any third-party software or API, you could make Core read a certain file that has a blocked subnet on each line, nodes discovered in those subnets won't even be added to the bucket or queried for additional peers, which can thwart an attack like this.
To supply the actual IPs themselves you could change Core to record invalid IP address/port combos in the file and advertise a ZMQ message for peers to retrieve your "peer ignore list" so they can update their files too. In this way, the entire network becomes resilient to this kind of attack (the nodes that upgrade, at least).