I managed to smack down 90% of the bots by 403ing anything that makes a request to a specific endpoint without a referrer from the site itself. In normal cases the site should operate with them going to the root page / -> search -> then either to the timeline of an account or to a reply. This is a bit draconian in that it prevents people with a bookmark from just showing up to the timeline with_replies, but I set up a 403 explaining why. I doubt the guy with the botnet is really investigating why his bots are getting 302'd to an error page; it's just not getting data. Now it's back down to the baseline bots again.
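A sketch of the referrer gate described in the post above, as an added example that is not the poster's code: the hostname `nitter.example`, the `/<account>/with_replies` path layout and the function names are assumptions. It compares the parsed Referer host exactly, because a substring match also accepts look-alike hosts; the header is client-supplied, so the gate only filters clients that do not set it.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

SITE_HOST = "nitter.example"             # assumption: the site's own hostname
PROTECTED_SUFFIXES = ("/with_replies",)  # assumption: the gated endpoint(s)
EXPLANATION = (
    "Direct requests to this page are blocked to limit scraping. "
    "Start from the front page or search and follow the link from there."
)


def same_site_referer(referer: Optional[str]) -> bool:
    """True only if the Referer parses as http(s) with exactly our hostname."""
    if not referer:
        return False  # missing header: bookmarks and most bots land here
    try:
        parts = urlsplit(referer.strip())
    except ValueError:  # e.g. malformed bracketed host
        return False
    host = (parts.hostname or "").lower()
    return parts.scheme in ("http", "https") and host == SITE_HOST


def is_protected(path: str) -> bool:
    """Gate only the deep endpoints; / and /search stay open as entry points."""
    bare = path.split("?", 1)[0].rstrip("/")
    return bare.endswith(PROTECTED_SUFFIXES)


def decide(path: str, referer: Optional[str]) -> Tuple[int, str]:
    """Return (403, explanation) to block, or (200, '') to pass the request on."""
    if is_protected(path) and not same_site_referer(referer):
        return 403, EXPLANATION
    return 200, ""


if __name__ == "__main__":
    # Constructed sample requests: (path, Referer header)
    samples = [
        ("/", None),
        ("/someuser/with_replies", None),
        ("/someuser/with_replies", "https://nitter.example/search?q=someuser"),
        ("/someuser/with_replies", "https://nitter.example.evil.test/"),
    ]
    for path, ref in samples:
        print(decide(path, ref)[0], path, ref)
```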