Codeberg has been under DDOS attacks for most of 2025, someone out there has it in for them and has been attacking relentlessly. The volunteer team has been very transparent posting about in social media and their blogs.
I think that even with someone having it out for them, the unfortunate reality of running a web service in 2025 is you have to be prepared to handle this and going down for hours at a time isn’t handling it.
Define legitimate clients. I'd guess that a good number of their "clients" are AI scrapers.