With the way phpBB handles guest sessions for clients that would not accept cookies to store their session ID would be that it will be appended to the URI being requested: e.g.,
viewtopic.php?p=111&sid=e81d16e41aba3c52312fd20e3e49d4c5.Any well made spider will know to disregard the SID parameter, however these bots are so poorly written they do not do that. Combined with these agents using IP addresses from all over the world this ultimately results in whatever controller thread to treat each and every of those URIs as a unique page that needs to be scraped. This would ultimately cause a positive feedback loop where a bot comes to harvest what it thinks is a unique page, get a new SID as a session is spawned, call another thread to index that and so on.
I have disabled the message board appending SID to URLs being requested by guest as the main source of this. Additionally, as bots will keep coming back with those already baked in, I have deployed a temporary workaround where presense of session ID in the query string will trigger HTTP 404 as that was quicker to implement.
Please let me know if this causes any issues for your usage of the message board.