An analysis of the source IP address networks might reveal more about the technique he's using. For example if they are all from one cloud provider, he could be rapidly allocating and deallocating IPv4 addresses from their pool, to attach to a VM to make the requests.

That said, probably it's multiple different techniques being used to make these requests, considering they are from such a huge number of different IP addresses. There's probably not one simple answer to this puzzle.