5 seconds javascript challenge


#1

Hi, can this be a problem for “Under attack mode”?


#2

Not sure what that picture shows. What do you mean by “can this be a problem”?


#3

obviously, someone is trying to bypass this 5 seconds security thing…


#4

i got this screen from my friend, who knows guy who attacked my site yesterday and he send him this screen that he’s working on bypassing this.


#5

Appears to use https://www.npmjs.com/package/cloudscraper which evaluates the challenge in a JavaScript VM and manages to bypass the check in that way.


#6

I am aware of that, that bothers me because i’m not sure now if cloudflare has something to prevent bypassing this 5 second javascript challenge… :confused:


#7

In general the script still has to wait 5 seconds, so unless they have a large amount of hosts, it won’t be as effective of a DDOS attack. Getting such a volume of computers to do this (mind you, this is a Node script that needs dependencies and setup) would require a large botnet or renting servers from cloud providers, both of which are hard to do without being caught.

If you do end up seeing your site taken down due to this, instead you should try a Firewall rule setting security to “challenge” (captcha).


#8

what do you mena by trying Firewall rule setting? More details? I would be gratefull


#9

See

You can define firewall rules with an if-then-and code-style and then have requests blocked, challenged (Captcha) JS challenged, or allowed.


#10

hm, i’ll read that as soon as i’m back home. Thanks!