A question about rate limiting

I know 10k cost 0.05 but if 10 ips attack my site (I have rule to block any ip has more than 3 requests during 10 seconds) why the same ip still send requests and cloudflare count its requests in rate limiting ?
so if the same ip send 1000 000 request so how much it will cost me? what about my rule to block it for one hour?!!
please someone explain to me

Hi @mawuood

Only good requests are billed (that are accepted under your rate limit rules).
Bad requests (blocked by the rate limiting) are not.

There is a more thorough explanation on this page:

first thank you for your reply. do you mean only the first 3 request which match the rule will be counted?
let me explain to you. Each time they attack my site only 12 ips send a round 6M. so I block them direcly after rate limiting catch them. so my question is how it will be counted and how much it will cost me? thanks in advance

Let’s say you have 12 IPs who attack you.

I set up the following rate limiting, for example:

This means that for each IP, they would be, in the above case, be able to send 10 requests per 60 seconds (that are billed - but still free if your total number of good rate limited queries are under 10000, after you would pay as per my link above).

But from the moment they decide to go over the limit I have above, they will get blocked, and here, even if they send 5 or 10 million queries, they will not be billed since they are considered “bad requests”.

So you would be only billed of 12*10 good queries (120).

thanks again. If any ip blocked by rate limit it will not cost me. good news. but the normal visitor (my site traffic) will be counting as good requests ? so I will pay for them?

Yes, the normal visitors will be billed since they are “good requests”

That’s why in general it is best to restrict rate limiting to critical functions (ex: Reset password page/API call, Login page/API call, etc) and leave the remaining of the work to the Cloudflare Bot Management (Security Level + Bot Fight Mode + Browser Integrity Check enabled)