For weeks now this site has been bombarded with bots and maxing out my server. The pattern seems to be single requests each from different IP addresses, so I can’t block by IP, and it probably doesn’t look like a flood attack by some measures. User agents look normal. To start with they seemed to be coming from China so I blocked China and now they’re coming from all over, including the UK where my customers are. Currently on Pro plan. Block AI bots and JavaScript Detections switched on. What more can I do?
Ensure that your origin only allows Cloudflare IP addresses so all requests must come through Cloudflare and can’t come direct to your origin.
As you have a Pro plan, Super Bot Fight mode can be enabled and configured to help deal with the bots.
You can also start by using Under Attack Mode to challenge all requests to your site. This may have some side effects on real visitors so just use that to keep your site up while you look to configure settings to block as many as possible using custom WAF rules.
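To check whether the first suggestion above is in effect, this added example (not part of the original reply) audits origin access-log lines for requests that did not arrive from a Cloudflare address and emits an nginx allowlist. The log format, sample lines and function names are constructed for illustration, and the CIDR list is only a subset of the ranges Cloudflare publishes at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, which should be fetched fresh before use.

```python
import ipaddress

# Assumption: a subset of Cloudflare's published ranges; refresh from
# https://www.cloudflare.com/ips-v4 and /ips-v6 before relying on it.
CLOUDFLARE_CIDRS = [
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13",
    "172.64.0.0/13", "2400:cb00::/32",
]

# Constructed log lines: "<connecting peer address> <method> <path> <status>".
# The first field must be the TCP peer, not a value taken from a header.
SAMPLE_LOG = """\
172.64.10.5 GET / 200
203.0.113.44 GET /wp-login.php 200
104.18.2.9 GET /shop 200
2400:cb00:12::1 GET / 200
198.51.100.7 POST /xmlrpc.php 200
not-an-ip GET / 400
"""

def load_networks(cidrs):
    """Parse CIDR strings into network objects (raises on a malformed entry)."""
    return [ipaddress.ip_network(c) for c in cidrs]

def via_cloudflare(peer, networks):
    """True if the connecting address falls inside one of the given ranges."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False  # unparseable peer: treat as not from Cloudflare
    return any(addr.version == n.version and addr in n for n in networks)

def direct_hits(log_text, networks):
    """Return peers that reached the origin without passing through Cloudflare."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if fields and not via_cloudflare(fields[0], networks):
            hits.append(fields[0])
    return hits

def nginx_allowlist(cidrs):
    """Render allow/deny directives for an nginx server or location block."""
    return "\n".join([f"allow {c};" for c in cidrs] + ["deny all;"])

if __name__ == "__main__":
    print("direct-to-origin peers:", direct_hits(SAMPLE_LOG, load_networks(CLOUDFLARE_CIDRS)))
    print(nginx_allowlist(CLOUDFLARE_CIDRS))
```

Any peer it reports reached the server without Cloudflare's bot or WAF checks; once the allowlist (or an equivalent firewall rule) is applied, the audit should come back empty.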