I have an attacker who is keeps calling same links from different cities from many countries at the same time simulating call from mobile browser and unfortunately when I turn on the “I’am under attack” it does not do anything, it does not block these attacks. The only thing works is the firewall rule with challenging reChaptcha. So basically I think the JS challenge system does not work as supposed and useless in my case.
I see google has the invisible reCaptcha V2 which does not require user interaction, and newly google have reCaptcha V3 which is also invisible which I’d suggest Cloudflare to start implementing it to customers instead of the JS challenge one.
If currently anyone has a solution/suggestion to my issue until Cloudflare implement a practical secure system using reCAPTCHA v3 to block attackers, please let me know how to solve my problem. I am currently creating a firewall rule for the whole countries and using reCaptcha challenge which makes most legitimate users do not visit the website