DDoS HTTP POST/GET

I have enabled CF on my website https://jeffpronosports.com/ with JS captcha to avoid bots, but I still have bots making POST/GET on my website.
See attached logs

How can they still flood while I have Cloudflare enabled with Under Attack mode enabled?

I also see that I have some IPs displayed in my log file but not mentioned on the firewall?
For example is from GERMANY while I have banned ALL countries EXCEPT FRANCE with (ip.geoip.country ne "FR")
in the CF firewall settings…

JS isn’t CAPTCHA. If it’s “Under Attack” mode, then it’s a JS challenge. And it’s not perfect.

It looks like they’re targeting your contact and register pages. I’d turn off Under Attack mode and use a Firewall Rule so if URI Path contains register OR URI Path contains contact, then CAPTCHA Challenge.

Remember that it’s possible that attacker(s) can bypass Cloudflare and directly target your server by its IP address. That’s why it’s always good to firewall off any requests that do not come from cloudflare.com/ips
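One way to check an origin access log for the bypass described in the last reply (an added example, not part of the thread): it flags requests whose connecting address is outside Cloudflare's ranges. It assumes a combined-format log whose first field is the TCP peer (no real-IP restoration module rewriting it); the range list is a snapshot to refresh from cloudflare.com/ips, and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Snapshot of the ranges published at cloudflare.com/ips; refresh before relying on it.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in """
173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18
108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22
198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13
131.0.72.0/22 2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32
2405:8100::/32 2a06:98c0::/29 2c0f:f248::/32""".split()]

# Combined log format: peer address, identity, user, [time], "METHOD path ..."
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')

def via_cloudflare(peer: str) -> bool:
    """True if the connecting address belongs to a Cloudflare range."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in CLOUDFLARE_NETS
               if net.version == addr.version)

def direct_hits(lines):
    """Count (peer, method, path) for requests that reached the origin directly."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        peer, method, path = m.groups()
        try:
            if not via_cloudflare(peer):
                hits[(peer, method, path)] += 1
        except ValueError:
            continue  # first field is a hostname or garbage, not an IP
    return hits

# Constructed sample: Cloudflare-range peers plus documentation-range addresses.
SAMPLE = [
    '172.68.10.5 - - [01/Jan/2024:10:00:01 +0000] "POST /register HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "POST /contact HTTP/1.1" 200 498',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "POST /contact HTTP/1.1" 200 498',
    '162.158.90.1 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 2048',
    '198.51.100.23 - - [01/Jan/2024:10:00:04 +0000] "GET /register HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for (peer, method, path), n in direct_hits(SAMPLE).most_common():
        print(f"{n:5d}  {peer:15s}  {method} {path}  (not via Cloudflare)")
```

Any address this reports never passed through Cloudflare, so no Firewall Rule, country block or challenge was applied to it; those are the requests an origin-side allowlist of the Cloudflare ranges would drop.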