DDos my site even with CF "I'm under attack mode"

You can create a Firewall Rule that will impose a Captcha to everyone. Ideally, you should exclude “good bots” to avoid SEO penalties (I’m Under Attack will do it automatically, but if you create a Firewall Rule, you must be explicit about it.)


You can always replace the string I created with some other random string. You can tinker with this rule. After you’ve enabled it, you will see under Firewall > Events more details about who’s promoting this attack. Then you may create a more refined rule. For instance, if most attacking bots come from, say, Germany and China, you may restrict the Captcha to visitors from these countries. Or you can create specific rules for User Agents and IP addresses.

Also, you should go to Firewall > Settings and set a generous time for the time it will take for a Captcha to be shown again for your legit users, otherwise they may just give up on your website.EDIT: Also, if you enable this rule, don’t forget to turn off I’m Under Attack Mode. Your visitors will appreciate it.