Difference between Under Attack Mode & JS Challenge?

Can someone explain to me the difference between Under Attack Mode and JS Challenge?

Is JS Challenge just one thing that happens while in under attack mode?

It essentially is. If you create a firewall rule for /* and apply a JavaScript challenge you basically re-created IUA.

@sandro there seems to be a difference between Under Attack Mode and JS Challenge…

I run a chat site plagued with bots. When I turn on UAM the user count drops a bit to 1500+ and there is no bot activity. But when I tell Cloudflare to JS challenge everyone except known bots, the user count drops to 800 and I get reports from genuine users who are blocked.

Can someone help me out with why this would be, or a suggestion as to what to do? The reason why I don’t just leave UAM on is because it would affect some good bots that are not accounted for by Cloudflare’s Known Bots filter and I fear what would happen to my Google search results. So I want to run UAM but only on the chat, which is on a subdomain.

Ehm, of course genuine users will be blocked (actually challenged) as that is what you configured.

What is unclear in this case?

In Under Attack Mode everyone is challenged - bots are blocked and real users are allowed in.

In JS Challenge everyone is challenged - bots are blocked and many real users are blocked.

It seems as though Under Attack Mode is more effective at filtering out bots from real people but I can’t run under attack mode on only a subdomain.

You need to clarify what you mean by “blocked”. Real users should never be blocked as the JavaScript challenge (also as part of IUA) will always execute on a real client and hence the client should pass.

If you have IUA disabled but the JavaScript challenge applied, it shouldn't be any different and real users should still be able to pass.

I’m sorry, what is “IUA”?

I am Under Attack

By blocked I mean they go to the site and get an error. These are real people as several of them have been moderating my chat for years. I have to add them to a whitelist for them to regain access. They have no problem connecting when IUA is on but the site does not load for them when JSC is operating.

What error? The JavaScript challenge never displays an error.

Can you post a screenshot and the URL in question?


That is not really the URL in question :wink: and is completely unrelated to IUA or any challenge. That's a network issue.

The site in question is NSFW, it’s 321sexchat.com. The chat is located at nchat.321sexchat.com. The attached image is a screenshot of what was displayed to one of the chatters when they attempted to connect to the chat room. They were able to connect while IUA was on but not when the JS Challenge was on for the nchat.321sexchat.com subdomain. This was not a temporary thing, they were only able to connect again once I turned off JS Challenge.

That should not be the case. The error you posted is a network issue and not related to any of the aforementioned. Is there a way to reproduce that?

Are you using anything web socket related? That might be influenced by a challenge but, if it is, that should be an issue in either case, IUA and a regular challenge.

It’s the second time I have done this where I went from IUA where 1500 chatters were online and then when I turned on JS challenge half that number just moments later.

Whitelisting them gets them in as well, so they are blocked, not just some network issue.

The screenshot you posted is not a block, let alone a challenge. It is a straightforward network issue. If you can't make it reproducible it is impossible to say more about it, but that is unlikely to be related to firewall rules.

I will try to reproduce with someone I know was blocked and not rely on user-submitted photos.

I went in the chat and asked people to take screenshots when they get locked out.
I shut off Under Attack Mode.
I turned on (not cf.client.bot and cf.threat_score le 13 and http.host eq "nchat.321sexchat.com")

User count went from 1500 to 500 after a few minutes.

I shut the firewall rule off and turned under attack mode back on.

I had about 5 people send me screenshots, all of which match what I posted before: "nchat.321sexchat.com refused to connect."

Any ideas why?

It’s now reproduced, 3 times over. What now?