Firewall Rules [GET]

I have set up firewall rules to protect my forum; they work great to stop the frequent DDoS that we get.

The main problem I have now is that if I set up the rule to use JS Challenge, the DDoS seems to bypass this and our homepage is flooded with GET requests.

If I switch the rule to use a CAPTCHA instead, then our server logs go back to normal and the DDoS is blocked by Cloudflare.

My question is, is there any way to stop the DDoS without genuine users having to use a CAPTCHA every time they stop by the site?

I tried using “threat level” scores but that seems to be ineffective.

Thanks in advance to anyone who is able to help me!

You need to find a pattern in these attacks (IP addresses, ranges, user agents, etc.) and block that instead. The firewall log on Cloudflare might help you with that, or rather, the best source might be your own server log files.
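
One way to do the pattern hunt suggested in the reply above, as an added example that is not part of the original thread: count homepage GET requests in the origin access log per IP, per network range and per user agent, then list whatever accounts for a large share. It assumes the combined log format and that the log records the visitor's address rather than a Cloudflare proxy address; `summarize`, `dominant`, the 30% threshold and the sample lines are all made up for illustration.

```python
import ipaddress
import re
from collections import Counter

# Combined log format is assumed; the client field must hold the visitor's IP.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges, made-up user agent).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "ExampleFlood/1.0"
203.0.113.11 - - [12/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "ExampleFlood/1.0"
203.0.113.12 - - [12/Mar/2024:10:00:02 +0000] "GET /?x=1 HTTP/1.1" 200 5120 "-" "ExampleFlood/1.0"
203.0.113.13 - - [12/Mar/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "ExampleFlood/1.0"
198.51.100.7 - - [12/Mar/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.44 - - [12/Mar/2024:10:00:04 +0000] "GET /forum/thread-12 HTTP/1.1" 200 911 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [12/Mar/2024:10:00:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
""".splitlines()

def summarize(lines, path="/", method="GET"):
    """Count matching requests per client IP, per /24 (IPv6: /48) and per user agent."""
    by_ip, by_net, by_ua = Counter(), Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        # Ignore the query string so "/?x=1" still counts as the homepage.
        if not m or m["method"] != method or m["path"].split("?")[0] != path:
            continue
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is not an IP address; skip the line
        prefix = 24 if addr.version == 4 else 48
        by_ip[str(addr)] += 1
        by_net[str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))] += 1
        by_ua[m["ua"]] += 1
    return by_ip, by_net, by_ua

def dominant(counter, min_share=0.3):
    """Return (key, count) pairs responsible for at least min_share of the requests."""
    total = sum(counter.values())
    return [(k, n) for k, n in counter.most_common() if total and n / total >= min_share]

if __name__ == "__main__":
    for name, counter in zip(("ip", "net", "ua"), summarize(SAMPLE_LOG)):
        print(name, dominant(counter))
```

In the sample no single IP stands out, but one /24 and one user agent do, which is the kind of pattern a firewall rule can match without challenging every visitor.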