My website has been receiving the following attack:
- It’s spread all around the world.
- The IPs are related to home addresses or servers (very little).
- They are Bypassing 5-second challenge.
- They are Bypassing CAPTCHA.
- The attack is reaching over 2k IP Addresses.
- I can’t block countries because it’s so spread and then, my traffic is just spread over the world as well.
I’m quite desperate, I added a rule to CAPTCHA all countries that are generating many requests, but it has no effect.
Then, I also added a rule to captcha those ips that have >= 10 threat score.
Nothing worked in the end.
Just to clarify, my backend only allows requests from Cloudflare and yes, I can see all the requests reflected in the panel (about to surpass 7 million now).