How to block?

My website has been receiving the following attack:

  • It’s spread all around the world.
  • The IPs are related to home addresses or servers (very little).
  • They are Bypassing 5-second challenge.
  • They are Bypassing CAPTCHA.
  • The attack is reaching over 2k IP Addresses.
  • I can’t block countries because it’s so spread and then, my traffic is just spread over the world as well.
    I’m quite desperate, I added a rule to CAPTCHA all countries that are generating many requests, but it has no effect.
    Then, I also added a rule to captcha those ips that have >= 10 threat score.
    Nothing worked in the end.
    Just to clarify, my backend only allows requests from Cloudflare and yes, I can see all the requests reflected in the panel (about to surpass 7 million now).

Can you share the name of the domain?

Attacks stopped right now (attacker stopped), site is up, however is it possible to send you the domain privately? I would not like to send it publicly.

Understood, I just sent you a note and we can communicate there.