I think I found how most our websites getting attacked even from very normal users not from hackers.
I found this application which is very cheap and simulates users from all the world, it is called:
Simple Traffic Bot https://simpletrafficbot.com/
I just contacted the site owner 
Hello,
Does this application really simulates different locations? That’s it will call
the website from different cities all over the world or from cities that I can decide.
I mean in google analytics I will see the users coming from different cities
from different countries?
and he replied immediately with:
Hi
my software use Tor proxies from all the world : https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1
Now we have detected the source of the problem and how it is done.
The question, can we block all these ip’s used by torproject at the link he provided. are these proxies used by some percentage of normal visitors.
What a firewall rule can be used to block these ip’s
Please note I am not advertising for this type of app, I have a business and my comptitors using these tools to attack my website and this is the only reason I joined and used cloudflare but until now cloudflare is unable to block these attacks.
