JS Verify not working

I’m testing Layer 7 security on my website. I created a WAF rule that requires JS verification if requests are made from non-European IPs. The problem is that the site still goes offline with a gratuitous attack, and it seems that the bots are able to bypass the JS verification even though on the “WAF” page I see a PVR of 0%.

I discovered that even if I enable the “I’m under attack” mode and launch a layer 7 attack the attack is not mitigated and my VPS uses 100% of the resources causing the site to crash