Rate limit delay before blocking?

I’ve noticed some instances like this:

The first request at 3:35:53 should have caused a 1 hour block to begin, but 10 seconds later another request comes in. After this, there were 10 more requests from this IP over the following few seconds.

I have two questions:

  1. Does the activity log here continue to show attempts that are happening as part of the 1 hour block? If so, the logging here makes much more sense.
  2. Is there a delay between when a rate limit is reached and when the action (block in this case) is instituted? If multiple requests come in at the “same time”, and the first request trips the rate limit, do the other requests get blocked?

Yes, that’s what it looks like. Rate Limiting cannot stop visitors from making requests, it can only block or challenge them, and every such action is logged in the Security Events panel, as reflected here in the “Action taken” column.

Please see: Rate limiting rules · Cloudflare Web Application Firewall (WAF) docs, from where I quote:

In some situations, there may be a delay (up to a few seconds) between detecting a request and updating internal counters. Due to this delay, excess requests could still reach the origin server before Cloudflare enforces a mitigation action (such as blocking or challenging) in our global network.