Site under DDOS attack, “I'm under attack” mode not working

I have several rules which are set up to present captcha challenges to TOR users (because, currently, Tor nodes are where the vast majority of the attacks are coming from) as well as presenting captcha challenges to nodes in countries that have a high Attack:Legitimate ratio.
These rules are triggering hundreds of thousands of times, but they are doing the “Managed Challenge” routine (which I suspect is JS challenges). This is one of the issues that I don’t get: why is Cloudflare firewall doing “managed” if I have set up the rules for Captcha challenges?
I am on the free plan.

The attacks only concentrate on the root /

These triggers are on my Country-based firewall rule, which is supposed to present captcha challenges, but apparently it is not:

Right now TOR nodes are the major source, but the attacks are dynamic and these can change. They used to come from Cambodia, and China in the last round. The attacks are triggered by a specific person that appears to have software to specify the name of the web site for all of these nodes to attack.

I have currently set security to “Medium” since “Under Attack” mode and “High” do not seem to make any difference in stopping these attacks. I have currently also set up the challenge passage intervals to 1 year to minimize inconvenience, and setting it to shorter intervals does not appear to make a difference (at least not in an immediate sense):

Also here is an excerpt from the server logs during the attack where you can see most of the user agents are Fedora and Ubuntu based. My firewall rules already were set to present captchas for these UAs but Cloudflare is doing “Managed” challenges as mentioned earlier, which may not be captchas. Either way they are sliding through the firewall by the thousands:


```
example.com 5jeeI/qGu/j26W/DoaZpNA - - [28/Dec/2021:19:52:45 +0000] "GET / HTTP/1.1" 302 - "https://www.example.com/" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36" {1453:5256,7593}
example.com UCbmQQCleqPmv1wnbIUKaQ - - [28/Dec/2021:19:52:45 +0000] "GET / HTTP/1.1" 302 - "https://www.example.com/" "Mozilla/5.0 (Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0" {1431:5256,9343}
example.com xFWxpYck80Yap84FbQ3HqA - - [28/Dec/2021:19:52:45 +0000] "GET / HTTP/1.1" 302 - "https://www.example.com/" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36" {1453:5256,9596}
example.com xGxLQJzb+b9swstiD06nAQ - - [28/Dec/2021:19:52:46 +0000] "GET / HTTP/1.1" 302 - "https://www.example.com/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0" {1427:5256,9365}
example.com RJE6vx38xvSQlnafZFPm1Q - - [28/Dec/2021:19:52:45 +0000] "GET / HTTP/1.1" 302 - "https://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0" {1448:5256,1009684}
example.com i0kxQYZXWBtFUH5f8uBs5Q - - [28/Dec/2021:19:52:46 +0000] "GET / HTTP/1.1" 302 - "https://www.example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.2 Safari/605.1.15" {1464:5256,7981}
example.com CWUHpE09r/vWjrBWVz9EHA - - [28/Dec/2021:19:52:46 +0000] "GET / HTTP/1.1" 302 - "https://www.example.com/" "Mozilla/5.0 (Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0" {1414:5256,12272}
example.com E+RbitkaN5FOYwghD+mcwQ - - [28/Dec/2021:19:52:46 +0000] "GET / HTTP/1.1" 302 - "https://www.example.com/" "Mozilla/5.0 (X11; Linux i686; rv:91.0) Gecko/20100101 Firefox/91.0" {1436:5256,7854}
example.com V6JBCjAyZbRnHh11G1azhg - - [28/Dec/2021:19:52:47 +0000] "GET / HTTP/1.1" 302 - "https://www.example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17" {1480:5256,8886}
example.com 4huwxNjPLqZ4MaIZL2fPkw - - [28/Dec/2021:19:52:47 +0000] "GET / HTTP/1.1" 302 - "https://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 12.0; rv:91.0) Gecko/20100101 Firefox/91.0" {1430:5256,8924}
example.com i5SgbHQkcetYXaoHWwaq4Q - - [28/Dec/2021:19:52:47 +0000] "GET / HTTP/1.1" 302 - "https://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_0_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.34" {1504:5256,8519}
example.com G07q3DFD9YgKbTyUuCJ/4g - - [28/Dec/2021:19:52:48 +0000] "GET / HTTP/1.1" 302 - "https://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_0_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Safari/605.1.15" {1469:5256,8743}
example.com 3ENRSlxLUdOiBMtIp3w/Uw - - [28/Dec/2021:19:52:48 +0000] "GET / HTTP/1.1" 302 - "https://www.example.com/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0" {1427:5256,9527}
example.com LZpDZ8yv4C97AcBRIn+V5Q - - [28/Dec/2021:
```

My IP address has never been exposed to the public and I have no reason to believe these are back door attacks (but I suspect by “backdoored” you might be referring to something else).

Thanks!
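
Added example, not part of the original post: a small Python parser for the log layout shown in the excerpt, which counts GET requests to `/` per second and tallies the platform each User-Agent claims, so a rule keyed on specific UA strings can be checked against what the origin actually receives. The sample lines, the placeholder tokens in the second field, and the names `summarise` and `platform` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the excerpt above; the second field is a
# placeholder token. Line 3 has forum-style curly quotes, line 6 is cut short.
SAMPLE = '''\
example.com token-a - - [28/Dec/2021:19:52:45 +0000] "GET / HTTP/1.1" 302 - "https://www.example.com/" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36" {1453:5256,7593}
example.com token-b - - [28/Dec/2021:19:52:45 +0000] "GET / HTTP/1.1" 302 - "https://www.example.com/" "Mozilla/5.0 (Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0" {1431:5256,9343}
example.com token-c - - [28/Dec/2021:19:52:46 +0000] “GET / HTTP/1.1” 302 - “https://www.example.com/” “Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0” {1427:5256,9365}
example.com token-d - - [28/Dec/2021:19:52:46 +0000] "GET / HTTP/1.1" 302 - "https://www.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0" {1448:5256,8924}
example.com token-e - - [28/Dec/2021:19:52:46 +0000] "GET / HTTP/1.1" 302 - "https://www.example.com/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0" {1436:5256,7854}
example.com token-f - - [28/Dec/2021:
'''

# vhost, token, two dashes, [timestamp], "request", status, one more field,
# "referer", "user agent". The trailing {...} field is not explained in the
# post and is ignored here.
LINE = re.compile(
    r'^(?P<host>\S+) (?P<token>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Checked in order, so distro names win over the generic "Linux" token.
PLATFORMS = (('Fedora', 'Fedora'), ('Ubuntu', 'Ubuntu'), ('Windows', 'Windows NT'),
             ('macOS', 'Mac OS X'), ('Linux (other)', 'Linux'))

def platform(ua):
    """Coarse OS label taken from the first parenthesised group of the UA."""
    m = re.search(r'\(([^)]*)\)', ua)
    group = m.group(1) if m else ''
    return next((name for name, needle in PLATFORMS if needle in group), 'other')

def summarise(text, path='/'):
    """Count GET requests to `path` per second and per claimed platform."""
    per_second, platforms, skipped = Counter(), Counter(), 0
    for raw in text.splitlines():
        line = raw.translate({0x201C: '"', 0x201D: '"'})  # undo smart quotes
        m = LINE.match(line)
        if m is None:
            skipped += 1  # truncated or malformed line
        elif m['method'] == 'GET' and m['path'] == path:
            per_second[m['ts']] += 1
            platforms[platform(m['ua'])] += 1
    return {'requests': sum(per_second.values()),
            'peak_per_second': max(per_second.values(), default=0),
            'platforms': dict(platforms), 'skipped': skipped}

if __name__ == '__main__':
    print(summarise(SAMPLE))
```

The User-Agent header is supplied by the client, so the platform tally describes what the requests claim to be, not what actually sent them.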