"Under Attack" page regularly presented, but "Under Attack" mode is not turned on

I have a custom “Under Attack” page, and it contains an AJAX logging call. I see in the log that our “Under Attack” page gets several hits a day, even though I haven’t manually turned on “Under Attack” mode in a long time.

Most of the IPs are from Asian countries.

Does Cloudflare present an “Under Attack” challenge when it thinks it sees a DDoS attack, even when “Under Attack” is turned off? I can find nothing in the documentation about this.


Do you mean the JS-Challenge page? Like this:

And if so, then yes: if Cloudflare believes the request is malicious, then it can present these based on your Firewall mode. I always set mine to “Essentially off”, but I believe the only way to ensure these aren’t shown at all is to turn it to “Off”, which requires an Enterprise subscription.

Thanks for responding.

I don’t know specifically what Cloudflare is showing to the user. I only have my AJAX-generated logs, which show that the “Under Attack” custom page is being shown to users many times a day.

I also have defined a custom page for Challenges, and that gets logged too. There’s much less activity there, maybe every few days, which was surprising to me.

So, I guess Cloudflare is using the “Under Attack” challenge page a lot more than the JS-Challenge page, which is coming as quite a shock. I was really led to believe the “Under Attack” page would only be used when I explicitly turned that mode on. This means my custom “Under Attack” page is worded incorrectly.

Is there any place this particular behavior is documented? I’ve found nothing to support this theory, but the logs don’t lie.

There’s this article

But it doesn’t mention that the “Under Attack” page is different to the JS-Challenge page. I believe they are the exact same thing, perhaps poorly named in the Custom Pages section.

I hope someone from Cloudflare can clarify this for you @stefano1

Thanks. Like all Cloudflare’s documentation, the one you sent suggests “Under Attack” mode is only manually enabled.

The “Under Attack” page is definitely different than the JS-Challenge page. The JS-Challenge page is not customizable, as it doesn’t involve much human interaction (it runs JavaScript to establish that the user is real).

There is a different custom page for the “Basic Challenge” page, versus the “Under Attack” page. However, the “Basic Challenge” page doesn’t seem to be used much.

I’m sure someone at Cloudflare could answer this. I just thought I was missing something obvious, but I should open a ticket.

Thanks again for your detailed responses!

Hey @techteam, do you have any open ticket with us? If yes, could you just drop the number of the ticket here?

In general, when you have an issue, I suggest following our Troubleshooting FAQ here and providing some more context like screenshots; a HAR file demonstrating the issue would also be great.

Make sure to set up your Browser’s Developer tools to “Preserve Logs” when you export HAR.

So from my understanding:

You can always check your FW (firewall) Analytics and get an idea, filter those requests

and then go and get the Activity logs and extract useful info,

You can gather all required information in case you think that something is wrong and attach all info in a ticket.

Let me know if that points in the right direction, or you need more help!

Thank you for all this effort, but I think the original point is being missed. This is a very general question. Why would the custom challenge page for “Under Attack” mode be displayed several times per day, even when “Under Attack” mode is off?

I don’t think perusing the firewall logs is going to help address this. None of the filters in the Firewall activity log seem to mention “Under Attack” mode at all.

Hey @techteam, sorry for the confusion,

The short answer to the initial question is no.

Like I said in my previous reply,

you should be able to check any activity within your Cloudflare dashboard

Do you mind opening a ticket the next time you observe such behaviour so we can check that directly?