Week 5 of full blown DDOSs attacks. What am I doing wrong?

Tedious attack has cost my company thousands of dollars.

Under attack mode enabled, does absolutelynothing.
I have “DDos” set to HIGH and Block, it’s doing absolutely nothing.
I blocked every country except the united states, site is still getting hit by U.S. IP’s, does absolutely nothing.
Rate limit stops the attack but completely breaks the site.

Attached are a couple requests out of sevral million my sites receiving hourly.

What can I attempt to deploy to stop this?

Those requests were blocked by Cloudflare’s DDoS protection.

Did you follow the advice from people in the previous posts you made on this?

Until you give the domain and show the rules you have in place and details of the attack traffic, it’s hard for anyone to give more specific advice than already given.


Block country’s or continents isn’t the solution.

Do you know the attacker is using open proxys or http/2 or http/1.1 connections?

Not true, for example just block 10 requests per 10 seconds during 1 minute and problem will be almost solved

No human or web crawler do requests so fast, just a few false positives.

Just read you said the rate limit breaks your images, so apply this rate limit rule:

If incoming requests match…

Because every image contains a dot extension, name.jpg, name.png, etc everything will work