
What is Cloudflare Under Attack Mode?

Cloudflare Under Attack Mode (UAM) is a heightened security posture that forces every visitor to pass an active JavaScript challenge before reaching the origin server. Designed to mitigate Layer 7 DDoS attacks, it acts as a blunt-force filter against scrapers by returning a 503 Service Unavailable status with an embedded cryptographic puzzle. If your pipeline lacks a full JavaScript execution environment and a pristine browser fingerprint, your requests will stall at the edge.

Layer 7 Mitigation · JS Challenge · cf_clearance · 503 Status · Edge Compute
// 02 — definitions

The blunt-force filter.

When a target flips the UAM switch, passive fingerprinting is no longer enough. You must actively prove your browser's computational legitimacy.


TL;DR

Under Attack Mode intercepts all traffic at the edge, serving a 503 response containing a JavaScript challenge. The client must execute the JS, solve a proof-of-work puzzle, and submit the result to receive a cf_clearance cookie. For scraping pipelines, UAM instantly breaks any HTTP-only fetcher and forces a shift to headless browsers or specialized challenge-solving infrastructure.

01 Definition & structure
Cloudflare Under Attack Mode is a global or path-specific toggle in the Cloudflare dashboard. When active, it bypasses standard firewall rules and forces a 5-second interstitial page (the "checking your browser" screen) on all unauthenticated traffic. It is designed to stop Layer 7 DDoS attacks by ensuring only clients capable of executing JavaScript can reach the origin.
02 How it works in practice
The edge returns a 503 status code with an HTML body containing obfuscated JavaScript. The script profiles the browser environment (canvas, WebGL, navigator properties) and computes a mathematical proof of work. If the result is valid, Cloudflare issues a cf_clearance cookie valid for a set duration. Subsequent requests presenting this cookie bypass the challenge.
03 The computational cost
The challenge is designed to be trivial for a single human user but computationally expensive for a botnet or scraper making thousands of concurrent requests. It forces the attacker to spend CPU cycles, shifting the economic burden of the attack from the server to the client. For scraping pipelines, this drastically increases the infrastructure cost per request.
04 How DataFlirt handles it
We detect the 503 UAM response instantly. Instead of routing the request to a standard HTTP worker, our edge dynamically escalates the session to a lightweight, hardware-backed browser node. The node solves the challenge, extracts the clearance cookie, and downgrades the session back to HTTP for subsequent, high-throughput extraction.
05 The silent failure mode
Many naive scrapers see the 503 status and assume the target server is down, triggering exponential backoff retries. Retrying a UAM 503 without executing the JavaScript just burns proxy bandwidth and guarantees an eventual IP ban. You must parse the response body to differentiate a true origin 503 from a Cloudflare UAM 503.
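
The body check described in 05, as an added example (not DataFlirt's or Cloudflare's code) for a health check or polite client that has to tell a challenge interstitial from a real outage. The body markers come from the trace on this page; the `cf-mitigated` response header is Cloudflare's documented signal and does not appear on the page; function names and sample responses are constructed.

```python
import re

# Body markers taken from the trace on this page.
BODY_MARKERS = (
    re.compile(r"<title>\s*Just a moment", re.I),
    re.compile(r"_cf_chl_opt"),
    re.compile(r"/cdn-cgi/challenge-platform/"),
)

# Constructed sample responses: (status, headers, body).
SAMPLE_CHALLENGE = (503, {"Server": "cloudflare"},
                    "<!DOCTYPE html><title>Just a moment...</title>"
                    "<script>window._cf_chl_opt={};</script>")
SAMPLE_OUTAGE = (503, {"Server": "cloudflare"},
                 "<h1>503 Service Temporarily Unavailable</h1>")


def classify_503(status, headers, body):
    """Return 'not_503', 'challenge' or 'outage' for one HTTP response."""
    if status != 503:
        return "not_503"
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    # cf-mitigated: challenge is Cloudflare's documented header (not on this page).
    if h.get("cf-mitigated") == "challenge":
        return "challenge"
    # Proxied origin errors also carry server: cloudflare, so the header alone
    # proves nothing; require it together with a challenge marker in the body.
    if h.get("server") == "cloudflare" and any(m.search(body or "") for m in BODY_MARKERS):
        return "challenge"
    return "outage"


def retry_plan(kind, attempt, base=2.0, cap=300.0):
    """Back off on a real outage; never retry-loop against a challenge."""
    if kind == "outage":
        return ("retry", min(cap, base * 2 ** attempt))
    if kind == "challenge":
        return ("stop", None)
    return ("ok", None)
```

An uptime monitor can use the same split to report "challenge active" instead of paging for an origin outage.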
// 03 — the challenge math

Calculating the cost of clearance.

UAM shifts the economic burden of traffic from the origin server to the client. DataFlirt models this computational cost to optimize our challenge-solving fleet and maintain pipeline margins.

Clearance validity window: T_valid = cookie_expiry − current_time
Typically 15 to 120 minutes. Throughput must be maximized during this window. (Source: Cloudflare Dashboard Defaults)

CPU cost per solve: C_solve = JS_execution_time × worker_vCPU_rate
Headless execution costs ~14x more than a raw HTTP GET request. (Source: DataFlirt Infrastructure Metrics)

Effective throughput: R_eff = (N_sessions × req_per_clearance) / T_valid
DataFlirt's target metric for maintaining volume on UAM-protected pipelines. (Source: Internal SLO)
// 04 — the edge exchange

Negotiating the 503 interstitial.

A trace of a DataFlirt worker encountering UAM, escalating to a browser context, solving the proof-of-work, and securing the clearance cookie.

503 Service Unavailable · JS Execution · cf_clearance
// initial HTTP GET
GET /category/electronics HTTP/2
status: 503 Service Temporarily Unavailable
server: cloudflare
body: "<!DOCTYPE html>...<title>Just a moment...</title>..."

// UAM detected -> escalating to browser node
node.provision: hardware-backed Chrome 124
js.execute: _cf_chl_opt; setTimeout(function(){...}, 5000);
pow.compute: solving cryptographic puzzle...
pow.result: 0x8f7a2b9c

// submitting solution
POST /cdn-cgi/challenge-platform/h/g/flow/ov1/
status: 200 OK
set-cookie: cf_clearance=t8a...; Max-Age=1800; HttpOnly; Secure

// downgrading to HTTP worker for extraction
GET /category/electronics HTTP/2
cookie: cf_clearance=t8a...
status: 200 OK // origin reached
// 05 — failure modes

Why UAM breaks standard pipelines.

Under Attack Mode is a blunt instrument, but it effectively neutralizes 90% of off-the-shelf scraping tools. Here is where pipelines typically fail when UAM is activated.

UAM encounters: 1.2M/day
Solve rate: 99.4%
Avg solve time: 5.2s

01 Lack of JS execution
94% of failures · HTTP-only clients cannot solve the puzzle

02 Fingerprint mismatch
82% of failures · Headless Chrome detected during JS profiling

03 IP reputation blocks
65% of failures · Datacenter IPs given impossible challenges

04 Cookie mismanagement
41% of failures · Failing to pass cf_clearance downstream

05 Timeout thresholds
28% of failures · Scraper aborts before the 5s delay completes
// 06 — our architecture

Dynamic escalation, solving challenges only when necessary.

Running a full browser for every request is economically unviable. DataFlirt uses a dynamic escalation architecture. We default to high-speed HTTP workers. When a 503 UAM response is detected, the session is instantly paused, handed off to a hardware-backed browser node to solve the challenge, and then handed back to the HTTP worker with the cf_clearance cookie attached. This gives you the bypass capability of a real browser with the throughput and cost-efficiency of a raw HTTP pipeline.

UAM Escalation Trace

Live metrics from a session navigating a UAM-protected target.

session.id: uam-esc-8842
initial.status: 503 Service Unavailable
escalation.node: chrome-hw-pool-04
challenge.solve_time: 5.12s
cookie.cf_clearance: acquired
cookie.ttl: 1800s
subsequent.reqs: routed via HTTP


// 07 — FAQ

Common questions.

Common questions about Cloudflare's Under Attack Mode, challenge solving, and maintaining throughput during DDoS mitigation events.

Is it legal to bypass Cloudflare Under Attack Mode?
Bypassing UAM to access public data is generally treated the same as standard web scraping under laws like the CFAA in the US. UAM is a traffic management tool, not an authentication gate. However, aggressively hammering a site that is actively under a DDoS attack can cross the line into disruption of service. We throttle our concurrency during UAM events to ensure we don't contribute to origin strain.
Can I solve UAM with Puppeteer or Playwright?
Out of the box, no. Cloudflare's JS challenge profiles the browser environment. Standard Puppeteer leaks dozens of headless indicators (like navigator.webdriver). You need heavily modified browser environments, residential proxies, and perfect TLS fingerprints to consistently pass the challenge.
Why do I get a CAPTCHA instead of a JS challenge?
UAM dynamically adjusts its friction based on your IP reputation and browser fingerprint. If your proxy is flagged or your fingerprint is highly anomalous, Cloudflare escalates from a silent JS challenge (managed challenge) to an interactive CAPTCHA (Turnstile or hCaptcha) that requires human-like interaction.
How long does the cf_clearance cookie last?
It depends on the target's Cloudflare configuration. The default is 30 minutes, but administrators can set it anywhere from 15 minutes to 1 year. Once acquired, you must attach this cookie—along with the exact User-Agent used to solve the challenge—to all subsequent requests.
How does DataFlirt maintain throughput when UAM is active?
We decouple challenge solving from data extraction. A dedicated pool of browser nodes continuously harvests and refreshes cf_clearance cookies. Our high-speed HTTP workers check out these cookies from a central state store, allowing them to scrape at thousands of requests per second without ever executing JavaScript.
Does UAM block API endpoints as well as HTML pages?
Yes. When UAM is enabled globally, it applies to all routes, including JSON APIs. This is why mobile apps often break during UAM events. To scrape an API under UAM, you must first solve the challenge on an HTML endpoint to get the clearance cookie, then pass that cookie in your API request headers.
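
Seen from the defending side, the cookie-pool pattern in the throughput answer above leaves a trace in request logs: one clearance value presented from many client IPs at a high rate. The following is an added example, not DataFlirt's or Cloudflare's code; the record layout, the hashed `clearance_id` field and the thresholds are assumptions, and the sample records are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample records: (unix_ts, clearance_id, client_ip).
# clearance_id is assumed to be a salted hash of the cf_clearance value,
# so the raw cookie never lands in logs. IPs are documentation ranges.
SAMPLE = (
    [(1000 + i * 12, "c-human", "198.51.100.7") for i in range(5)]
    + [(2000 + i % 10, "c-pool", f"203.0.113.{i % 6 + 1}") for i in range(240)]
    + [(3000, None, "192.0.2.9")]  # request without a clearance cookie
)


def flag_shared_clearance(records, max_ips=3, max_per_window=100, window_s=10):
    """Flag clearance ids used from too many IPs or at too high a rate.

    Thresholds are illustrative assumptions; tune them on real traffic,
    since mobile clients legitimately change IP now and then.
    """
    ips = defaultdict(set)           # clearance_id -> distinct client IPs
    buckets = defaultdict(Counter)   # clearance_id -> requests per time bucket
    for ts, cid, ip in records:
        if not cid:
            continue
        ips[cid].add(ip)
        buckets[cid][int(ts) // window_s] += 1

    flagged = {}
    for cid, seen in ips.items():
        peak = max(buckets[cid].values())
        reasons = []
        if len(seen) > max_ips:
            reasons.append("many_client_ips")
        if peak > max_per_window:
            reasons.append("burst_rate")
        if reasons:
            flagged[cid] = {"client_ips": len(seen), "peak": peak,
                            "reasons": reasons}
    return flagged
```

Flagged ids are candidates for a shorter clearance lifetime or a fresh challenge, not proof of abuse on their own.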

hello@dataflirt.com  ·  Bengaluru  ·  IST  ·  typical reply < 4h