Why challenged DDoS requests count as Edge Requests on Vercel Pro Plan

Hello, so recently I’ve been getting crazy attacks on my website from a lot of IPs, averaging over 200M up to 10B requests at once. All of them got challenged instead of being blocked, even though I have Bot Protection enabled.

Problem

The attackers were not attacking my actual website itself or the API; they were attacking my /avatar.jpg path, which is a file in my public folder used for default user headshot avatars.

Current Behavior

  • These attacks wasted my Edge Requests quota.
  • I manually created rules to Deny an IP instead of Challenging it, but it still seems to be charging me.
  • One IP accumulated around 5B requests in an hour.
  • In the last 6 hours, I have 1.1M Edge Requests from the attacks again.
  • Even if they are challenged, the Edge Request still counts and they aren’t being blocked for some reason.
  • I have Bot Protection set to Deny, and I am on the $20 Pro Plan.

Impact

From my 10M Edge Requests limit, 4.4M is already used. Legitimately, my website would barely have a few thousand Edge Requests per day. Ever since these non-stop attacks, my usage grows to 500K per day! Soon Vercel will start charging me for unnecessary, illegitimate requests that they claim to have “blocked” or “challenged.”

I have to manually add over 50 IPs in the IP block rule just to prevent this, then the attackers come in from a different source.

Questions

  1. What is there to do? My website has not lagged, but it’s going to make me get overcharged for bots.
  2. I do not have the paid OWASP rules, and I can’t even make a rate-limit rule without it asking for $0.50 per 1M requests.
  3. If my website gets hit again with 10B requests, do I just pay $5000 because of it?

The attack just now dropped around 10:30 AM my time (GMT+2), from 45K requests per hour to 3K, then 1K (around my normal count, but still too high).

This large attack has been ongoing for days. Turning on I’m Under Attack mode didn’t solve the issue; they never stopped, only recently. While it was enabled, it kind of worked and did not make it really use my Edge Requests. It’d be great if someone would really help me out.

I would really need a staff member to help me out, please. Thank you.

Hey, thanks for the detail!

You’re right that challenged requests from Bot Protection do count toward your Edge Request usage. This is because the challenge itself requires serving a response. However, there are ways to better protect yourself:

  • Keep Attack Challenge Mode enabled as this provides the strongest protection and blocked requests don’t count toward usage

  • Use Custom WAF Rules to DENY (not challenge) traffic from specific patterns: block the /avatar.jpg path entirely if possible, JA4 fingerprinting to block bot patterns and set up geographic blocking if attacks come from specific regions.

  • You should also turn on Spend Management to set hard limits and prevent unexpected charges.

I need the /avatar.jpg path, and I don’t see the option to include JA4 fingerprint in the blocking or whatever. And my spend management has been automatically turned on after the attack started. This doesn’t really help me, and it’s not the solution.

The attacks are still continuing from a lot of different IPs even after turning on I’m Under Attack mode, same path “/avatar.jpg”.

This might be helpful to deny that path?

Here’s what I recommend:

  1. Go to your project’s Firewall settings

  2. Create a Custom WAF Rule with these conditions:

    • Path equals /avatar.jpg
    • AND one of these patterns that distinguish bots:
      • Missing common headers (like Accept-Language, Accept-Encoding)
      • Suspicious User-Agent patterns
      • Request rate > X per minute from same IP
    • Action: DENY (not challenge)
  3. Monitor your Edge Request logs to identify patterns unique to the attackers

DENIED requests are free, CHALLENGED requests cost money. Focus on denial rules rather than challenges.

Does that help?
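The rule suggested in that reply (path equals /avatar.jpg AND missing common headers OR too many requests per minute from one IP, action DENY), modelled as an added example over constructed request records; this is not Vercel’s or the poster’s code, and the 60/minute threshold, the header set and the record format are assumptions:

```python
from collections import defaultdict

# "X per minute" from the rule; 60 is a constructed assumption, not a Vercel default.
RATE_LIMIT_PER_MIN = 60
REQUIRED_HEADERS = {"accept-language", "accept-encoding"}
PROTECTED_PATH = "/avatar.jpg"

def make_request(ts, ip, path, headers):
    # Header names are lower-cased so the check is case-insensitive.
    return {"ts": ts, "ip": ip, "path": path, "headers": {h.lower() for h in headers}}

# Constructed sample traffic (not real logs); timestamps are truncated to the minute.
BROWSER = ["User-Agent", "Accept-Language", "Accept-Encoding"]
SAMPLE_LOG = (
    # bot A: hits /avatar.jpg with no Accept-Language / Accept-Encoding at all
    [make_request("10:30", "203.0.113.5", PROTECTED_PATH, ["User-Agent"]) for _ in range(3)]
    # bot B: well-formed headers but 65 requests in one minute from a single IP
    + [make_request("10:30", "198.51.100.7", PROTECTED_PATH, BROWSER) for _ in range(65)]
    # legitimate visitor: one page view plus two avatar loads
    + [make_request("10:31", "192.0.2.9", "/", BROWSER)]
    + [make_request("10:31", "192.0.2.9", PROTECTED_PATH, BROWSER) for _ in range(2)]
)

def decide(req, counter):
    """Return 'deny' or 'allow' for one request, mirroring the suggested WAF rule."""
    if req["path"] != PROTECTED_PATH:
        return "allow"                      # rule only targets the attacked path
    key = (req["ip"], req["ts"])            # per-IP, per-minute bucket
    counter[key] += 1
    missing_headers = not REQUIRED_HEADERS <= req["headers"]
    over_rate = counter[key] > RATE_LIMIT_PER_MIN
    return "deny" if (missing_headers or over_rate) else "allow"

def evaluate(log):
    """Tally verdicts; the 'deny' bucket is traffic that would not count toward usage."""
    counter = defaultdict(int)
    verdicts = {"allow": 0, "deny": 0}
    for req in log:
        verdicts[decide(req, counter)] += 1
    return verdicts

if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG))  # {'allow': 63, 'deny': 8}
```

Bot A is caught by the header condition and bot B only once it exceeds the per-minute threshold, so the first 60 of its requests still pass; a lower threshold trades that leakage against the risk of denying a busy legitimate client.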

I’m gonna get rid of the avatar.jpg file simply so my Edge Request quota doesn’t increase again, which it probably will when the attackers find out I got rid of the file. Watch my website’s deployment get paused in a few days because of this stupid quota thing, and it’s not me that was challenging the requests; it’s Vercel’s bot protection feature or whatever.

Literally with the Vercel dashboard and the fact I only have the Pro plan, I cannot even see the headers or whatever the requests are being done with; I can’t see anything or do anything. You guys just want money, for everything. I can’t do anything without it asking me for money.

I’m sorry you feel this way. Let me send you a DM 🙂

Solution summary

To resolve this, the user should implement Custom WAF Rules with a DENY action rather than a challenge, as denied traffic does not count toward Edge Request usage. For immediate mitigation during an active attack, enabling Vercel’s “Attack Challenge Mode” provides high-level protection where blocked requests are also excluded from usage billing.