
# Why challenged DDoS requests count as Edge Requests on Vercel Pro Plan



Sturmgeisty (@sturmgeisty) · 2026-04-08

Hello, so recently I’ve been getting crazy attacks on my website from a lot of IPs, averaging over 200M up to 10B requests at once. All of them got challenged instead of being blocked, even though I have **Bot Protection** enabled.

## Problem
The attackers were not attacking my actual website itself or the API; they were attacking my `/avatar.jpg` path, which is a file in my `public` folder used for default user headshot avatars.

## Current Behavior
- These attacks wasted my `Edge Requests` quota.
- I manually created rules to **Deny** an IP instead of **Challenging** it, but it still seems to be charging me.
- One IP accumulated around 5B requests in an hour.
- In the last 6 hours, I have 1.1M `Edge Requests` from the attacks again.
- Even if they are challenged, the `Edge Request` still counts and they aren’t being blocked for some reason.
- I have **Bot Protection** set to **Deny**, and I am on the $20 **Pro Plan**.

## Impact
From my 10M `Edge Requests` limit, 4.4M is already used. Legitimately, my website would barely have a few thousand `Edge Requests` per day. Ever since these non-stop attacks, my usage grows to 500K per day! Soon Vercel will start charging me for unnecessary, illegitimate requests that they claim to have "blocked" or "challenged."

I have to manually add over 50 IPs in the IP block rule just to prevent this, then the attackers come in from a different source. 

## Questions
1. What is there to do? My website has not lagged, but it’s going to make me get overcharged for bots.
2. I do not have the paid **OWASP** rules, and I can’t even make a rate-limit rule without it asking for $0.50 per 1M requests.
3. If my website gets hit again with 10B requests, do I just pay $5000 because of it?

The attack just now dropped around 10:30 AM my time (`GMT+2`), from 45K requests per hour to 3K, then 1K (around my normal count, but still too high).

![chrome_bmpSUDHsyi](https://global.discourse-cdn.com/vercel/original/3X/8/b/8b71370f1b315f7b0c86a3041361afbefff3074c.png)

![chrome_9V0HrA8zfZ](https://global.discourse-cdn.com/vercel/original/3X/f/3/f36aaa8ce344b60478663ce38e000cd7c1001b21.png)

This large attack has been ongoing for days. Turning on **I'm Under Attack** mode didn’t solve the issue; they never stopped, only recently. While it was enabled, it kind of worked and did not make it really use my `Edge Requests`. It’d be great if someone would really help me out.


Sturmgeisty (@sturmgeisty) · 2026-04-08

I would really need a staff member to help me out, please. Thank you.


Pauline P. Narvas (@pawlean) · 2026-04-08

Hey, thanks for the detail!

You're right that challenged requests from Bot Protection do count toward your Edge Request usage. This is because the challenge itself requires serving a response. However, there are ways to better protect yourself:

- Keep [Attack Challenge Mode](http://vercel.com/docs/vercel-firewall/attack-challenge-mode) enabled, as this provides the strongest protection and blocked requests don't count toward usage.
- Use Custom WAF Rules to DENY (not challenge) traffic from specific patterns: block the `/avatar.jpg` path entirely if possible, use JA4 fingerprinting to block bot patterns, and set up geographic blocking if attacks come from specific regions.
- You should also turn on [Spend Management](http://vercel.com/docs/spend-management) to set hard limits and prevent unexpected charges.


Sturmgeisty (@sturmgeisty) · 2026-04-08

I need the `/avatar.jpg` path, and I don’t see the option to include JA4 fingerprint in the blocking or whatever. And my spend management has been automatically turned on after the attack started. This doesn’t really help me and it’s not the solution.


Sturmgeisty (@sturmgeisty) · 2026-04-08

The attacks are still continuing from a lot of different IPs, even after turning on I’m Under Attack mode, same path `/avatar.jpg`.


Pauline P. Narvas (@pawlean) · 2026-04-08

https://vercel.com/kb/guide/deny-traffic-from-a-set-of-ip-addresses

This might be helpful to deny that path?


Pauline P. Narvas (@pawlean) · 2026-04-08

Here's what I recommend:

1. Go to your project's Firewall settings.
2. Create a Custom WAF Rule with these conditions:
   - Path equals `/avatar.jpg`
   - AND one of these patterns that distinguish bots:
     - Missing common headers (like `Accept-Language`, `Accept-Encoding`)
     - Suspicious User-Agent patterns
     - Request rate > X per minute from same IP
   - Action: DENY (not challenge)
3. Monitor your Edge Request logs to identify patterns unique to the attackers.

DENIED requests are free; CHALLENGED requests cost money. Focus on denial rules rather than challenges.

Does that help?
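
One way to carry out the log-monitoring step and find conditions for a DENY rule, added here as an example that is not part of the original post and is not Vercel code. The record fields (`ip`, `ts`, `path`, `headers`), the `sample-bot/1.0` User-Agent and the threshold are constructed assumptions; the sketch groups requests by client traits instead of by IP, since the thread reports the source IPs keep changing.

```javascript
// Constructed sample records. Field names (ip, ts, path, headers) are
// assumptions, not Vercel's log schema; map your own log export onto them.
const browser = { "User-Agent": "Mozilla/5.0 (sample browser)",
  "Accept-Language": "en-US", "Accept-Encoding": "gzip, br" };
const sampleLogs = [
  ...["203.0.113.10", "203.0.113.11", "198.51.100.7"].flatMap((ip) =>
    Array.from({ length: 4 }, (_, i) => ({
      ip, ts: `2026-04-08T08:00:0${i}Z`, path: "/avatar.jpg",
      headers: { "User-Agent": "sample-bot/1.0" },
    }))),
  { ip: "192.0.2.44", ts: "2026-04-08T08:00:05Z", path: "/avatar.jpg", headers: browser },
  { ip: "192.0.2.44", ts: "2026-04-08T08:00:06Z", path: "/", headers: browser },
];

const EXPECTED_HEADERS = ["accept-language", "accept-encoding"];

// Group requests to one path by client traits rather than by IP, because
// the source IPs rotate while the User-Agent and header set often do not.
function profileTraffic(logs, { path, maxPerMinute }) {
  const groups = new Map();
  for (const r of logs) {
    if (r.path !== path) continue;
    const h = Object.fromEntries(
      Object.entries(r.headers).map(([k, v]) => [k.toLowerCase(), v]));
    const missing = EXPECTED_HEADERS.filter((name) => !h[name]);
    const userAgent = h["user-agent"] || "(none)";
    const key = `${userAgent}|${missing.join(",")}`;
    if (!groups.has(key)) {
      groups.set(key, { userAgent, missing, requests: 0, ips: new Set(), perMinute: new Map() });
    }
    const g = groups.get(key);
    g.requests += 1;
    g.ips.add(r.ip);
    const bucket = `${r.ip}@${r.ts.slice(0, 16)}`; // one counter per IP per minute
    g.perMinute.set(bucket, (g.perMinute.get(bucket) || 0) + 1);
  }
  return [...groups.values()].map((g) => {
    const peakPerMinute = Math.max(...g.perMinute.values());
    return {
      userAgent: g.userAgent, missing: g.missing, requests: g.requests,
      distinctIps: g.ips.size, peakPerMinute,
      // Same shape as the rule in the post: path AND (missing headers OR high rate).
      denyCandidate: g.missing.length > 0 || peakPerMinute > maxPerMinute,
    };
  }).sort((a, b) => b.requests - a.requests);
}

console.table(profileTraffic(sampleLogs, { path: "/avatar.jpg", maxPerMinute: 3 }));
```

A group flagged only for missing headers should be checked against known-good clients before it becomes a DENY condition, since some legitimate tools also omit them.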


Sturmgeisty (@sturmgeisty) · 2026-04-08

I’m gonna get rid of the avatar.jpg file simply so my edge request quota doesn’t increase again, which it probably will when the attackers find out I got rid of the file. Watch my website’s deployment get paused in a few days because of this stupid quota thing, and it’s not me that was challenging the requests, it’s Vercel’s bot protection feature or whatever.


Sturmgeisty (@sturmgeisty) · 2026-04-08

Literally, with the Vercel dashboard and the fact I only have the Pro plan, I cannot even see the headers or whatever the requests are being done with. I can’t see anything or do anything. You guys just want money, for everything. I can’t do anything without it asking me for money.


Pauline P. Narvas (@pawlean) · 2026-04-08

I'm sorry you feel this way. Let me send you a DM 🙂


Community Backoffice (@community-backoffice) · 2026-04-08

## Solution summary

To resolve this, the user should implement Custom WAF Rules with a `DENY` action rather than a challenge, as denied traffic does not count toward Edge Request usage. For immediate mitigation during an active attack, enabling Vercel's "Attack Challenge Mode" provides high-level protection where blocked requests are also excluded from usage billing.