It's kind of like a captcha for browsers. It proves that Javascript is working in the client (a legit browser or sophisticated bot), and it also slows down the traffic. If your client hits the server before the timer is out, you must be a bot.

Nice.

ugh, does this mean I have to allow javascript here from now on?

Only until the DDoS is over, it's a temporary measure to protect against it.

Was worried something weird was happening on my phone but glad this is just a cloudfare thing!!