CloudFlare != DDoS protection.
It's unfortunately not a uncommon misconception and it actually goes for all the CDN's really.
So people can have a more in-depth analysis of why CloudFlare isn't a true DDoS protection by default and not comparable to hw based equipment at any time:
1.) To kick it off, the free version offers 0.0% DDoS mitigation. You have to look at the business class as an entry-level to be eligible for their DDoS protection.
2.) Even with the DDoS protection, you are facing multiple problems:
1.) CloudFlare only mitigates attacks that come through their IP's, as such:
2.)
If the real IP of the server is discovered, CloudFlare is taken out of the equation = no protection. 3.) By default, a CloudFlare setup makes it childs play to get the real IP = See 2.2
4.) By using CloudFlare, even while you took some steps to ensure the real IP cannot be found easily, you are still only protected for the http front-end. Attacker signing up at forum: get welcome email = hello real IP! == See 2.2
5.) Unfortunately, sometimes CloudFlare passes along your real IP for DMCA purposes; whether the requests are legit or not, making you end up at: See 2.2.
That means that in order to get any protection from CloudFlare at all you:
1.) Cannot use the free version, at least the entry business model is mandatory
2.) Need to take multiple steps, both on cloudflare as on the server, to make sure the IP will be far more difficult to obtain than usual (And that doesn't even include old historical records that can be found on the internet...) though I don't dare say it's 100%, it's not unheard off that it's been found regardless.
3.) Can no longer use your own server(s) to send out email; it must be loaded off to a third party or server on another range. (Depending on the volume, that may again also imply extra costs.)
4.) For protections sake, using easy subdomains to connect to stuff like FTP will be out of the question. (Though not really problematic...)
And last but not least, 5.) See previous list, point 2.2
On a sidenote, keep in mind that SSL needs some changing around as well and requires the use of CloudFlare as "Man in the Middle" for your encrypted traffic to pass through. Naturally, connecting directly to the servers SSL will result in: see previous list, point 2.2.
Real DDoS protection cannot be offered for free nor is CloudFlare a true anti-DDoS mechanism that can be compared to hardware + network level equipment, it will mitigate it yes but ways that can take CloudFlare out of the equation make you end up with no protection and thus losing your money and uptime regardless if that situation occurs.
True DDoS protection, for as far as that's possible and usually also limited to x amount of gbps and/or packets per second to be mitigated, will not cost you less than $1000 USD per month per server and even that is actually acceptably cheap. For example if you intend to block a 10Gbit/sec attack, don't expect to be done with a mere $1k a month. On top of it all, one might still be charged for some, and sometimes even all, traffic that is generated...
In conclusion, while CloudFlare's paid version may help after making multiple rather aggressive changes to the server setup and making damn sure you change CloudFlare's default setup and may do it's job well, especially for the prices, the guarantees you have are absolutely zero point zero. (Get what you pay for (TM))
It all boils down to the IP, if that has once been found; moving to a whole new set is mandatory and naturally figuring out how they obtained it is, otherwise you can keep playing hide and seek forever.
