
CF's single biggest piece of leverage on L7 DDoS is that once a node in a botnet attacks one of their properties, it usually can’t be used to attack any others for a substantial duration. Botnets rely on being retasked frequently so this dramatically reduces their effectiveness. Volumetric DDoS is even worse: you need to have the peering relationships and hardware to handle Tbps of traffic to an IP you announce. Doing either of these in your own infra is not feasible if you’re much smaller than a hyperscaler.
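
The comment above credits cross-property reputation for blunting botnet retasking. The sketch below is an added illustration, not part of the comment and not Cloudflare's implementation: it compares a reputation store shared by two sites with one kept per site. All class names, limits, durations and source addresses are constructed assumptions.

```python
from collections import defaultdict, deque

class Reputation:
    """Sources flagged as attacking, each with an expiry time (hypothetical model)."""
    def __init__(self, block_seconds):
        self.block_seconds = block_seconds
        self.expiry = {}                      # ip -> time at which the block lifts

    def flag(self, ip, now):
        self.expiry[ip] = now + self.block_seconds

    def blocked(self, ip, now):
        return self.expiry.get(ip, 0) > now

class Property:
    """One protected site with a per-source sliding-window request limit."""
    def __init__(self, reputation, limit=100, window=10.0):
        self.reputation, self.limit, self.window = reputation, limit, window
        self.hits = defaultdict(deque)        # ip -> timestamps of recent requests

    def handle(self, ip, now):
        if self.reputation.blocked(ip, now):
            return False                      # dropped before reaching the origin
        q = self.hits[ip]
        while q and q[0] <= now - self.window:
            q.popleft()                       # forget requests outside the window
        q.append(now)
        if len(q) > self.limit:
            self.reputation.flag(ip, now)     # attack detected on this property
            return False
        return True

def retask(shared, bots=50, per_bot=500, block_seconds=3600):
    """Bots flood site A, then are retasked to site B; return requests B serves."""
    rep_a = Reputation(block_seconds)
    rep_b = rep_a if shared else Reputation(block_seconds)
    ips = [f"198.51.100.{i}" for i in range(1, bots + 1)]  # constructed, TEST-NET-2
    now, served = 0.0, 0
    for site in (Property(rep_a), Property(rep_b)):
        served = 0                            # only the last site's count is returned
        for ip in ips:
            for _ in range(per_bot):
                now += 0.001                  # simulated clock, 1 ms per request
                served += site.handle(ip, now)
    return served
```

With a shared store, site B serves nothing from the retasked bots for the block duration; with per-site stores, every bot gets its full allowance again before B detects it.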


Right, CF (along with Google and Meta) is already servicing double-digit percentages of the world's traffic so it can absorb whatever packets you can toss at it. On the other hand, I suspect most services are going to fall over at L7 first due to common patterns like pre-forked ruby/python servers that struggle to process more than 1k qps per node, unauthenticated user actions putting load on hard-to-scale resources like RDBMS, next to no load shedding designed into the system, etc.


That wouldn't be a DDoS, just flaky rate limiting.



