Simple: Connect larger NICs and do "dumb" DDoS filtering at your fattest point.
Consider an HTTP daemon serving static content on a physical server. If that physical server has a 10Gig NIC it will withstand 90%[0] of the real-world DDoS attacks which would affect the same server with a 1Gig NIC.
"Dumb" DDoS filtering means blocking UDP and SYN floods, and other simple attacks. Your goal is essentially to block traffic which could be spoofed, making your downstream traffic somewhat attributable. Many ISPs provide functions like this, and it is not nearly as complicated or invasive as letting Cloudflare MITM every bit of your traffic.
Any effort past that point should just be made in caching static assets, and optimizing dynamic pages. If your website uses sessions, you can implement basic rate controls very easily. No WAF required!
[0]: I made it up
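The "basic rate controls" the comment mentions for a site that already has sessions can be a per-session token bucket in front of the application, so no WAF is involved. The following is an added example written for this thread, not code from the commenter: it assumes a WSGI application, a session cookie named `sessionid` (hypothetical name), and falls back to the client address only for requests that carry no session. The `FakeClock` and `simulate` scenario are constructed so the behaviour can be checked offline.

```python
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie


@dataclass
class _Bucket:
    tokens: float  # credits currently available for this key
    last: float    # clock reading at the last refill


class SessionRateLimiter:
    """Token bucket per key: `rate` requests/second sustained, up to `burst` at once."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = float(rate), float(burst), clock
        self._buckets = {}

    def allow(self, key):
        now = self.clock()
        b = self._buckets.get(key)
        if b is None:
            # A new key starts with a full bucket so a normal first page load passes.
            b = self._buckets[key] = _Bucket(tokens=self.burst, last=now)
        # Refill proportionally to elapsed time, capped at the burst size.
        b.tokens = min(self.burst, b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def prune(self, max_idle):
        """Drop buckets idle longer than max_idle seconds; returns how many were removed."""
        now = self.clock()
        stale = [k for k, b in self._buckets.items() if now - b.last > max_idle]
        for k in stale:
            del self._buckets[k]
        return len(stale)


def request_key(environ, cookie_name="sessionid"):
    """Prefer the session cookie; fall back to the client address for sessionless requests."""
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    if cookie_name in cookies and cookies[cookie_name].value:
        return "sess:" + cookies[cookie_name].value
    return "ip:" + environ.get("REMOTE_ADDR", "unknown")


def rate_limit_middleware(app, limiter, cookie_name="sessionid"):
    """WSGI wrapper: answer 429 when the request's bucket is empty, else pass through."""

    def wrapped(environ, start_response):
        if not limiter.allow(request_key(environ, cookie_name)):
            start_response("429 Too Many Requests",
                           [("Content-Type", "text/plain"), ("Retry-After", "1")])
            return [b"slow down\n"]
        return app(environ, start_response)

    return wrapped


class FakeClock:
    """Deterministic clock for tests (constructed; not used in production)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate(requests_at_t0, advance_seconds, requests_after):
    """Constructed scenario: one session sends a burst now, then more after a pause.

    Returns (allowed_in_first_burst, allowed_after_pause) for rate=2/s, burst=5.
    """
    clock = FakeClock()
    lim = SessionRateLimiter(rate=2, burst=5, clock=clock)
    key = "sess:abc123"
    first = sum(lim.allow(key) for _ in range(requests_at_t0))
    clock.t += advance_seconds
    second = sum(lim.allow(key) for _ in range(requests_after))
    return first, second


if __name__ == "__main__":
    print(simulate(10, 1.0, 3))  # burst of 10 -> 5 pass; after 1 s, 2 more pass
```

Keying on the session rather than the source address is what makes this cheap to get right: NAT and carrier-grade NAT put many legitimate users behind one address, while a session cookie is issued per client by the application itself. Requests without a session still go through the address fallback, and the unattributable, spoofable traffic (UDP and SYN floods) never reaches this layer because it is dropped upstream as the comment describes.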
> I made it up
I appreciate the honesty, at least
This conclusion stems from the fact that it is much easier to launch a DDoS from a single server w/ spoofed traffic than to use a botnet. If you have a single 10Gig server, you will likely not be able to take down another 10Gig server unless the target is already doing near 1gbps[0]. I believe most "noise" DDoS which affects random website operators is considerably less than 10Gbps, and pretty much every giant attack uses spoofed traffic which can be blocked upstream without a WAF. So long as your upstream is big enough.
[0]: I made it up, again.
DDoS is distributed denial of service. It isn't coming from one server. It's now trivial to buy 100 Gbps or more of DDoS so sites would need 400G or more to simply eat it.
If you have a single server flooding spoofed traffic, it appears as a DDoS to the victim. It's at this point that the distinction between DoS/DDoS breaks down slightly.
It is very much not "trivial" to buy 100Gbps+ of DDoS. I'm highly confident the majority of D/DoS attacks are from single servers, because it works. If you have a 10Gbit server and your target has 1Gbit (or you 1Gbit and them 100Mbit, it still happens), it's not a question of if you can take the target down, but how long you can sustain that traffic level before your upstream notices.
Painting every D/DoS as the most bandwidth ever is a play out of Cloudflare's marketing. If every website operator knew that (1) you don't need that much bigger of a pipe, and (2) you shouldn't buy pipes that charge you $20+/TB like AWS anyway, then Cloudflare would have a much harder time selling you a downgrade in quality, and we would have faster and cheaper networks to boot.