cloudflare

  1. Block external traffic to your server (outside Cloudflare)
  2. Create a WAF rule to block countries that are not the main source of your traffic, e.g.: China, Russia, Singapore, Korea, Pakistan, India
  3. Adjust the rate limit. You can do it through the NGINX configuration, but on Cloudflare 1 rule is free
  4. Configure more aggressive caching on static pages
  5. Examine the logs. Stressers/booters usually send a query like “i=XXXX” or similar in the URL to bypass the cache; check for it and block it through Cloudflare’s WAF. It will probably take a while for that to change, and in the meantime you can breathe
  6. Block ASNs that are part of many attacks, such as AWS, DigitalOcean, Hetzner, Contabo, AT&T, Datacamp, Leaseweb, Quadranet, OVH, ColoCrossing (it was one of the solutions I used to solve it)

Here are my WAF rules:

  1. JS Challenge
(ip.geoip.country in {"AL" "AD" "AM" "BY" "BF" "BI" "CN" "FJ" "GF" "GT" "GY" "HT" "HN" "HK" "KP" "KR" "MO" "MW" "MY" "RU" "SG" "SR" "VE" "VN"}) or (cf.threat_score gt 70) or (http.user_agent contains "curl") or (http.user_agent contains "python") or (http.user_agent contains "Go-http-client")
  2. Block
(ip.geoip.asnum in {24940 26347 43350 7018 58111 8075 47583 16628 205016 31898 45102 204548 46562 35320 54483 398101 27715 202269 32329 7489 8100 46606 40021 21887 12876 22394 25820 208226 13213 35612 38365 45090 17816 22773 4812 7849 14618 26496 13287 132203 14103 27967 1759 41508 8972 35916 60781 2152 29066 1239 24961 7162 395336 39378 266400 64200 210558 399486 198605 28539 212238 272043 14576 56655 9152 9050 8953 265919 47583 263093 27715 7162 46407 60068 40676 199524 212238 60068 210630 53667 132203 45090 137876 133478 23033 27176 20278 397966 49157 11989 52468 174 1239 58212 20473 6939 16276 6147 6057 3352 397630 5089 7018 20115 701 18779 5650 209 395954 8560 398101 26496 26347 12876 46261 20773 21859 25780 29802 30083 32097 32475 33070 33182 33387 36024 36351 36352 42473 46475 46664 49544 52219 53559 55933 62567 63473 63949 136258 202053 203629 24549 200019 8851 28753 21559 9009 42675 62240 11427 265613 25369 42624 26548}) or (ip.geoip.continent in {"T1"}) or (ip.geoip.country in {"BY" "BA" "BG" "CN" "CY" "SV" "FK" "FO" "GL" "HN" "HU" "JE" "JO" "XK" "LI" "MK" "MT" "MD" "OM" "RS" "SK" "SI" "AE"}) or (http.request.uri.path contains "/cms") or (http.request.uri.path contains "/wp") or (http.request.uri.path contains "/wordpress") or (http.request.uri.path contains ".env") or (http.request.uri.path contains "\\xC9") or (http.request.uri.path contains "xmlrpc.php")

Also take a look at: https://github.com/chaitin/SafeLine
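
For step 5 (examining the logs for cache-busting query parameters), the following is an added example, not code from the original post. It assumes an NGINX access log in the default "combined" format; the sample lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Request line inside an NGINX "combined" log entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def find_cache_busters(lines, min_hits=5, min_unique_ratio=0.9):
    """Return {(path, param): hits} for parameters whose value almost never repeats.

    A parameter that gets a fresh value on nearly every request to the same
    path defeats the cache key, which is the pattern step 5 describes.
    """
    values = defaultdict(list)
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # malformed or non-HTTP line
        url = urlsplit(match.group(1))
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            values[(url.path, key)].append(value)
    return {
        key: len(seen)
        for key, seen in values.items()
        if len(seen) >= min_hits and len(set(seen)) / len(seen) >= min_unique_ratio
    }

def waf_expression(path, param):
    """Draft Cloudflare rule expression for review before deploying.

    "contains" is a substring match, so check that it does not also catch a
    legitimate parameter whose name ends with the same letters.
    """
    return (f'(http.request.uri.path eq "{path}" and '
            f'http.request.uri.query contains "{param}=")')

def _line(ip, target):
    # Constructed log line, not real traffic (documentation IP ranges).
    return (f'{ip} - - [01/Jan/2024:00:00:01 +0000] "GET {target} HTTP/1.1" '
            f'200 512 "-" "Mozilla/5.0"')

SAMPLE = (
    [_line(f"203.0.113.{n}", f"/?i={1000 + n * 37}") for n in range(1, 9)]   # random-looking i=
    + [_line("198.51.100.7", f"/blog?page={n % 2 + 1}") for n in range(8)]  # normal pagination
    + [_line("198.51.100.9", "/style.css?v=3") for _ in range(6)]           # asset version
)

if __name__ == "__main__":
    for (path, param), hits in find_cache_busters(SAMPLE).items():
        print(hits, "hits ->", waf_expression(path, param))
```

On real logs, tune `min_hits` and `min_unique_ratio` so that search terms and session tokens used by your own application are not flagged.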