As problematic as a solution like Cloudflare is, it's still probably the only serious option, even today. Anything else is a constant cat-and-mouse game. I've done a bit of fail2ban work to make my own anti-DDOS or psuedo-WAF and such, but any site under the threat of an arbitrary DDOS attack really only has Cloudflare (or other, worse options like Akamai, cloud, etc).