That sucks. I have moved many websites recently from EC2 to Hetzner. What they offer is really impressive and the difference is clear (probably 5x more resources/power for 25% of the Amazon price).
I guess I will still keep the server, but will have to work on a quick migration/failover plan in case I encounter something similar.
I have also started using Cloudflare as my default DNS host, so that could also be a possible solution.
Cloudflare doesn't help if they DDoS your server's IP directly... You can also "hide" your IP by activating CF on all subdomains (the orange cloud thingy), but people always find a way to find the server's IP and attack it (CF doesn't help there at all; they only filter packets that go through their servers, which your domains resolve to).
How would they find the IP if you don't have it used in any DNS records? Unless Cloudflare exposes the real IP at times and you've taken all the proper preventative measures I don't see how this is possible...
There are ways. You could use services like domaintools and get IP history if you did use any of the IPs in the past. You could get the IP from e-mail headers, if the website sends e-mails during registration, password recovery, etc. You could look for ways for a server to make a request somewhere and log its IP, like posting an image on a forum, some forums do that. And this is just off the top of my head.
Right, though in most cases those holes are easily plugged. When switching over to CF, don't use an IP that was ever public-facing for your site, use distributed systems like Amazon SES for sending email, etc. I imagine the things you mentioned do go overlooked by some when fighting off an attack, though.
What I would do is just order a fresh new IP and point Cloudflare to it. It is very difficult to find it, and even the domaintools history will never know about it.
If the DDoSer is really willing to invest more in attacking me, then my business probably shouldn't run on Hetzner :)
But then you can pull up another host and point to it. The original server is still DDoSed but clients can reach your website, which is what really matters.
Cloudflare is awesome if all you need to serve is HTTP traffic. If you are serving something else, say, FTP or SSH or IMAP or something else? It doesn't help you much at all.
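The thread above makes two practical points for anyone putting an origin behind Cloudflare: the origin IP must not be exposed through any unproxied DNS record (the "orange cloud on every subdomain" point, and the mail/FTP/SSH records that Cloudflare cannot proxy at all), and the origin itself should only accept traffic that actually arrives via Cloudflare, since Cloudflare filters nothing that is sent straight at the server's IP. The following is an added example written for this page, not code from any commenter or from Cloudflare. It audits a constructed DNS zone for records that reveal the origin and models an origin-side allowlist check against Cloudflare's published egress ranges. The zone records, the origin address (a TEST-NET-3 value) and the Cloudflare range list are assumptions: the range list is a short snapshot for illustration and in practice must be refreshed from https://www.cloudflare.com/ips-v4 and ips-v6.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Snapshot of a few Cloudflare IPv4 egress ranges, used here only for illustration.
# Production code must fetch the current list from https://www.cloudflare.com/ips-v4
# (and ips-v6) instead of hard-coding it; the list changes over time.
CF_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ["173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "172.64.0.0/13"]
]

# Constructed origin address (RFC 5737 TEST-NET-3), not a real server.
ORIGIN_IP = "203.0.113.10"


@dataclass
class Record:
    name: str       # record name within the zone
    rtype: str      # A, AAAA, MX, ...
    value: str      # address or target hostname
    proxied: bool   # True = Cloudflare "orange cloud" is on for this record


# Constructed zone. Only A/AAAA records can be proxied; MX, and anything that
# serves FTP/SSH/IMAP rather than HTTP, necessarily points straight at a host.
ZONE: List[Record] = [
    Record("example.com", "A", "203.0.113.10", proxied=True),
    Record("www", "A", "203.0.113.10", proxied=True),
    Record("ftp", "A", "203.0.113.10", proxied=False),    # FTP cannot go through CF
    Record("mail", "A", "203.0.113.10", proxied=False),   # mail host on the web origin
    Record("example.com", "MX", "mail.example.com", proxied=False),
    Record("blog", "A", "198.51.100.7", proxied=False),   # separate host, not the origin
]


def leaking_records(zone: List[Record], origin_ip: str) -> List[Record]:
    """Return address records that publish the origin IP without Cloudflare in front.

    A proxied A/AAAA record resolves to Cloudflare, so it does not reveal the
    origin. An unproxied one resolves to the origin itself and hands the address
    to anyone who queries DNS. Fixing these means either moving the service
    (e.g. mail to a separate host, as the thread suggests) or moving the
    origin to a fresh address that no record ever exposed.
    """
    target = ipaddress.ip_address(origin_ip)
    return [
        r for r in zone
        if r.rtype in ("A", "AAAA")
        and not r.proxied
        and ipaddress.ip_address(r.value) == target
    ]


def is_cloudflare(src_ip: str) -> bool:
    """True if src_ip falls inside one of the known Cloudflare egress ranges."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in CF_RANGES)


def origin_firewall_decision(src_ip: str) -> str:
    """Model the origin's HTTP ingress rule: allow only traffic relayed by Cloudflare.

    Direct-to-IP traffic never passed Cloudflare's filtering, so the origin
    drops it. This is the host-firewall equivalent of allowlisting the
    published ranges on ports 80/443.
    """
    return "allow" if is_cloudflare(src_ip) else "drop"


if __name__ == "__main__":
    for r in leaking_records(ZONE, ORIGIN_IP):
        print(f"origin exposed by unproxied {r.rtype} record: {r.name} -> {r.value}")
    for peer in ("104.16.1.1", "203.0.113.99"):
        print(f"{peer}: {origin_firewall_decision(peer)}")
```

Running the audit against the constructed zone flags the `ftp` and `mail` records, which is exactly the shape of leak the thread describes: the web front is proxied, but a non-HTTP service on the same box gives the address away. The allowlist check is only a model of the rule; the real control is a host or provider firewall that admits the published ranges on the web ports and nothing else, refreshed whenever Cloudflare updates the list.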