Not if the level of incoming bandwidth exceeds the available bandwidth of the circuits involved. You can't filter it when the link is saturated. Cloudflare uses other techniques like global distribution so aggregate bandwidth is higher than the attack bandwidth.
The Netherlands has NaWas, a non-profit service that filters out DDOS attacks, in Q1’22 7,4 times per day with DDOS traffic up to 300Gbps. It’s a few-man shop, costs of membership are low. From their FAQ https://www.nbip.nl/en/nawas/faq/ :
The NaWas infrastructure is designed as an on-demand service. After detecting an attack, the traffic is routed via BGP to the NaWas hardware and then the mitigation process starts. All traffic is then rerouted and the own connections can thus manage with less capacity and thus remain cheaper.
To connect to the NaWas, a port must be available from one of the following parties: AMS-IX, NL-IX, LINX, NET-IX, Top-IX, M-IX, V-IX or one of these cloud interconnects DCSPine, Epsilon, Megaport.
Yes, there's a few distributed DDoS protection services. For example Fastly, Akamai, GcoreLabs, and a few smaller ones. They're mostly less evil too as a bonus.
This depends on what type of attack it is. If it's volumetric, no amount of packet filtering is going to help you. If it's a protocol-level attack then yes, some form of high performance WAF will be helpful if you have the filtering capacity.
Likely the attack isn't an overwhelming volumetric attack as I assume they have some fat pipes and big routers, but there's likely a bottleneck somewhere in their network.