by kijin 969 days ago
Cloudflare's layer-7 protection is crap, but it's still orders of magnitude more effective than anything Linode or Hetzner can pull off.

Any major cloud or datacenter can block an old-fashioned UDP flood these days, but botnets have evolved too. Now they speak TLS and HTTP/2, and can send (relatively) small amounts of traffic to select endpoints to generate a large load.

In addition to blocking layer-3 and layer-4 floods, the DDoS mitigation service needs to MITM all your layer-7 traffic in order to determine which requests are legit. Cloudflare can do this (to some extent). AWS WAF can do this. Regular hosting companies can't, unless you use their load balancer and let them manage your TLS keys for you.

1 comment
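The low-volume layer-7 flood kijin describes (a few requests to an expensive endpoint doing more damage than thousands to a cached one) is only visible once TLS has been terminated and the proxy can log what each request cost the backend. As an added example, not code from this thread or from Cloudflare or AWS, here is a small Python detector over constructed access-log lines: it compares a naive per-client request-count limit with one weighted by backend time, and lists which endpoints are being used as amplifiers. The log format, the sample addresses and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict

# Hypothetical access-log format written by the TLS-terminating proxy:
#   <client_ip> <method> <path> <status> <upstream_time_ms>
# The last field is exactly what a layer-3/4 view of the traffic can never see.
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<ms>\d+)$"
)

# Constructed sample window (say, 10 seconds of traffic); not real log data.
SAMPLE_LOG = (
    # A crawler fetching a cached static asset 60 times: high volume, ~2 ms each.
    ["198.51.100.7 GET /static/app.js 200 2"] * 60
    # One ordinary user browsing: a handful of mixed requests.
    + [
        "203.0.113.5 GET / 200 30",
        "203.0.113.5 GET /api/search?q=shoes 200 400",
        "203.0.113.5 GET /static/app.js 200 2",
        "203.0.113.5 GET /product/42 200 25",
        "203.0.113.5 POST /cart 200 60",
    ]
    # A low-volume layer-7 flood: only 8 requests, but each one is an uncached
    # search query that costs ~900 ms of backend time.
    + [f"192.0.2.9 GET /api/search?q=zz{n} 200 900" for n in range(8)]
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ms"] = int(rec["ms"])
    return rec


def client_stats(lines):
    """Per-client request count and total backend time for one window."""
    stats = defaultdict(lambda: {"requests": 0, "server_ms": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stats[rec["ip"]]["requests"] += 1
        stats[rec["ip"]]["server_ms"] += rec["ms"]
    return dict(stats)


def flag_by_request_count(stats, max_requests):
    """Naive rate limit: clients that sent more than max_requests in the window."""
    return sorted(ip for ip, s in stats.items() if s["requests"] > max_requests)


def flag_by_server_time(stats, max_server_ms):
    """Cost-weighted limit: clients that consumed more than max_server_ms of backend time."""
    return sorted(ip for ip, s in stats.items() if s["server_ms"] > max_server_ms)


def expensive_endpoints(lines, min_avg_ms):
    """Paths (query string stripped) whose average backend time is at least min_avg_ms."""
    totals = defaultdict(lambda: [0, 0])  # path -> [request count, summed ms]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        totals[path][0] += 1
        totals[path][1] += rec["ms"]
    return sorted(p for p, (n, total) in totals.items() if total / n >= min_avg_ms)


def server_time_share(stats, ip):
    """Fraction of the window's total backend time attributable to one client."""
    total = sum(s["server_ms"] for s in stats.values())
    return stats[ip]["server_ms"] / total if total else 0.0


if __name__ == "__main__":
    stats = client_stats(SAMPLE_LOG)
    # The request-count rule flags the harmless crawler and misses the flood;
    # the backend-time rule does the opposite.
    print("by request count (>20):", flag_by_request_count(stats, 20))
    print("by backend time (>3000 ms):", flag_by_server_time(stats, 3000))
    print("expensive endpoints (>=500 ms avg):", expensive_endpoints(SAMPLE_LOG, 500))
    print("flood client's share of backend time: %.2f" % server_time_share(stats, "192.0.2.9"))
```

The point of the two rules side by side is that 8 requests never trip a request-count limit, yet on this window they account for over 90% of backend time; that signal exists only at the layer-7 vantage point kijin is talking about, which is why a provider that just sees packets cannot act on it.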

Why would I care about UDP when I run only TCP?
If I saturate your uplink with UDP, none of your TCP is going to get through, before you have a chance to drop it at your firewall. You have to get your ISP to do that for you, and hope there isn't too much traffic for their uplink.