Of course they are, but these botnets are actively combated by the ISPs.
The main bad traffic that I receive comes from server IP ranges all over the world and several rogue countries who think it makes sense to wage hybrid war against us. But residential IP ranges are not the majority of bad traffic.
I would even say that residential IP ranges are most of the paying customers for companies, and if you just block everything else you most likely wouldn't need to use Cloudflare.
Unfortunately, firewall technology is not there yet. It's quite hard to block entire countries, even harder to block any non-residential ASN. And then you can still add some open source "i am human" captcha solution before you need to use Cloudflare.