[AntonyGarand]

How would you differentiate the good and bad DDoS services?

There is a use case for buying them for testing purposes to apply on yourself, so it's not as cut-and-dry as you would expect.

[handoflixue]

Given the resources required, I'd expect a good DDOS service probably has a reputation in the industry, plausibly some sort of certifications, etc. - selling an easily mis-used service requires a lot of protections

Conversely, this site proudly advertises that it has zero "Know Your Customer" restrictions, bypasses Cloudflare protections, etc.

Quoting the site directly: "Some popular use cases are taking down competitor websites, creating unfair advantages in games and personal agendas."

Even their CYA disclaimers are flimsy: "We simply ask to only use our tools on infrastructure that you own or are permitted to attack."

Not "Require", "ask".

[AntonyGarand]

And that's diligence that Cloudflare would need to enforce on every single site they have?

This one is fairly obviously bad, but some will be more ambiguous, and I wouldn't expect Cloudflare to be the one policing them all.