Cloudflare max setting getting bypassed


So last week my site got its first DDOS and after that happened I set up Cloudflare but the last couple days the same area has been sending DDOS attacks to my site and it’s within a few minutes they do it again. I can’t afford the premium option for hits and I have Cloudflare on the under attack setting but there still doing this. A few days later I got a message on Discord from a user and he was saying sorry and he said he did the DDOS attack I blocked him and a few minutes ago my site got suspended and the user DMed me again. He explains what he did to cause the attacks bypassing Cloudflare…

My question I was going to ask is how can I block Trojan?

Can you tell from your web server logs if the requests are coming directly to your server from the attacker, or through Cloudflare? Have you configured your local server firewall to only allow connections from Cloudflare IP ranges, (and maybe your own test addresses) and block everything else.