Yes, one way is via user agent rate limiting and/or blocking. It's not entirely accurate, as these bots can change their user agents, but it's a start.
For my Centmin Mod Nginx LEMP users I have a rate limit and/or bad bot blocking setup outlined at https://community.centminmod.com/threads/blocking-bad-or-aggressive-bots.6433/ which allows you to either whitelist a user agent, rate limit it, or block it at Nginx level. I had another script I wrote to pass those user agents' IPs on to my CSF Firewall for firewall level blocking too. You can also script it to pass the IPs to the Cloudflare end via API.
Worked well, as my Linode VPS was handling the DDOS layer 7 attack easily, but Linode saw the increased network traffic as not acceptable, so they null routed the VPS despite my VPS smoothly sailing through the attack with my user agent based blocking at Nginx level https://community.centminmod.com/threads/forum-ddos-attacked-linode-null-routed.7045/. That's the issue with doing DDOS layer 7 based protection yourself: your server might be able to handle the load, but whether it's acceptable to the web host is another matter altogether. So I had to come up with my own solution, which is to use a DDOS protected IP VPS server to set up a GRE tunnel so all traffic to my Linode origin flows through my DDOS protected IP VPS server (500Gbps protection) + have Sucuri Cloudproxy on the frontend for Layer 7 DDOS protection and Amazon SES for emails. DDOS protected IP VPS GRE tunnel + Sucuri adds an extra US$32/month to my costs.
Been thinking about Cloudflare (see "Tips for migrating DNS from AWS Route53 to Cloudflare?"), but for full DDOS protection you'd have to bump up to the Business plan at $200/month. Probably the next level.
One of my Centmin Mod users also wrote a guide for using Nginx Lua, Redis server and fail2ban to rate limit and ban requests that would work behind Cloudflare https://community.centminmod.com/threads/how-to-limit-requests-and-ban-those-hitting-the-limit.7185/. Nginx would need to have Lua Nginx module support, which my Centmin Mod Nginx server has optional support for, and you'd need to install Redis server. Haven't used it myself though. Again, while you may get your server to a certain extent to cope with a DDOS attack, whether the web host finds it acceptable is another matter altogether!
Maybe other folks have tips as well.
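
The whitelist / rate limit / block split by user agent described in the post above, sketched as plain Nginx configuration. This is an added example, not part of the original post and not the Centmin Mod setup from the linked thread; the bot names marked as constructed, the zone name, the rate, and the server block are assumptions.

```nginx
# Goes in the http {} context.

# Classify each request by User-Agent: 0 = allow, 1 = rate limit, 2 = block.
# Regex entries are tested in the order written, so the allowlist comes first.
map $http_user_agent $ua_class {
    default                  0;
    ~*(googlebot|bingbot)    0;   # allowlisted crawlers (match on UA string only)
    ~*exampleaggressivebot   1;   # constructed name: rate limited
    ~*examplebadbot          2;   # constructed name: blocked
}

# limit_req does not count requests whose key is empty, so only class 1
# requests get a key and are throttled (per client IP).
map $ua_class $ua_limit_key {
    default  "";
    1        $binary_remote_addr;
}

limit_req_zone $ua_limit_key zone=ua_limit:10m rate=1r/s;
limit_req_status 429;

server {
    listen 80;
    server_name example.com;      # placeholder host

    # 444 is Nginx-specific: close the connection without sending a response.
    if ($ua_class = 2) {
        return 444;
    }

    location / {
        # Allow short bursts, reject the excess with 429.
        limit_req zone=ua_limit burst=5 nodelay;
        root /var/www/html;       # placeholder docroot
    }
}
```

Behind Cloudflare or another proxy, `$binary_remote_addr` is the proxy's address unless the real client IP is restored first (for example with `ngx_http_realip_module`), so the per-IP limit would otherwise throttle the proxy rather than the bot.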