DDoS Attacks usually do not leave traces once they top; however, in some cases servers might not recover automatically.
Usually this means the webserver crashed, server ran out of storage (this can be pretty bad), IP nullrouting/firewall misconfiguration or something around those lines.
Since you already shared the backend ip; can you share the DNS and SSL settings?
Can you share CF stats? Graphs, visitor count that occurred during the attac.
I think that your backend might have blocked CF IPs after the attack. The firewall on your server might have observed a lot of connections coming from CF and assumed it was a malicious attack, however, because it can’t parse the “real” IP addresses, the firewall assumed CF was carrying the attack.
I’d reach out to your hosting provider and ask them about what firewall they have that is causing this