If you’ve already tried setting Security Level to High, the next step I’d try would be to set it to “I’m Under Attack!”
To be less obtrusive, you can see if there’s a URL in particular that’s being targeted and make a Page Rule to apply the heightened security to just that part of your website.
I just did that. But for the page rule, I’m confused.
If, for example, the attackers are targeting a specific path, like /, /wp-login or /admin, then I would add a Page Rule with enhanced security for just that URL path.
It seems to me that in your Crypto settings page here, you don’t have “Always Use HTTPS” enabled.
I say this because if I use http for your site, I get the DDoS protection delay, then it redirects me to HTTPS, and I get another DDoS protection delay. I could be wrong, though.