CF Pro and higher account will allow you to utilise CF WAF (web application firewall) which has preset rules you can use and enable additional ones for your web site which may help depending on the attack. Pro also has higher page rule and firewall rule quotas so you can configure custom rules for your particular web app’s targeted urls by the attack.
You can also enable Bot Fight Mode https://blog.cloudflare.com/cleaning-up-bad-bots/ on free plan and pro and higher
Example WAF rules for Wordpress
OWASP rule sets
Firewall events that are caught from various WAF rules
But this depends on the type of DDOS attack, layer 3/4 network layer is what CF automated protection focuses on. Application layer 7 attacks are not fully automated.
Cloudflare has no way of automatically knowing what your application is and whether it’s a legit request/traffic type for your application. You’d have to tell Cloudflare what is legit or not via CF WAF/Firewall Rules or custom CF Worker based logic. But Cloudflare isn’t useless, as there are other DDOS attacks at a network level which can be even more costly to defend against where Cloudflare helps for such attacks.
But if your real origin server’s IP address is exposed or leaked, then CF won’t be able to protect you as they can bypass CF proxy and hit your origin server directly. You can further secure your origin using CF Authenticated Origin Pull https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls and/or firewall configuration on origin server to prevent all traffic other than CF’s IP addresses https://support.cloudflare.com/hc/en-us/articles/201897700-Allowing-Cloudflare-IP-addresses