The probably best advice if you are not familiar with this kind of attack would be to get a system administrator to manage those attacks for you.
If you can’t afford/don’t want to deal with that at the moment, there are plenty of resources available in the forums/documents, however, it is a bit difficult to provide further insight without knowing the details of the attack.
Was the attack globally distributed?
Does it appear in your Cloudflare logs?
Does Captcha successfully stop it?
Do you typically have Chinese visitors to your site?
All information that you can provide will help us to guide you through the best rules to stop the attack.