When it comes to DDoS, load balancing would be the best means to potentially mitigate or absorb the attack by distributing traffic over numerous servers (on your end, beyond CF). With a load-balanced setup, the worst case would be that the IP of the LB is exposed, as internally the LB should be routing traffic over private network IPs that aren't public, thus reducing exposure.
The public IPs of the endpoints would then be access-limited to only specific IPs or IP ranges.
Much of what goes into preventing a DDoS attack depends on you and how you have things set up as much as it does on who you're working with in an effort to prevent and mitigate the attack.
CloudFlare provides a much-needed service, though it's not an all-in-one solution. You can sign up for CloudFlare and run a poorly configured stack, and downtime can still result seconds after an attack begins. CloudFlare isn't a magical mask by far, but it can be helpful.
That being said, I'm sure you've heard the saying "give someone an inch and they'll take a mile" – it applies to DDoS. Give someone the means to launch a successful attack on you at any given moment and they will. Whether it succeeds depends on how prepared you are for it. I've seen many providers and servers handle decent-sized various-vector attacks with ease, while others suffer.
Attacks could come in various forms – NTP, UDP, DNS, TCP SYN+FIN+ACK, HTTP GET, etc. – it’s hard to prevent every single possible scenario, or predict which one someone is going to target. This falls back to where CloudFlare can help, but may not be able to prevent the entire effect.
As @hansen said, and it's very true, you will always have some attack surface if you have something on the internet.
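The origin-side restriction the post describes (endpoint public IPs reachable only from the LB/CDN ranges), as an added example that is not part of the post and not Cloudflare's or any LB vendor's code. The prefixes in `TRUSTED_RANGES` are a constructed sample: a hypothetical private subnet for the LB and a TEST-NET block standing in for the CDN's published egress ranges. It also shows the check a practitioner wants next to such an allowlist: only honour `X-Forwarded-For` when the TCP peer is one of those trusted hops, otherwise anyone who finds the origin IP can spoof the header and dodge per-client rate limits.

```python
"""Origin-side allowlist for a server that should only be reached via the LB/CDN.

Added example, not from the original post. The prefixes below are a constructed
sample; replace them with your LB's real private subnet and the CDN provider's
published ranges (fetched and refreshed, not hard-coded, in production).
"""
import ipaddress

# Constructed sample ranges (hypothetical); see module docstring.
TRUSTED_RANGES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8",       # hypothetical private subnet the LB uses to reach origins
    "203.0.113.0/24",   # hypothetical CDN/LB public egress range (TEST-NET-3)
)]


def is_trusted_peer(peer_ip: str) -> bool:
    """True if the address falls inside one of the LB/CDN ranges. Raises ValueError on junk."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_RANGES)


def should_accept(peer_ip: str) -> bool:
    """Drop anything that bypassed the LB/CDN and hit the origin's public IP directly."""
    try:
        return is_trusted_peer(peer_ip)
    except ValueError:
        return False


def effective_client_ip(peer_ip: str, x_forwarded_for: str = "") -> str:
    """Address to rate-limit and log on.

    X-Forwarded-For is only trusted when the TCP peer is a trusted proxy. Within
    the header, walk from the right and take the first hop that is not one of our
    own proxies: entries to its left were supplied by the client and may be forged.
    """
    if x_forwarded_for and should_accept(peer_ip):
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        for hop in reversed(hops):
            try:
                if not is_trusted_peer(hop):
                    return hop
            except ValueError:
                break  # malformed entry: fall back to the socket peer address
    return peer_ip


def nft_allowlist_rules(port: int = 443) -> str:
    """Render nftables rules admitting the listening port only from TRUSTED_RANGES."""
    ranges = ", ".join(str(n) for n in TRUSTED_RANGES)
    return "\n".join([
        f"tcp dport {port} ip saddr {{ {ranges} }} accept",
        f"tcp dport {port} drop",
    ])


if __name__ == "__main__":
    print(nft_allowlist_rules())
    print(effective_client_ip("203.0.113.7", "198.51.100.9, 203.0.113.8"))
```

The generated nftables fragment belongs in an `inet filter input` chain on the origin; the same allowlist applied in a cloud security group does the same job. Keep the ranges current, since a stale allowlist silently drops legitimate traffic when the CDN adds egress prefixes.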