Comment by mook

Given that the whole class of operators seem somewhat shady, I imagine that sometimes they would need to fend off attacks from competition services. In that case, being on a free DDoS protection plan seems like a reasonable thing to do (from their point of view). As long as they're not initiating the DDoS via Cloudflare, I'm not sure how that would be unreasonable of CF's part, given that I assume it's all automated and nobody ever looks at what sites have signed up.

I don't like CF for their fishy SSL architecture, the increased centralization of internet traffic, and the constant captchas when using tor, but the DDoS protection part (regardless to what sort of people they're providing service for) seems fine.