the products are very resource intensive. makes sense a lot would be over on hetzner (its dirt cheap).
i am maintaining my public instance ( https://moist.catsweat.com ) on amazons stack..just seems easier to setup for scaling. too bad its triple the cost.
Hmm, getting origin servers to expose themselves this way is a clever hack. As noted, any bad actors probably already know this trick to bypass Cloudflare/whatever anti-DDOS layer.
As a fix, I guess you can either send your server's outgoing connections through a proxy/VPN or use your hosting company's firewall to block all non-Cloudflare inbound traffic.