That's the start. I have just been through the same **** as you. I got hundreds of endless false replies to my questions from people who simply don't know what the hell they are talking about.
First of all you need the paid Cloudflare subscription, which costs $200 / month. You may get rid of it later; we keep it. Then you need someone very experienced to BLOCK all IPs except Cloudflare's. Of course you need to use Cloudflare's nameserver for this to work. If you don't know how to do it, then the guys from https://emergencysupport.us/ are the guys that can help you set this up. You need a VPS or dedicated server with root access in order to get this done.
Once they have done the magic, you simply enable the firewall on Cloudflare and you will see the DDoS go away. It is important to know that you need to WHITELIST SEARCH engines as a firewall rule; if you don't do that, your site will lose ranking. Cloudflare will tell you stories that they let SEO BOTS go through, but that's as wrong as it could be.
Be prepared for a bill of around 900 euro to get rid of this, which includes Cloudflare costs, assistance from the guys above and some other things you may need. If this isn't in your budget, live with it or take a job at McDonald's.
Nowadays you need to protect yourself, which costs money, and with all the retards around on the Internet you have no chance to avoid such attacks.
Good luck.
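
The origin lock-down this post describes (accept web traffic only from the proxy's addresses), sketched as an added example that is not part of the original post. It assumes nftables on the origin server and web ports 80/443; the table name `origin_lock` is hypothetical, and the sample ranges are constructed documentation ranges standing in for Cloudflare's published IP list.

```shell
#!/bin/sh
# Added example: print (never apply) an nftables ruleset that accepts web
# traffic only from an allowlist of proxy CIDRs read from stdin.

# Constructed sample input: documentation ranges (RFC 5737 / RFC 3849),
# standing in for the CDN's published ranges.
SAMPLE_RANGES='192.0.2.0/24
198.51.100.0/24
# comments, blanks and junk are skipped

2001:db8::/32
not-a-cidr'

# is_cidr FAMILY VALUE: succeeds if VALUE is shaped like a CIDR of FAMILY.
is_cidr() {
    case "$1" in
        4) printf '%s\n' "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' ;;
        6) printf '%s\n' "$2" | grep -Eq '^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$' ;;
    esac
}

# elements FAMILY: comma-joined CIDRs of FAMILY taken from stdin.
elements() {
    out=''
    while IFS= read -r line; do
        is_cidr "$1" "$line" || continue
        out="${out:+$out, }$line"
    done
    printf '%s' "$out"
}

# build_ruleset: read a CIDR list on stdin, print the table, fail if empty.
build_ruleset() {
    list=$(cat)
    v4=$(printf '%s\n' "$list" | elements 4)
    v6=$(printf '%s\n' "$list" | elements 6)
    [ -n "$v4$v6" ] || { echo 'refusing: empty allowlist' >&2; return 1; }
    echo 'table inet origin_lock {'
    echo '  chain input {'
    # policy accept: only 80/443 are restricted, so SSH access is untouched
    echo '    type filter hook input priority 0; policy accept;'
    echo '    iif "lo" accept'
    [ -z "$v4" ] || echo "    ip saddr { $v4 } tcp dport { 80, 443 } accept"
    [ -z "$v6" ] || echo "    ip6 saddr { $v6 } tcp dport { 80, 443 } accept"
    echo '    tcp dport { 80, 443 } drop'
    echo '  }'
    echo '}'
}

printf '%s\n' "$SAMPLE_RANGES" | build_ruleset
```

Review the printed ruleset before loading it, and regenerate it whenever the provider's published ranges change, since a stale allowlist drops legitimate proxied traffic.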