Right, I was hoping not to use them at a previous company that used AWS. One day we got hit by a DDOS (trying to get us to pay to stop it). Even with AWS WAF costing $0.60 per million requests, we ended up paying around $10k in WAF rules to block the attack. Yes, hundreds of thousands to millions of reqs/sec. Luckily the attacker had their entire botnet using an Accept-Language header from a specific (non-english) language, which made it an easy rule target. If it wasn't for that, I'm not sure what we would have done. Would actually love to hear what others do, I want the answer to be more than "use CloudFlare", but it's the only option I've found since then.