What are the defaults of those settings? What percentage of site owners change the defaults?

It's kind of like saying "it's your own fault you didn't de-select the "track everything I do" checkbox on our privacy page".

Which settings would those be? I'm using Cloudflare for a couple of my sites, and if I can fix this, I will. Otherwise I'll stop using Cloudflare.

In CloudFlare go to "Firewall" and then click Settings on the right.

Here you can set the Security Level and if you want to use Browser Integrity Checks among other things.

Thanks! I will look into that further.

The simplest way is just to use CloudFlare for DNS only (grey cloud button) until you're under attack.

edit: do not follow my advice

This is a horrible recommendation and will ensure that the attack can continue after activating CloudFlare. You've already exposed your origin's IPs in this circumstance.

Yikes, of course.

can't you ask your provider for a new one?

Your provider would have to nullroute the ip under attack and you'll have to wait for DNS cache expiration so your updated zone is being distributed to clients.

Short TTLs are not honoured by everyone so you'll experience some downtime.

Is there any way around that? I'd rather set it and forget it so I don't have to worry about the attack in first place.