The packets have to actually reach you in order for you to filter them out. If you have a 300Gbps incoming pipe, and you're getting 300Gbps of attack traffic, then there isn't any space left in the pipe for your legitimate traffic. It doesn't matter that your router is throwing away the packets as soon as it receives them.
Also, web servers might want to consult NTP servers now and again.
> Also, web servers might want to consult NTP servers now and again.
CloudFlare doesn't host web servers for their customers. They forward HTTP/HTTPS requests to origin servers outside of their network (or serve from their cache). I don't think the DDoS traffic actually hit any of their customers' origin servers (assuming origin server IPs are not known by the attackers). But yeah, it still means CloudFlare's incoming pipes are being hit with 400Gbps of traffic before they're able to filter anything.