If you connected recently, then not everyone had time to update their DNS records. If an attacker knows your IP behind Cloudflare, he can suffocate you directly in any case, therefore, if you put Cloudflare in front of you for DDoS protection, it is recommended to change the IP of your server to one that the attacker knows nothing about. Well, additionally - deny access to the web server directly, allow only from Cloudflare IP addresses.
And finally, configure nginx so that it trusts Cloudflare and substitutes an IP address in remote_addr: nginx.org/ru/docs/http/ngx_http_realip_module.html

Q: How do they get to the site? Isn't all traffic routed through cloudflare?

Have you chosen to protect the site's domain name or a range of network addresses?
The network address to which the domain from the Cloudflare address pool is bound?
Cloudflare engineers seem to give a recommendation to block access from third-party addresses to your ip, except for their subnet. Has this recommendation been implemented?