Cloudflare is the only company that provides DDOS protection services for small websites while everything else is inferior as well as hyperinflated due to being targeted at major companies.
We need a company to provide DDOS protection services that will serve us and only us while being content neutral in terms of profiction site policies.
There's an economy of scale here that's just not viable to replicate independently. Also there are suspicions that cloudflare is funded by intelligence agencies since the accounts don't quite add up and all the traffic they are proxying could easily be spied upon - it's an endrun around normal https.
The DDoS problem is a design flaw in the internet. If you want to combat it in a decentralized way, you'd have to start by designing new routing protocols with filtering on the exit traffic. So say I'm getting spammed from a server in Bangladesh, instead of filtering it on my end, I would ask their Bangladeshi ISP to filter it. You'd have to cover all the situations of spoofed requests and non-compliance and it'd be a whole research project just to work out the logic, let alone implement it.
The design flaw is not the internet, it's the server.
If you have 100 nodes with an IPFS file then they'd have to DDoS 100 networks, some of which may be universities or other places with huge bandwidth. If IPFS were to more often cache slowly downloaded files then the resources would 'route away' from any network attack.
You want to lock up the data/code behind a server, then you have a ddos problem.
What's needed is a reason for people to host their own data. Built it and caches that protect from ddos will appear.