If Cloudflare could automatically report the attack, Cloudflare would be able to auto-mitigate it. DDoS protection is sadly way more complicated than simply patching stuff. It's not like DDoS requests are all malformed in some way; HTTP DDoS attacks follow all the rules, they're just not real user traffic, and that "not real" part is really hard to figure out. Some customers have websites which do a lot of API traffic, and thus automated requests are the norm.
There are things you can do on your end though. There's a community guide on stopping attacks/crafting rules to stop it: https://community.cloudflare.com/t/mitigating-an-http-ddos-attack-manually-with-cloudflare/302366 There are also some options you have, like Super Bot Fight Mode/Bot Fight Mode, which, if you don't have any automated traffic, are aggressive options which can be used when under attack (Security -> Bots). Sane rate limits are a good idea too.
If you're interested in more about the actual DDoS protection: