Pretty trivial to get a new IP address these days.

IP enumaration is also pretty trivial. I guess that what attackers might be using to "unhide" domains. Scan the net and request the required domain name?

That won't work if the origin firewall allows only CloudFlare IP ranges.

Maybe but this helps https://support.cloudflare.com/hc/en-us/articles/204899617