Krebs won't use Cloudflare because Cloudflare protect DDOS-for-hire sites from each other. He thinks, before CF offered this protection, the DDOS-for-hire services would take one another offline; and that it's an ethical problem, for CF to be protecting the very people whose criminal acts create (some of) the demand for their services.
Cloudflare, in their defence, say they don't censor/check/approve sites and that's a good thing - after all, sites like wikileaks should be allowed protection.
I'm all for free speech, but protecting sites that commit criminal activities is not a "good thing". In fact, they should be partly liable for the damage if they were aware of it and did nothing to stop it.
1) Put the site behind CloudFlare.
2) Wait for an attack...
3) Force all users to go through a capcha before accessing the site.
Note: The capcha setting can be enabled with 3 clicks in cloudflare UI and it takes 2-5 minutes to propagate. (Yes, I speak from experience)