DDOS-for-hire websites are naturally unstable - if not for the protection CloudFlare provides, they would all knock one another offline and there would be no DDOS-for-hire websites (or only a single, expensive winner).
Depending on your point of view, cloudflare providing the protection that makes DDOS-for-hire possible is either (a) them being fair and website-content-neutral, anything else would be censorship or (b) the glazier giving baseballs to the child who carelessly breaks windows with them, to generate demand for his services that would not otherwise exist.
The DDOS-for-hire company doesn't need a significant or even continuous web presence, does it? Seems ineffective to DDOS them.
EDIT Surely many of these DDOS-for-hire companies cross into illegal territory. CF can maintain a content-neutral stance by kicking illegal activity off.
The DDoS-for-hire being discussed here are called booters. Access to them can be bought for a few dollars (~$10), and then one is able to log into the site and click a button to attack someone for a few minutes (the exact time depending on the booter itself and sometimes how much you pay).
Depending on your point of view, cloudflare providing the protection that makes DDOS-for-hire possible is either (a) them being fair and website-content-neutral, anything else would be censorship or (b) the glazier giving baseballs to the child who carelessly breaks windows with them, to generate demand for his services that would not otherwise exist.