They are what are called reverse VPNs.
They hide the actual server of the website, and fetch from that server whenever the user asks for content from that server. The basic idea is that if there is an actual DDoS attack, Cloudflare’s servers take the brunt of the attack. Cloudflare is big enough that it can handle a DDoS attack. This is why it has you wait 5 seconds sometimes: Cloudflare thinks you may be DDoSing, so it will ask you to wait a few seconds before it queries the server, so as not to overload the server.
In some sense it's an insurance policy. You handle a DDoS attack by having enough computing resources to be able to manage all the requests. Most companies cannot afford such resources to defend against attacks that happen once in a blue moon, but when they all band together under a company like Cloudflare, DDoS attacks on at least one of them happen enough to justify the cost being split among all its users.
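A toy model of the behaviour this answer describes, added here as an illustration and not part of the original answer or Cloudflare's own code: an edge sits in front of a hidden origin, forwards ordinary traffic, and makes a client that exceeds a request rate wait before anything more reaches the origin. The class name, thresholds and addresses are assumptions made up for the example.

```python
import collections


class EdgeProxy:
    """Constructed model of an edge fronting a hidden origin server."""

    def __init__(self, origin, max_requests=5, window=1.0, challenge_wait=5.0):
        self.origin = origin                  # callable standing in for the real server
        self.max_requests = max_requests      # allowed requests per client per window
        self.window = window                  # sliding window length, seconds
        self.challenge_wait = challenge_wait  # how long a flagged client must wait
        self.recent = collections.defaultdict(collections.deque)
        self.blocked_until = {}

    def handle(self, client, path, now):
        # A client still inside its waiting period never reaches the origin.
        if now < self.blocked_until.get(client, 0.0):
            return ("challenged", None)
        hits = self.recent[client]
        # Drop timestamps that have aged out of the sliding window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        hits.append(now)
        if len(hits) > self.max_requests:
            self.blocked_until[client] = now + self.challenge_wait
            return ("challenged", None)
        return ("forwarded", self.origin(path))


def simulate():
    """Replay constructed traffic: one noisy client and one ordinary visitor."""
    origin_hits = []

    def origin(path):
        origin_hits.append(path)
        return "content of " + path

    edge = EdgeProxy(origin)
    # Constructed sample: 1000 requests within one second from a single address.
    noisy = collections.Counter(
        edge.handle("203.0.113.7", "/", i * 0.001)[0] for i in range(1000))
    # Constructed sample: one request per second from an ordinary visitor.
    visitor = collections.Counter(
        edge.handle("198.51.100.20", "/", float(t))[0] for t in range(10))
    return len(origin_hits), noisy, visitor


if __name__ == "__main__":
    print(simulate())
```

The origin sees 15 requests out of 1010; the rest are answered at the edge, which is the load the shared provider absorbs on the site's behalf.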