Enable bot protection in Cloudflare as per your plan https://developers.cloudflare.com/bots/get-started/

Just an idea but maybe you could cause big loads on their servers by requesting in parallel a large amount of urls where you actively serve a gzipped massive html file that is full of links to your website.

EDIT: or building up on what user zhouyisu says above you can generate your perfect match IP blacklist by calling urls via the abusing site that automatically puts any caller into the blacklist.

I'm not sure how easy would be to serve a "zip bomb" without getting into trouble, but it would be neat

If you're on Cloudflare and they're stripping JS wouldn't a JS challenge be appropriate?

https://developers.cloudflare.com/fundamentals/get-started/c...

Pretty anti-user though

Because it requires JS? How about this then...

    a[href*= "sukuns.us.to"] {
     display:none; 
    }

Then use SRI to enforce that CSS.

Then where they're coming from should be exceedingly visible in logs (via splunk or whatever), so deny those requests.