You could tell the protection was in place because when you went to its website, you would see a 5-second delay while the software determined if you were a real browser or an automated bot such as that DDoS software uses.
My guess was that it is not legal for a US company to perform services for a US-designated terrorist group.
As has happened a number of times recently, the EoZ readers came through. They tweeted to Cloudflare asking why they supported a terror group, and others contacted CloudFlare support directly and received a disingenuous response about their view of censorship.
(CloudFlare Support) Nov 22 10:30 am (PST) We understand if you disapprove of a given site, but please review our stance on censorship --> http://blog.cloudflare.com/58611873 We cooperate with law enforcement, and will continue to do so if they contact us about a given site. Thanks for reaching out.
Of course, this isn't a censorship issue - I am not demanding that Hamas' terror wing not be allowed on the Internet. This is a question about US law, period, and whether it is legal for a US company to protect a terrorist website. (The rationale given in their link that protecting bad guys from DDoS attacks helps them more effectively protect the good guys is also disingenuous - by that logic, international corporate security firms like G4S should be allowed to work for terrorist groups as well.)
Other EoZ readers contacted the FBI and the Secret Service, asking about CloudFlare's service for Hamas.
Today, it appears that the CloudFlare DDoS protection is no longer in front of the Hamas website.
Congrats to my readers for making a difference!