Long story short, you can't "just" filter connections and block all the bad traffic while letting all the good traffic through. Blocking requests is easy; reliably telling legitimate visitors apart from attack traffic is both complicated and costly.
If it were easy, why would Cloudflare need its "I'm Under Attack" mode, i.e. "block everyone and everything until they complete a CAPTCHA", to contain the traffic? Cloudflare is a much bigger company that specializes in blocking attacks. If a company like Cloudflare can't do it, why would you expect that we could?
Also, this: