MD5 hash detection is easily avoided by changing the files by one bit. But if they're using PhotoDNA that's actually quite plausible, and they have my full support (err, I mean, censorship! Slippery slope! Where's the court order?)
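The contrast drawn in the comment above, as an added example that is not part of the thread: an exact MD5 match breaks on a one-bit change, while a perceptual hash of the same image does not move. PhotoDNA is proprietary, so a simple average hash (aHash) stands in for it here as an assumption; the image is constructed sample data.

```python
import hashlib

W = H = 32  # constructed 32x32 grayscale image, one byte per pixel

def make_image():
    """Constructed sample: a smooth diagonal gradient (values 0..217)."""
    return bytearray(4 * x + 3 * y for y in range(H) for x in range(W))

def average_hash(pixels, grid=8):
    """64-bit aHash: each grid cell's mean brightness compared to the global mean.
    Stand-in for a perceptual hash; this is not the PhotoDNA algorithm."""
    bw, bh = W // grid, H // grid
    cells = []
    for gy in range(grid):
        for gx in range(grid):
            block = [pixels[(gy * bh + dy) * W + gx * bw + dx]
                     for dy in range(bh) for dx in range(bw)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:
        bits = (bits << 1) | int(c > mean)
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def compare():
    """Hash the sample image and a copy that differs in a single bit."""
    original = make_image()
    modified = bytearray(original)
    modified[0] ^= 0x01  # least significant bit of the first pixel
    return {
        "md5_match": hashlib.md5(original).digest() == hashlib.md5(modified).digest(),
        "hamming": hamming(average_hash(original), average_hash(modified)),
    }

if __name__ == "__main__":
    print(compare())
```

A matcher built on a perceptual hash compares Hamming distance against a threshold instead of testing digests for equality, which is why it tolerates small changes that defeat an exact-hash blocklist.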
Keyword clusters would work just fine for flagging DDoS attack-for-hire content:
They say they are 'legal' and perform 'stress tests', and 'distributed performance analysis' or 'real world testing'.
Granted I'd never use something as shady sounding as ddos.xyz, but there are plenty of legit companies that do the exact same things.
You'd need a bunch of manual review, and even then it'd become a "we think they're shady" instead of a "they're objectively sharing known illegal content" like it is with illegal pornography or copyright content.
Cloudflare understandably doesn't want to get into the business of being a company that manually reviews the internet (in how many languages?), and boots people who don't meet its tests.
Keyword clusters would work just fine for flagging DDoS attack-for-hire content:
https://www.google.com/search?q=ddos+booter
It's extremely obvious what these sites are up to.