In an ideal world this should be the case but I can’t afford to do this practically and my business is a service, based on UK laws and requirements, available to UK residents only. The website is for information only and nothing is new or interesting to anybody but a few potential clients, and if theyre looking at it on holiday, theres something wrong with them! Nobody is going to reach out based on my website from abroad and if they did, I would not trust them at all. They would reach out through personal contacts or linkedin. If the bots stop spamming my site or server, I can stop limiting it.

Another option to reduce (but not eliminate) this traffic is a country limit. In cloudflare you can set a manual security rule to do this. There are self hosted options too but harder to setup. It depends what country you are and where your users are based. My website is a business one so I only allow my own country (and if on holiday I might open that country if I need to check it’s working, although usually I just use a paid vpn back to my country so no need). You can also block specific countries. So many of my blocked requests are from USA, China, Russia etc

You could be behind CGNAT - I’m not sure the best way to tell but it could be the reason.

I would also highly recommend buying a cheap domain to use - it would be the price of a coffee per year but makes life so much easier and you don’t have to depend on duckdns. You can buy through cloudflare, porkbun or many other options which you can search for a good DDNS service to update them.