CloudFlare protection can be easily bypassed. These types of proxy services which offer decently cheap DDoS protection are fine for defending against small-time attacks, however, plenty of attackers have scripts capable of bypassing them.

You can't bypass with syn floods or udp flood. And if we are talking about size of attack in context of bandwidth, look at spamhaus and cloudflare case. That wasn't small. I admit that specialized, sophisticated attack from lets say top3 botnets would make damage and probably bypass cloudflare http protection. But if someone is making such an attack on you then probably you can afford getting prolexic.

What scripts are capable of bypassing CloudFlare/proxy services and how do they do it? Do they look for old DNS records that leak their Origin IP or something like that?

There are two ways to bypass CloudFlare and related services. 1) Most of the time, as Kephael said, websites expose their back end IPs through subdomains like ssh.domain.com or ftp.domain.com. MX records also sometimes function in the same way. There are a variety of ways to resolve a domain through CloudFlare. 2) CloudFlare bypass scripts can be bought for around $400 which manipulate the JavaScript per client when sending an attack (mainly by disabling JavaScript). This prevents the so called "challenge pages" from blocking malicious traffic, effectively slipping through CloudFlare protection. Most of these scripts work on most other providers such as Sucuri as well.

Here's how it could be done:

Spin up a hefty AWS instance and connect to every single IPv4 IP while sending a HTTP get request on successful connects with a Host matching that of the domain. There are only 4 billion IPs. Look for successful code 200's with the same headers and content as the original website. Easier said than done though.

Btw, this attack can be prevented if you run a drop-all firewall and only whitelist the IPs listed here: https://www.cloudflare.com/ips/

Frequently there will be MX records or something similar pointing directly to the server. Even error pages can potentially leak a direct, unprotected IP.

If your email is hosted on the same machine as your web server, I don't think DDoS attacks are your highest priority.