Our server was almost like being DDoS'd. When running netstat -a, I saw something that I cannot understand (maybe due to my very limited knowledge):
root@NC-PH-0456-19:~# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 localhost:8891 *:* LISTEN
tcp 0 0 mail.mydomain.com:https *:* LISTEN
tcp 0 0 ss.itqanserver.com:28 *:* LISTEN
tcp 0 0 localhost:mysql *:* LISTEN
tcp 0 0 *:8686 *:* LISTEN
tcp 0 0 *:webmin *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 mail.mydomain.com:https 172.68.118.86:34823 SYN_RECV
tcp 0 0 mail.mydomain.com:http 162.158.242.18:25496 TIME_WAIT
tcp 0 0 mail.mydomain.com:http 108.162.245.208:12166 TIME_WAIT
tcp 0 0 mail.mydomain.com:https 162.158.178.208:30815 ESTABLISHED
tcp 0 0 mail.mydomain.com:http 162.158.78.147:34651 ESTABLISHED
tcp 0 0 mail.mydomain.com:https 172.68.118.152:35605 ESTABLISHED
tcp 0 0 mail.mydomain.com:https cf-173-245-62-195:19692 ESTABLISHED
tcp 0 0 mail.mydomain.com:http 162.158.241.150:24994 ESTABLISHED
tcp 0 0 mail.mydomain.com:https 108.162.229.205:29668 ESTABLISHED
tcp 0 0 mail.mydomain.com:http 162.158.178.145:28105 TIME_WAIT
tcp 0 0 mail.mydomain.com:http 103.31.5.234:34946 TIME_WAIT
tcp 0 0 mail.mydomain.com:https 108.162.222.143:13795 ESTABLISHED
tcp 0 0 mail.mydomain.com:http 162.158.38.203:14939 ESTABLISHED
tcp 0 0 mail.mydomain.com:http 188.114.103.17:10907 ESTABLISHED
tcp 0 0 mail.mydomain.com:http cf-199-27-128-213:21775 TIME_WAIT
tcp 0 0 mail.mydomain.com:http 162.158.39.201:28791 TIME_WAIT
tcp 0 0 mail.mydomain.com:https 108.162.221.222:22277 ESTABLISHED
... and a lot more
mail.mydomain.com is not even related to our server, as it is configured to point to some external cloud mail server by Cloudflare. And all those Foreign Addresses belong to Cloudflare, which we are using. For some reason, thousands of those mail.mydomain.com connections took our website down for hours...
Are we under attack / hacked?
Also, we couldn't PuTTY into it; we had to ask support to disable ufw. How can I tell if someone hacked the firewall?
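As an added example (not part of the original post), the Python script below parses the `netstat -a` output quoted above and summarizes what a defender would look at first: how many sockets are in each TCP state per local service, and how many of the foreign peers fall inside Cloudflare's published IPv4 ranges. The sample input is the post's own lines; the Cloudflare range list is a snapshot assumed by this example and must be refreshed from cloudflare.com/ips before it is relied on.

```python
"""Summarize `netstat -a` output: TCP states per local service, and how many
peers fall inside a set of known CDN/proxy ranges (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample: the TCP lines quoted in the post above.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 localhost:8891 *:* LISTEN
tcp 0 0 mail.mydomain.com:https *:* LISTEN
tcp 0 0 ss.itqanserver.com:28 *:* LISTEN
tcp 0 0 localhost:mysql *:* LISTEN
tcp 0 0 *:8686 *:* LISTEN
tcp 0 0 *:webmin *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 mail.mydomain.com:https 172.68.118.86:34823 SYN_RECV
tcp 0 0 mail.mydomain.com:http 162.158.242.18:25496 TIME_WAIT
tcp 0 0 mail.mydomain.com:http 108.162.245.208:12166 TIME_WAIT
tcp 0 0 mail.mydomain.com:https 162.158.178.208:30815 ESTABLISHED
tcp 0 0 mail.mydomain.com:http 162.158.78.147:34651 ESTABLISHED
tcp 0 0 mail.mydomain.com:https 172.68.118.152:35605 ESTABLISHED
tcp 0 0 mail.mydomain.com:https cf-173-245-62-195:19692 ESTABLISHED
tcp 0 0 mail.mydomain.com:http 162.158.241.150:24994 ESTABLISHED
tcp 0 0 mail.mydomain.com:https 108.162.229.205:29668 ESTABLISHED
tcp 0 0 mail.mydomain.com:http 162.158.178.145:28105 TIME_WAIT
tcp 0 0 mail.mydomain.com:http 103.31.5.234:34946 TIME_WAIT
tcp 0 0 mail.mydomain.com:https 108.162.222.143:13795 ESTABLISHED
tcp 0 0 mail.mydomain.com:http 162.158.38.203:14939 ESTABLISHED
tcp 0 0 mail.mydomain.com:http 188.114.103.17:10907 ESTABLISHED
tcp 0 0 mail.mydomain.com:http cf-199-27-128-213:21775 TIME_WAIT
tcp 0 0 mail.mydomain.com:http 162.158.39.201:28791 TIME_WAIT
tcp 0 0 mail.mydomain.com:https 108.162.221.222:22277 ESTABLISHED
"""

# Cloudflare IPv4 ranges as published at https://www.cloudflare.com/ips-v4 when
# this example was written. ASSUMPTION: the list changes over time; refresh it
# before trusting the classification (an unmatched peer may simply be a range
# that was added or retired).
CLOUDFLARE_V4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Matches a dotted quad, or a reverse-DNS style name that embeds one with
# dashes (e.g. cf-173-245-62-195). Heuristic: any four dash/dot-separated
# numbers in a hostname are taken to be an address.
IPV4_IN_NAME = re.compile(r"(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})")


def split_endpoint(endpoint):
    """'host:port' -> (host, port); the port is whatever follows the last colon."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per TCP socket line; header and non-TCP lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue
        proto, _recvq, _sendq, local, foreign, state = parts[:6]
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        conns.append({"proto": proto, "local_host": lhost, "local_port": lport,
                      "foreign_host": fhost, "foreign_port": fport, "state": state})
    return conns


def host_to_ipv4(host):
    """IPv4 address parsed from a dotted quad or an rDNS-style name, else None."""
    m = IPV4_IN_NAME.search(host)
    if not m:
        return None
    try:
        return ipaddress.ip_address(".".join(m.groups()))
    except ValueError:
        return None


def in_ranges(host, networks=CLOUDFLARE_V4):
    """True if the host resolves to an address inside any of the given networks."""
    ip = host_to_ipv4(host)
    return ip is not None and any(ip in n for n in networks)


def state_totals(conns):
    """Counter of TCP state -> number of sockets (LISTEN included)."""
    return Counter(c["state"] for c in conns)


def states_by_service(conns):
    """Counter of (local_port, state) for non-listening sockets, so a pile of
    SYN_RECV on one service stands out from ordinary ESTABLISHED/TIME_WAIT churn."""
    return Counter((c["local_port"], c["state"]) for c in conns if c["state"] != "LISTEN")


def peer_breakdown(conns, networks=CLOUDFLARE_V4):
    """Counter with 'in_ranges' and 'other' for non-listening peers."""
    result = Counter()
    for c in conns:
        if c["state"] != "LISTEN":
            result["in_ranges" if in_ranges(c["foreign_host"], networks) else "other"] += 1
    return result


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("state totals:", dict(state_totals(conns)))
    for (port, state), n in sorted(states_by_service(conns).items()):
        print(f"  {port:>6} {state:<12} {n}")
    print("peers:", dict(peer_breakdown(conns)))
```

Two things the summary makes visible that the raw listing does not: the ratio of SYN_RECV (half-open) sockets to ESTABLISHED ones, which is the signature to watch for in a SYN flood, and whether the peers are the CDN's own edge addresses or something else. Note also that `netstat -a` without `-n` performs reverse DNS lookups, so `mail.mydomain.com` in the Local Address column is simply the PTR name of the server's own IP address, not evidence that mail traffic is reaching the box; rerun with `netstat -an` to see the numeric addresses.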