There have been a couple of discussions on this in the past:
The summary is that Fly provides network-level DDoS protections in addition to how the platform is architected for security overall: Security · Fly
For app-level protections like rate limiting and bot detection then Arcjet is integrated into the Fly CLI. This gives you the ability to set rate limits with the request context e.g. changing limits depending on who the user is. Currently for JS apps only, but other SDKs in the works.