I do not recommend to use Windows to host a server/application, it's not designed for that.
Anyway, first you have to check the source of those attacks. The most common reasons are a server glitch, L4 (network DDoS) or L7 (application DDoS).
Since you are hosting over OVH, it has a good L4 protection, so, check the number of site access that you are receiving in XAMPP logs.
Did you block direct IP access to your site? If not you should only allow access from CloudFlare IP blocks to ports 80/443.
But, even CloudFlare can be bypassed with residential proxies and overload your XAMPP application causing a stress in your network/machine.
When attack starts, first monitor your CloudFlare firewall and check the number of access. If you don't see anything in CloudFlare, check your XAMPP logs and find the number of access to your HTTP server.
In parallel, start monitoring bandwidth in OVH panel, and machine resources to check which application is consuming the most resources.
If you see TFS stressed, this could be a glitch in your server. TFS works in a single main thread, and if this thread is running an expensive function, the continuation of proccess will be paused until it finishes.
If you see a high number of access through CloudFlare, a L7 attack that is not beeing blocked by CloudFlare.
If you see a high number of access in XAMPP only, a L7 attack direct to your IP in HTTP ports.
If you see a high number of incoming bandwidth, a L4 attack that should be mitigated by OVH automatically, or after a simple DDoS rules setup.