About DDOS billing, you are only charged for requests before the attack is detected by our system and for any request that doesn’t classify as DDOS. You can learn more here, DDOS and Billing.
About your second question: you charged per 1M requests that go through to your application after applying all the rules (as per the image shared earlier). The pricing is dependent on the region. So, I’d request you to read more on the Usage & Pricing for Vercel WAF docs.