To add for people who might not be up on the technical aspects: DDOS mitigation works only if you have absolutely enormous amounts of bandwidth and compute resources to intercept and scrub the traffic.

It’s not some magic wand someone is waving at a server and poof the DDOS disappears; it still comes into a datacenter, hits a server and is then mitigated before making it to your actual host.

So you have to invest in enough bandwidth and hardware to outscale the largest DDOS you’re expecting, which is going to be far less than what’s going to REALLY happen, and it has to be available even when nothing is going on.

It’s expensive to offer, expensive to run, and only really gets “affordable” at the scale of someone like Cloudflare or Akamai or a hyperscaler.

It’s either private, good, or cheap: pick one, maybe two.