Sometimes DDoS is 'layer 7', running you out of CPU etc on requests that are easy to make and hard to service. Try to avoid that?
Otherwise, DDoS is usually volumetric: send you more packets than will fit on your network interface. The only prevention is larger interfaces, but 1Gbps of DDoS was readily available when I was dealing with it in 2018ish and it was pretty clear that people were using the site I ran as a test target for DDoS as a service (always exactly 90 seconds of junk traffic on our www, very rarely a real service host, etc). There was a recent crackdown on DDoS as a service, but I'd be surprised if 10Gbps isn't easily available now.
D/DOS protections mostly have to happen before the network packet reaches the OS. Handling the incoming data request requires enough OS resources to be used for DOS. There are some things you can do application-wise, such as avoiding reflection and amplification attacks. https://blog.cloudflare.com/reflections-on-reflections/
Nothing, if you're self-hosting in your home. Volumetric floods will saturate your ISP link.
If you’re hosting with a provider, your maximum factor will be how much your provider will “tank” for you.
Otherwise harden your ports, drop anything via iptables, turn on NOTRACK. Better but more advanced would be to use tc (traffic control) to drop bad packets before they enter the netfilter lifecycle.
Well you just have to find a way to eat the traffic without using up too many resources. Rate-limit by IP, drop certain types of packets, cache aggressively, respond to 400 errors with empty response, timeout long-running requests etc.
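Putting the two previous comments (NOTRACK on the public ports, dropping bad packets with tc, per-IP rate limiting) into concrete host configuration, as an added example that is not part of any post in this thread: an nftables ruleset plus a tc ingress filter. The interface name, the ports the host serves, the SYN budget per source and the UDP port list are all assumptions to be tuned for the actual host; with DRY_RUN=1 the script prints the commands instead of running them, which needs no root.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: eth0 is the public
# interface, the host serves 80/443 and SSH, 30 new connections per second
# per source is a sane budget, and the UDP ports listed are never served.
set -eu

IFACE="${IFACE:-eth0}"              # assumed public interface
WEB_PORTS="{ 80, 443 }"             # services this host actually offers
SYN_PER_SEC="${SYN_PER_SEC:-30}"    # per-source new-connection budget (assumption)

# Print instead of execute when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Ruleset: notrack on the web ports so a flood cannot fill the conntrack
# table, a per-source SYN rate limit kept in a dynamic set, and drops for
# malformed TCP flag combinations. Everything not listed is dropped by policy.
gen_ruleset() {
    cat <<EOF
flush ruleset
table inet ddos {
    set synlimit {
        type ipv4_addr
        flags dynamic
        timeout 1m
    }
    chain raw_in {
        type filter hook prerouting priority raw; policy accept;
        tcp dport $WEB_PORTS notrack
    }
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state invalid drop
        ct state established,related accept
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop
        tcp flags & (fin|syn) == fin|syn drop
        tcp flags & (syn|rst) == syn|rst drop
        tcp dport $WEB_PORTS tcp flags syn add @synlimit { ip saddr limit rate over ${SYN_PER_SEC}/second } drop
        tcp dport $WEB_PORTS accept
        tcp dport 22 ct state new limit rate 10/minute accept
        icmp type echo-request limit rate 5/second accept
    }
}
EOF
}

apply_ruleset() {
    if [ "${DRY_RUN:-0}" = 1 ]; then gen_ruleset; else gen_ruleset | nft -f -; fi
}

# tc ingress: drop UDP aimed at ports this host never serves before the
# packet reaches netfilter at all. The ports are common reflection vectors;
# the list is an assumption and must match what the host does not run.
tc_ingress() {
    run tc qdisc add dev "$IFACE" handle ffff: ingress
    for p in 19 53 123 161 1900 11211; do
        run tc filter add dev "$IFACE" parent ffff: protocol ip prio 1 u32 \
            match ip protocol 17 0xff match ip dport "$p" 0xffff action drop
    done
}

# Usage: DRY_RUN=1 sh harden.sh apply   (print)   |   sh harden.sh apply   (as root)
if [ "${1:-}" = apply ]; then apply_ruleset; tc_ingress; fi
```

The untracked web ports are accepted explicitly rather than through `ct state established`, because notrack means those flows never get a conntrack entry; the SYN budget in the dynamic set is what bounds a single source, and the policy drop at the end is what makes the tc filter a cost saving rather than the only line of defence.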
Depends what you are protecting. A website or http traffic? Stick it behind cloudflare. Services on other ports or protocols like TCP or UDP? You could rent a cheap VPS at a provider that DOES have inline protection and use that instance to reroute traffic to your own server via a GRE tunnel.
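The GRE reroute described above, as an added example that is not part of the original post: a protected VPS fronts an origin server, DNATs the web ports over the tunnel, and the origin routes its replies back through the tunnel so the VPS can reverse the DNAT. The VPS and origin public addresses (TEST-NET placeholders here), the tunnel subnet, the WAN interface name and the forwarded ports are assumptions; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread. Run "vps" on the protected VPS and
# "origin" on the server being hidden behind it. Addresses are placeholders.
set -eu

VPS_PUB="${VPS_PUB:-203.0.113.10}"        # placeholder public IP of the VPS
ORIGIN_PUB="${ORIGIN_PUB:-198.51.100.20}" # placeholder public IP of the origin
WAN_IF="${WAN_IF:-eth0}"                  # assumed WAN interface on the VPS
VPS_TUN=10.99.0.1                         # tunnel /30, assumption
ORIGIN_TUN=10.99.0.2
FWD_PORTS="{ 80, 443 }"                   # ports to publish through the VPS

# Print instead of execute when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Both ends: point-to-point GRE interface.  $1 local public, $2 remote public, $3 tunnel address
gre_up() {
    run ip tunnel add gre1 mode gre local "$1" remote "$2" ttl 255
    run ip addr add "$3/30" dev gre1
    run ip link set gre1 up
}

# VPS side: enable forwarding and DNAT the published ports to the origin's
# tunnel address. Only the destination is rewritten, so the origin still
# sees real client addresses; conntrack reverses the DNAT on the way back.
vps_setup() {
    gre_up "$VPS_PUB" "$ORIGIN_PUB" "$VPS_TUN"
    run sysctl -w net.ipv4.ip_forward=1
    run nft add table ip nat
    run nft add chain ip nat prerouting '{ type nat hook prerouting priority -100; }'
    run nft add rule ip nat prerouting iif "$WAN_IF" tcp dport "$FWD_PORTS" dnat to "$ORIGIN_TUN"
}

# Origin side: replies are sourced from the tunnel address and must leave via
# gre1 (policy routing), not the ISP link, or the VPS never un-DNATs them.
# The input chain only accepts the services via the tunnel, so direct hits on
# the origin's own public IP, which is what the tunnel is meant to hide, are dropped.
origin_setup() {
    gre_up "$ORIGIN_PUB" "$VPS_PUB" "$ORIGIN_TUN"
    # loose reverse-path check: client sources arrive on gre1 but route out elsewhere
    run sysctl -w net.ipv4.conf.gre1.rp_filter=2
    run ip rule add from "$ORIGIN_TUN" table 100
    run ip route add default via "$VPS_TUN" dev gre1 table 100
    run nft add table inet origin
    run nft add chain inet origin input '{ type filter hook input priority 0; policy drop; }'
    run nft add rule inet origin input iif lo accept
    run nft add rule inet origin input ct state established,related accept
    run nft add rule inet origin input ip protocol gre ip saddr "$VPS_PUB" accept
    run nft add rule inet origin input iif gre1 tcp dport "$FWD_PORTS" accept
}

# Usage: DRY_RUN=1 sh gre.sh vps | sh gre.sh origin   (as root on each box)
case "${1:-}" in
    vps) vps_setup ;;
    origin) origin_setup ;;
esac
```

Two points are easy to miss in practice: GRE itself carries no authentication or encryption, so the origin's input chain restricting protocol 47 to the VPS address is the only thing keeping arbitrary hosts from injecting into the tunnel, and the origin's public IP must never appear in DNS or in outbound mail headers, otherwise the flood simply goes around the VPS.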