You'd still be charged for SYN+ACK and whatnot, although some providers charge for payload bytes only. If you're getting a lot of abuse, it'd make sense to drop packets with an IP firewall rather than HTTP config.
Once you're pretty well protected against 'layer 7' application-based DDoS, expect to get targeted with volumetric DDoS instead. That's just sending you garbage packets until you run out of inbound bandwidth; usually by spoofing UDP requests to the world from your IP. The requirement to handle that on your own is to have more inbound bandwidth than they're targeting you with; that and enough CPU to process their stuff, but drop all UDP and drop all IP fragments is easy for firewalls. If your IP is targeted for 10Gbps of abuse, and you have a 1G connection, chances are your host will null route your IP to protect its infrastructure, same deal if you attract 100Gbps of abuse on a 10G connection. Top volumetric attacks are around 2 Tbps now, but chances are you won't attract those.
And if it's a cheap VPS, your provider is going to drop you in a blink so that their other customers are not affected.
If you want to be able to withstand a DDoS, you need a WAF that can absorb the amount of bandwidth that the attacker is capable of delivering, while also being capable of filtering enough of it that your service is not overwhelmed anyway.
Also, if you have ever hosted your service directly on the public IP of your VPS, you also probably need to change it. If an attacker sees your service is suddenly behind CloudFlare, they can search sites that keep a history of domains' public IPs and will attack all of them to see if they can skirt around your WAF.
Ideally, you need to keep the IPs of your services completely private and then firewall them such that only your WAF provider can forward traffic to them.
https://blog.torproject.org/trouble-cloudflare/?ref=troyhunt...
There's a good guide somewhere I read a few months back; I'm trying to find it. In the meantime, check over on r/selfhosted.
https://www.reddit.com/r/selfhosted/comments/132g8un/what_da...
Based on some of your comments, it sounds like what you're really asking is "Is there anything I can do to mitigate it myself?" and my answer to that is:
Not really. Once the traffic hits your host, it's hitting your host no matter what, even if you shut off the web server or firewall the port. Traffic is cheap for criminals, so they can essentially send down whatever throughput is needed for the job.
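Added example, not part of any post in this thread: the origin lockdown suggested above (firewall the service so that only your WAF provider can forward traffic to it), written as a shell function that generates an nftables ruleset without loading it. The provider ranges and admin address are constructed documentation addresses, and the function and table names are assumptions; substitute the list your provider publishes.

```shell
#!/bin/sh
# Added example. All addresses are constructed (RFC 5737 documentation ranges),
# not any provider's real list; function and table names are assumptions.
WAF_RANGES_SAMPLE='192.0.2.0/24
198.51.100.0/24
# comments, blanks and malformed entries are skipped
not-a-cidr
203.0.113.7/33'

# Keep only well-formed IPv4 CIDRs from stdin (octets <= 255, prefix <= 32).
valid_cidrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' |
        awk -F'[./]' '$1<=255 && $2<=255 && $3<=255 && $4<=255 && $5<=32'
}

# gen_ruleset ADMIN_CIDR [PORT] < ranges
# Prints an nftables ruleset: default-drop input, SSH from the admin range,
# the web port only from the WAF ranges. Nothing is loaded into the kernel.
gen_ruleset() {
    admin_cidr=$1
    port=${2:-443}
    printf '%s\n' "$admin_cidr" | valid_cidrs | grep -q . ||
        { echo "bad admin CIDR: $admin_cidr" >&2; return 1; }
    elements=$(valid_cidrs | sort -u | paste -s -d, -)
    # With no valid range the origin would accept no web traffic; refuse instead.
    [ -n "$elements" ] || { echo "no valid WAF ranges" >&2; return 1; }
    cat <<EOF
table inet origin_lockdown {
    set waf_v4 {
        type ipv4_addr
        flags interval
        elements = { $elements }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ip saddr $admin_cidr tcp dport 22 accept
        ip saddr @waf_v4 tcp dport $port accept
    }
}
EOF
}

# Demo on the constructed list; review the output, then check it with
# "nft -c -f FILE" before loading. IPv6 is dropped entirely by this policy.
printf '%s\n' "$WAF_RANGES_SAMPLE" | gen_ruleset 203.0.113.10/32 443
```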