Most sites can probably make do with ddos mitigation from their hosting provider.

Larger hosting providers may have enough bandwidth to accept and drop most inbound volumetric DDoS. Smaller providers often contract with a DDoS mitigation service; during an attack the mitigation service BGP announces the attacked range, filters out problematic traffic and forwards the rest.

It's been at least 7 years since I ran servers that routinely saw DDoS... at that time, we didn't tend to attract attacks anywhere near 10Gbps, so having 10G connections for severs likely to be targetted did most of the work. I'm sure it's worse now, so 10G might not cover easy attacks but 100G servers aren't hard to find. Attacks do get larger than 100G, but most sites won't be hit with a large attack.

For a small site, taking an outage during a DDoS is often an acceptable alternative too.