From my experience, what brings a site down is really rarely an *actual* DDoS. Most of the time it is an organic traffic spike hitting a slow back-end.
Hence:
1. microcaching
2. my exasperation with CloudFlare calling everything a DDoS 🙄
But I digress!
We did get honest-to-Dog DDoSes, some pretty substantial. When that happened we just… swapped out *all* active fasadas.
The DDoS would happily continue against the 4 to 6 old IP addresses… While new visitors would get served from other nodes. 😸