Isn't DDoS mitigation an area where obscurity is the standard? I am no expert on this but it seems like most providers keep the info about how they filter traffic pretty close to the chest.
As far as I can tell (as someone in the networking field but not a DDoS or HA expert), the standard for DDoS mitigation is basically "be bigger": too many POPs/routes, too much capacity to eat packets and establish TCP connections, capacity to serve cached responses, etc. such that even a huge attack simply can't exhaust your resources. To even think about classification and filtering means that you're somehow ingesting and processing this stuff; DDoS becomes threatening exactly when you lack the capacity to do that.
Not really; no. DDoS mitigation is actually a pretty standard bag of tricks. Cloudflare describes their setup in pretty deep detail via engineering docs. Technically you might have to talk to their sales people to get them, but that's more to fill their sales pipeline than anything.
I'm by no means a networking professional, so maybe take this with a grain of salt, but no, your only two options are to handle the traffic or not. At a low DDoS level you can offload certain traffic like dropping packets from certain IPs before your web layer gets to deeper inspection, but if there is enough traffic to overwhelm your layer 3 devices, you'll drop packets on the floor.
Alternatively you can usually let Akamai or similar advertise your IPs, and let them help with the load, but ultimately that's just distributing traffic to more devices so you can still check IPs against a blacklist.
Since we're talking about the availability aspect of security, there is hopefully no obscurity involved (confidentiality on the other hand is nothing but obscurity). And really, an obscurity technique like using alternate ports won't even help you much because that still hits your firewall and requires processing on each packet.