Depends on how big the attack is I think - inbound connection handling is not free, even if you're just rejecting
I think Ryan is referring to the usual requirement that the server's IP address is changed if switching to a CDN to avoid DDoS, since otherwise the attackers can usually just bypass the CDN by sending requests to the original IP of the server.