How to protect myself against paid DDoS services?

Have a dedicated router or firewall to do the filtering.

The reason your CPU is being stressed is that the software firewall on your system is attempting to handle way more packets that your system can tolerate.

Having a hardware router or firewall drop packets before they hit your computer should do the trick. Of course, there IS a limit even to dedicated routers or firewalls. So it really comes down to how much resources the attacker is willing to use to DDoS you.

Besides that, there is really nothing else you can do to stop an attacker, besides coordinating with your ISP to block the incoming packets or reporting the matter to law enforcement.

In your current setup, the first thing you can do is to add rule to drop this specific traffic. I don't know firewall product you're using, so YMMV.

• rule shall be based on layer 3 - layer 4 properties, i.e. src port 1234 and dst port 80
• rule shall be placed on top of ruleset - that may help with CPU
• rule shall silently drop the traffic (not reject), for two reasons:
  • sending resets eats your bandwidth and cpu
  • sending resets confirms that your host is active and asks for more

For this particular scenario - small, managed switch with access list(s)may do a brilliant job, i.e. something like Cisco 2960-C fanless, compact series.