I'm not concerned about this, personally.

On my home server, there are only two ports open to the internet -- one for my SSH server, and one for my VPN server. Both of those are running on nonstandard ports.

In order to DDOS me, an attacker has to find those ports, which would require a comprehensive scan (increasing the chances that they'll get blocked by my ISP or detected by my antiscan monitor) or a huge amount of luck. And even then, they'll just be able to DDOS my SSH server and VPN. That wouldn't be awesome, but wouldn't exactly be disastrous.




You can change your ports but it won't prevent "Eve" from scanning for those as you mention yourself. I think this belongs to the realm of "security through obscurity" tactics and won't be safe in the long run.

I can prevent being blocked by your ISP by adjusting the timings etc. of my scripts.

I think it's far more important to take a look at the supported key exchange algorithms etc.


You are correct. This falls into the cost/benefit calculation of security. A DDOS attack on my home network would be annoying, but not devastating, so I'm willing to accept a little vulnerability to them in exchange for other benefits.

> I can prevent being blocked by your ISP by adjusting the timings etc. of my scripts.

But that won't let you escape detection by my system's own defenses. Well, you could if you slowed down the scan enough -- but "enough" is pretty darned slow.
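The scan-detection tradeoff these two comments argue over, as an added example that is not from the thread or from either commenter: a sliding-window scan detector run over constructed firewall drop-log lines (the log format, the IPs and the ports are all made up for the example), showing that how slow is "enough" to slip past the monitor is set by the defender's choice of window length.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format, not from the thread: "<ISO timestamp> DROP <src_ip> -> <dst_port>"
LINE_RE = re.compile(r"^(\S+) DROP (\d+\.\d+\.\d+\.\d+) -> (\d+)$")


def detect_scanners(lines, window, threshold):
    """Return {src_ip: time_first_flagged} for every source that hit at least
    `threshold` distinct destination ports inside any sliding window of length
    `window`. Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)  # src_ip -> deque of (timestamp, port), oldest first
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a drop record
        ts = datetime.fromisoformat(m.group(1))
        src, port = m.group(2), int(m.group(3))
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:  # expire probes older than the window
            q.popleft()
        if src not in flagged and len({p for _, p in q}) >= threshold:
            flagged[src] = ts
    return flagged


def make_scan(src, start, ports, interval):
    """Constructed log lines: one dropped probe per port, spaced `interval` apart."""
    return [f"{(start + i * interval).isoformat()} DROP {src} -> {p}"
            for i, p in enumerate(ports)]


START = datetime(2024, 1, 1, 0, 0, 0)
# A burst: 20 ports in 20 seconds.
FAST = make_scan("198.51.100.7", START, range(20000, 20020), timedelta(seconds=1))
# A patient scan: the same 20 ports, one probe every 15 minutes.
SLOW = make_scan("203.0.113.9", START, range(30000, 30020), timedelta(minutes=15))

if __name__ == "__main__":
    for name, lines in (("fast", FAST), ("slow", SLOW)):
        for hours in (1, 6):
            hit = detect_scanners(lines, timedelta(hours=hours), threshold=10)
            print(f"{name} scan, {hours}h window, 10-port threshold: {hit or 'not flagged'}")
```

With a one-hour window the slow scan never shows more than five ports at once and is missed; widening the window to six hours catches it after the tenth probe, at the cost of more state per source.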


If your IP doesn't change that often or is static, I'm curious how much Shodan knows about your open ports?
