DDoS mitigation services can be very costly depending on scale and circumstance. Why then go through the trouble and expense of employing these services if it is not going to be used to its full potential? Listen to the recommendations of the people in the industry who stake their reputation on protecting you. Stop being lazy and whitelist nothing but the CBSP's IPs. It is naive to think a motivated knowledgeable attacker will not find out what your origin is. Talk to anyone in the space and odds are they have at least one example of this kind of oversight being taken advantage of. A paper was recently published by The Department of Computer Science at Stony Brook University on the topic
here. As can be seen by reading the paper, it is easy for anyone with the knowledge of certain tools existence, to determine the origin completely bypassing any benefit of DDoS mitigation services. Hopefully this serves to educate and protect.
