How to protect against DDoS over TCP/UDP?
There are 100 Mbit/s and 1 Gbit/s channels, as well as various applications on the servers. How to protect your servers from elementary DDoS attacks via TCP/UDP? Are there any free solutions to protect with your own funds without the involvement of third parties?
In principle, it is impossible to protect yourself from DDoS. There have been cases when a bot attack simply brought down the main channel, along with the whole country in which the equipment of the DDoS protection service that was trying to cover the attacked client was located. It is possible to protect only against DoS of a certain level. And here the question arises of the professionalism of your admins, who will quickly find effective solutions at the time of each individual attack, and your willingness to invest in equipment that can cope with the loads. As experience shows, it is cheaper to rent this service from specialized services.
You still can't do without a higher provider.
Let me explain why: let's say your smart DDoS firewall detected it, killed the left traffic, and it did not reach the servers.
But the channel is still packed from the other side!
We need some way to tell the provider "Don't let these people come to me, cut right at your place!"
As an option for automating this, I suggest looking towards BGP Flowspec.
Given that BGP Flowspec can also be raised between telecom operators, it becomes possible to stifle DoS at inter-operator junctions, or even right at the source.
fight off small ddos on your own without buying expensive software and hardware or renting other services.
How to protect your servers from elementary DDoS attacks via TCP/UDP?
See how intense they are. If the attack is on a channel or on a protocol, then OS network filters will not help.
Are there any free solutions to protect with your own funds without the involvement of third parties?
There was some tool in the last release of FreeBSD to deal with this scourge. Only this method cannot be called especially free: you need to buy additional servers, configure the software, and support it.
How to protect against DDoS over TCP/UDP?
There is Cloudflare with interesting offers and the most distributed filtering system.
The easiest thing is to change the address. And communicate this address to customers. It is not certain that the attacking system learns the address from the same source as the clients.
In addition to changing the address and working with the operator, you can set up an attack detection and port scanning system (Snort, psad, ...) on your server in order to update the firewall rules according to the system. This will allow your server to last longer, and you to detect an attack in time and do something (for example, change the address).
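The detect-then-update-the-firewall loop described in the last answer, as an added example that is not part of the original answers and is not psad or Snort code. It assumes netfilter LOG lines in syslog and an existing nftables set named `blocklist` in table `inet filter` created with the timeout flag; the log lines, thresholds and names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

def _line(sec, src, proto, dpt):
    # Constructed log line in the netfilter LOG format written to syslog.
    return (f"Jan 10 12:00:{sec:02d} gw kernel: IN=eth0 OUT= SRC={src} "
            f"DST=198.51.100.10 LEN=60 TTL=52 PROTO={proto} SPT=40000 DPT={dpt}")

# Constructed sample covering one observation window.
SAMPLE_LOG = (
    [_line(s, "203.0.113.5", "TCP", 20 + s) for s in range(12)]    # port sweep
    + [_line(s, "203.0.113.77", "UDP", 53) for s in range(40)]     # one-port flood
    + [_line(3, "192.0.2.10", "TCP", 443), _line(9, "192.0.2.10", "TCP", 443)]
)

FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

def detect(lines, max_ports=10, max_packets=30, allowlist=frozenset()):
    """Return {source_ip: reason} for sources over either per-window threshold."""
    ports, packets = defaultdict(set), defaultdict(int)
    for line in lines:
        f = dict(FIELD.findall(line))
        src = f.get("SRC")
        if src is None or src in allowlist:   # never block your own or trusted hosts
            continue
        packets[src] += 1
        if "DPT" in f:
            ports[src].add((f.get("PROTO"), f["DPT"]))
    verdicts = {}
    for src, count in packets.items():
        if len(ports[src]) > max_ports:
            verdicts[src] = "port-scan"
        elif count > max_packets:
            verdicts[src] = "flood"
    return verdicts

def nft_commands(verdicts, table="inet filter", set_name="blocklist", timeout="1h"):
    """Render block entries; table and set names are assumptions, not a real setup."""
    cmds = []
    for src in sorted(verdicts):
        try:
            ip = ipaddress.IPv4Address(src)   # reject anything that is not a plain IPv4
        except ValueError:
            continue
        cmds.append(f"nft add element {table} {set_name} {{ {ip} timeout {timeout} }}")
    return cmds

if __name__ == "__main__":
    print("\n".join(nft_commands(detect(SAMPLE_LOG))))
```

Timed set entries expire on their own, which limits the damage when a flood uses spoofed source addresses. As the other answers point out, this only protects the host itself; it does not free a saturated channel.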