The fact that CSF only handles minor protection has more to do with server resources than the actual bandwidth, though bandwidth has a slight bit to do with it.
The server itself can only handle so many requests and processes before overloading. Continually flooding the server with requests is going to do precisely what CSF is there to prevent: overload it.
In the end, yes, either a 3rd party DDOS protection service, or that of your provider is going to be needed for a true DDOS.
Tom Whiting, WHMCS Guru