There are SO many different kinds of DDOS you could be talking about.
For an ICMP ddos, (Ping flood) that's a router thing, not a gateway thing: specifically rate limiting in the router itself.
For a fully formed HTTP request flood, it comes down do what the attempt looks like... Load Balancers in HTTP mode can help you here, as they can usually do valid URL filtering too.
If the attack gets past the Load Balancer, and it just heavy random queries, the CPU in two or three 16 core hardware gateways, or 4 to 6 8 core VMware gateways should be lots to process 1 gigabit. Overall CPU consumption should be fairly minimal as long as you don't have hundreds of wildcard services There's a workaround assertion to use in a global message received policy if you do.
The strategy to handle that kind of traffic is to discard queries as quickly as possible. The gateway only processes calls that have valid URLs. Assuming the attackers found valid URLs, and are attempting to attack a specific API, there are several ways to limit attacks: Requiring and validating of credential being the most obvious and cheap one, as we heavily cache authentications. By using the customize error response, you can drop the connection directly from policy.
Customize Error Response Assertion - CA API Gateway - 9.2 - CA Technologies Documentation
Part of how we struggle with this is how many ways you can DDOS HTTP based systems. What kind of attack are you thinking about mitigating at the Gateway (as compared to Firewall or Load Balancer) layer?