You make a contract with a company that does layer 3 ddos protection, you advertise a route including their AS on a subset of your prefixes and they route to you over a GRE tunnel.
With these services the forwarding happens at a lower level. The traffic doesn't come from them - the source address is whoever actually sent the traffic. And the destination address is you, but the Internet thinks they are hosting you. They can't just forward the same packets to you because they'd just go back to the DDoS provider because that's where "you" "are". So they put the packets inside other packets and send them to you on a different address.
I suppose they could rewrite the destination to be your real address, and then send them to you without extra layers; you wouldn't get to know what the original destination address was; maybe if you only have one, it doesn't matter.
