External software/hardware. Why? The reason is simple: you want to protect your service from too much unnecessary workload, and when the checks are done by your service you are not protecting it, you're just making it worse. So DDoS attacks should be stopped before they reach your service, because when they do, they eat up resources.
Of course you can employ multilevel security, where besides the firewall you do some checks by your service, but it should be an additional solution, not the primary one. Firewall sw/hw is designed to handle and block too much load; your REST service is not.