Of course you do. What you mean is that you do not ONLY need to use a firewall to mitigate a DDoS attack.
A firewall operates as a router and is a gateway hop. All you do on the firewall is set the targeted host as destination host unreachable to the attacking sources.
If you set that on the firewall, you will still be receiving an extremely large amount of data travelling to your website. The fact is, there is no way for you to detect all the attacking sources at such a large scale. Say you set this rule on your firewall for 10 000 attacking sources: how will you do that in minutes? Remember, you need to determine every IP that is attacking, which, fair enough, can be determined easily with some network monitoring tools, and this from a series of different IP ranges. So you set your rules, and the attacker changes the proxy that the attack is generating from (given that it is a completely controlled movement and is not run via Windows viruses), leaving your rule pointless.
Keep in mind that many of the anonymous attacks are botnets being run willingly on user computers... They can just as simply say, please reboot your router to get a new dynamic IP.
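Added example, not part of the original post: a small Python check of how much traffic a per-source blocklist still matches after the sources rotate as described above. The log format, addresses, threshold and function names are all constructed for illustration, and the /24 widening goes beyond the post to show the collateral cost of broader rules.

```python
import ipaddress
from collections import Counter

def make_window(hits):
    # Constructed log lines "<src-ip> GET /", one line per request.
    return [f"{ip} GET /" for ip, n in hits for _ in range(n)]

# Constructed traffic (documentation ranges); 192.0.2.200 is a legitimate client.
WINDOW_1 = make_window([("192.0.2.10", 5), ("198.51.100.20", 5), ("192.0.2.200", 1)])
# Same attack minutes later: one source got a new dynamic IP from the same
# pool, the other moved to a proxy in a different range.
WINDOW_2 = make_window([("192.0.2.77", 5), ("203.0.113.99", 5), ("192.0.2.200", 1)])

def flag_sources(lines, threshold=3):
    """Source IPs seen at least `threshold` times in the window."""
    counts = Counter(line.split()[0] for line in lines)
    return {ip for ip, n in counts.items() if n >= threshold}

def build_rules(sources, prefix_len=32):
    """One block rule per source, optionally widened to /prefix_len, then merged."""
    nets = [ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in sources]
    return list(ipaddress.collapse_addresses(nets))

def is_blocked(rules, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in rules)

def coverage(rules, lines):
    """Fraction of requests in the window whose source matches a rule."""
    srcs = [line.split()[0] for line in lines]
    return sum(is_blocked(rules, s) for s in srcs) / len(srcs)

if __name__ == "__main__":
    flagged = flag_sources(WINDOW_1)
    per_ip = build_rules(flagged)        # exact /32 rules
    wide = build_rules(flagged, 24)      # widened to /24 networks
    for name, rules in (("per-IP", per_ip), ("/24", wide)):
        print(f"{name}: {len(rules)} rules, "
              f"window 1 coverage {coverage(rules, WINDOW_1):.2f}, "
              f"window 2 coverage {coverage(rules, WINDOW_2):.2f}, "
              f"legit client blocked: {is_blocked(rules, '192.0.2.200')}")
```

The per-IP rules match nothing once the sources rotate, while the /24 rules catch only the source that stayed in its pool and block the legitimate client alongside it.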