How to avoid from being getting costed for API gateway in case of DDOS attack

If you want to set a hard limit for requests then set a quota limit https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html#api-gateway-api-usage-plans-overview

A quota limit sets the target maximum number of requests with a given API key that can be submitted within a specified time interval.

Also take a look at usage plans https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-usage-plans-with-console.html#api-gateway-usage-plan-create

Note that API Gateway includes DDOS protection https://aws.amazon.com/api-gateway/faqs/#Security_and_Authorization

API Gateway automatically protects your backend systems from distributed denial-of-service (DDoS) attacks, whether attacked with counterfeit requests (Layer 7) or SYN floods (Layer 3)