KimCho gave a good rundown, but I feel like a few refinements are necessary.
1. Yes and no. Some start from scratch while others heavily modify existing open source server cores. But if we're talking about your average 5-20 player server, it's probably straight open source with minor modifications, if any.
1b. Again, yes and no. Some may incorporate aspects from repacks, others may not use them at all, and others may use significantly more content straight from repacks without modification.
2. Another yes and no. It depends on the population and the person's own resources. A small server can easily be run off a consumer-grade home computer. But anyone intending to host 50+ people will be renting a physical dedicated server (an individual server machine) or a virtual machine (part of a server's resources), and only because the bandwidth required for that many concurrent connections exceeds most consumer speeds.
2b. You can run WoW off any sufficient host; it's only a problem when you get caught, either because the host finds out on their own (almost always against ToS) or because Blizz goes after you (unlikely unless you're popular and/or making money). You can host internationally, pay for "black market" hosting, host it yourself, or take your chances with commercial hosts.
3. Being DDoS'd is always a risk, but there are mitigation techniques (note: that's mitigation, not immunity) like aggressively filtering traffic. But in the end, there's not much that can really be done. If you're actively being DDoS'd, the usual method is to just null route the address and wait it out. The fact of the matter is that with stronger and stronger DDoS mitigation comes larger and larger amounts of money to pay for professional services (read: network resources). Besides, mitigation would be something you would do yourself if you were hosting on a home physical dedicated server.