You could whitelist all of our IPs, but down the line they may change, or you may want to give access to other services and experience the same issues. Instead, I’d suggest allowing all connections to XML-RPC, and disabling the vector typically used by hackers with a plugin like this one:
https://wordpress.org/plugins/disable-xml-rpc-pingback/

That should solve most of your DDOS problems while still allowing services like Jetpack to access your site’s XML-RPC file.

If your hosting provider doesn’t want to allow all connections to Jetpack, you can use these IPs:

• All of the IPs listed at http://whois.arin.net/rest/org/AUTOM-93/nets
• 185.64.140.0/22
• 2a04:fa80::/29