Yes, sort of: there is a 3-way TCP handshake before any data is sent. So the initial part fails and no data is sent, though. So this, I think, would not work as a DDoS attack. The non-acknowledgement of SYN packets is a problem for the attacker.
Then, on the other hand, for the connections themselves, as they are not listening ports but established connections, the attacker needs to spoof the IP address and then go through the process of hijacking the connection.
So you really want to DDoS a system with a listening port and attack the port with valid-looking "invalid data (junk)". A few years back there were slow DDoS attacks where Apache servers, for instance, spawned a new thread and socket for each connection, so you just needed to keep the connection open (not close it at the HTTP level) to create denial of service there.
For us, I think the DDoS attack is unlikely to be effective outside the listening ports for bootstrapping, but these are not required to always run, as long as some do and can be found. Clients and vaults, though, gather their own bootstrap caches, which makes it harder as there is not a list of bootstrap nodes.
The exception, though, is the hard-coded nodes that are basically a fallback or seed position. A brand new client/vault will use these initially. Those are a target for denial of joining, but there are many threads about this one.