Hey,
Those are good recommendations for implementing general security around a website, but unfortunately they will not completely fix your problem. By getting an SSL certificate, it will create an encrypted connection between your site visitors and your website. All of those connections will remain private and the data will be encrypted. This is a good practice, but it won't stop the incoming connections coming to your server. It would be beneficial to have this for your site in the future, but it won't resolve this issue.
The cloud-based CDN/firewall services could help in your situation, but so will other free plugins. You should be able to use the free version of Wordfence to block based on that URI pattern. As long as the malware is out there and machines are still infected, you will receive these same incoming connections. Are you receiving any extra bandwidth costs with these incoming connections? If you go with this option, I would ask these companies if they have run into this situation before and if they have any recommendations. You don't want to just be blocking traffic all the time at this scale; ideally you don't want any of this traffic coming to your site.
This is a really unique problem and unfortunately I don't see how you can resolve the issue without changing your domain name. With the constant incoming connections from over 400 machines and the negative reputation on the Internet with this domain, I would recommend a new domain. You could slowly migrate traffic over to the new domain and then eventually shut this domain off.
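As an added example (not part of the reply above, and not Wordfence's or any plugin's code), the following Python script does the measurement the reply asks about before you decide between a firewall rule and a new domain: it parses web-server access-log lines in the common combined format, counts the requests that match the callback URI pattern, lists the distinct source addresses behind them, and totals the bytes served to them so you can see what share of your bandwidth that traffic consumes. The URI pattern `/update/check.php?id=...` and the log lines are constructed placeholders for illustration; substitute the real pattern from your own logs.

```python
import re
from collections import Counter

# Combined log format (Apache/nginx):
# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Placeholder for the URI pattern the infected machines keep requesting
# (an assumption for this example; replace it with the pattern seen in your logs).
CALLBACK_URI = re.compile(r'^/update/check\.php\?id=[0-9a-f]+$')

# Constructed sample log lines, not real traffic. Documentation-range IPs only.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /update/check.php?id=3fa9 HTTP/1.1" 404 1520 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php HTTP/1.1" 200 8430 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "GET /update/check.php?id=3fa9 HTTP/1.1" 404 1520 "-" "Mozilla/4.0"
203.0.113.11 - - [10/Oct/2023:13:55:39 +0000] "GET /update/check.php?id=77b2 HTTP/1.1" 404 1520 "-" "Mozilla/4.0"
203.0.113.12 - - [10/Oct/2023:13:55:40 +0000] "POST /update/check.php?id=c001 HTTP/1.1" 404 1520 "-" "Mozilla/4.0"
198.51.100.8 - - [10/Oct/2023:13:55:41 +0000] "GET /about/ HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
malformed line that the parser must skip
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def summarize_callbacks(log_text, uri_re=CALLBACK_URI):
    """Split the log into callback traffic (path matches uri_re) and everything else.

    Returns request counts, bytes served, and a Counter of source IPs
    for the callback traffic so the scale of the problem can be quantified.
    """
    summary = {
        "callback_requests": 0,
        "callback_bytes": 0,
        "other_requests": 0,
        "other_bytes": 0,
        "sources": Counter(),
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:          # skip lines that are not in the expected format
            continue
        if uri_re.match(rec["path"]):
            summary["callback_requests"] += 1
            summary["callback_bytes"] += rec["bytes"]
            summary["sources"][rec["ip"]] += 1
        else:
            summary["other_requests"] += 1
            summary["other_bytes"] += rec["bytes"]
    return summary


def callback_share(summary):
    """Fraction of all served bytes that went to callback traffic (0.0 for an empty log)."""
    total = summary["callback_bytes"] + summary["other_bytes"]
    return summary["callback_bytes"] / total if total else 0.0


if __name__ == "__main__":
    s = summarize_callbacks(SAMPLE_LOG)
    print(f"callback requests: {s['callback_requests']} from {len(s['sources'])} source IPs, "
          f"{s['callback_bytes']} bytes ({callback_share(s):.0%} of served bytes)")
    for ip, n in s["sources"].most_common():
        print(f"  {ip}: {n} requests")
```

Run it against a real log with `summarize_callbacks(open("access.log").read())`; the distinct-source count tells you whether blocking by address is even feasible (the reply mentions over 400 machines), while the byte share tells you whether a URI-pattern block at the plugin or CDN layer is saving you anything measurable or whether the traffic is still reaching and costing the server either way.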