I don't think it is risky at all.
As long as you properly forward your port, you really aren't leaving all that much open at all.
Your router has a built-in firewall.
If someone DDoSed your IP you could just call your ISP and request a new IP address, being more careful about who you give it out to.
If you only give it to friends there is really no risk.
What is DDoSing? And how is it bad? If there is really any major security risk to hosting it locally, I don't think I'll do it.
DDoS is essentially... Think of your network as a house. It is illegal for people to enter your home, but it isn't illegal for them to knock on your door. What a DDoS does is essentially send thousands and thousands of "people" to "knock" on your door. This huge amount of traffic prevents people who you'd like to allow into your home from getting in, because of all the congestion, and eventually your network will pretty much fail.
That is essentially the only form of attack you'd need to worry about. There is no reason to think you'd ever be attacked. The only reason would be if some guy who actually had a lot of skill got onto your Minecraft server, and wanted you guys to have a bad time.
If you're sharing this among your friends, and as far as you know none of them have a secret army of bots to attack you with... then you're pretty much 100% risk free.
My network is open for lots of things, like RDP, FTP, Vent, Minecraft, all kinds of things. I leave the ports open even though I don't always have the services running. I have never had a problem.
A private server is no more immune to these things than you are. It's just that when you get attacked you will have 0 control over the response and 0 say in the matter; your paid server will probably just drop you from their service and call it a day.