How to fight off a DDoS attack on the site (server)?

More than 1000 requests per second in server-status
Screenshot from VestaCP
The server can't cope. I tried checking the IP addresses against unwanted countries and adding them to iptables like this:
iptables -I INPUT -s 172.69.186.0/24 -j DROP
The server revived a little, but it is still terribly slow.
As far as I can see in server-status, the attack is on the home page.
I have already blocked it in nginx, but server-status still shows over 1000 connections per second.
location = / {
    deny all;
}

What else can be done quickly and easily? Perhaps someone could help for a fee. Thank you.

P.S. Fresh screenshot from VestaCP:
As you can see, the attack is growing...

P.P.S. The attack ended:
April 4th 20 at 13:32
4 answers
April 4th 20 at 13:34
You can tinker with fail2ban, or, for example, hide behind Cloudflare.
Fail2ban really helps. And I block harshly: if fail2ban notices a port scan or an SSH authorization attempt, the IP goes into a ban for 1 day. - burdette.Hackett commented on April 4th 20 at 13:37
April 4th 20 at 13:36
Are the IP addresses that are hammering you all different? If there are not many, you can limit them to, for example, 3 requests per second per IP.

Is your site international or local? It can be restricted to only the desired regions.

If it is DDoS, you need to look at what the traffic is; if the packets are ones the server is a priori not interested in, just block them.
There are too many IP addresses to block them all. I wrote above what I was doing: blocked manually by checking geo. Since the traffic is on the home page, I then blocked it with nginx, https and http; that took the entire load off apache. - Leopoldo commented on April 4th 20 at 13:39
@Leopoldo, if it were nginx, geo could be closed off with
https://github.com/leev/ngx_http_geoip2_module
but for Apache I don't even know.

Blocking via iptables
# Chain for all connections with the SYN flag (it must exist before INPUT can jump to it)
iptables -N syn_flood

# Send all connections with the SYN flag to that chain
iptables -I INPUT 1 -p tcp --syn -j syn_flood

# Drops a source IP that sends more than 3 SYNs per second (burst of 10) to ports 80, 443, 7890; the entry expires 2 min (120000 ms) after its requests stop
iptables -I syn_flood 1 -p tcp -m multiport --dports 80,443,7890 --syn -m hashlimit --hashlimit-above 3/second --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name REQUESTS --hashlimit-htable-expire 120000 -j DROP
# If the total rate is under 500 SYN/s and the burst of 2000 is not spent, return to the main chain, otherwise drop
iptables -I syn_flood 2 -m limit --limit 500/s --limit-burst 2000 -j RETURN
iptables -I syn_flood 3 -j DROP

PS. This is just for information (as it was for me), i.e. it should not be applied mindlessly. - cleora17 commented on April 4th 20 at 13:42
@cleora17, nginx, followed by Apache. Now I'm picking nginx-module-geoip. ngx_http_geoip2_module, are there any differences? P.S. thanks for the reply ;-) - Leopoldo commented on April 4th 20 at 13:45
Can't say, I haven't had such tasks, no experience. - cleora17 commented on April 4th 20 at 13:48
April 4th 20 at 13:38
Hi, I have built protection with nginx + the Lua module, but it is a more complex variant of the testcookie module's approach, without constant switching (enabled only during an attack) and with heuristic checks.
By the way, most DDoS protection services that charge big money actually do about the same.
I also advise using ipset for faster blocking of bots with a single rule.
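An added example, not code from this thread, combining the per-IP rate check suggested in the second answer with the ipset advice in this one: it scans access-log lines for IPs that exceed a per-second threshold on a given path and emits the ipset/iptables commands that would block them (the log lines, the set name ddos_block and the timeout are constructed assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3}')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
203.0.113.5 - - [04/Apr/2020:13:30:01 +0300] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Apr/2020:13:30:01 +0300] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Apr/2020:13:30:01 +0300] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Apr/2020:13:30:01 +0300] "GET /?x=1 HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Apr/2020:13:30:01 +0300] "GET /about HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Apr/2020:13:30:02 +0300] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
not a log line
""".splitlines()

def parse_line(line):
    """Parse one combined-format (nginx/apache) line into (ip, epoch_second, path); None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split()
    if len(parts) < 2:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), int(ts.timestamp()), parts[1].split("?", 1)[0]

def find_flooders(lines, max_per_second=3, path="/"):
    """IPs that hit `path` (None = any path) more than max_per_second times within one second."""
    per_ip_sec = defaultdict(lambda: defaultdict(int))  # ip -> second -> hits
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, sec, req_path = parsed
        if path is not None and req_path != path:
            continue
        per_ip_sec[ip][sec] += 1
    return sorted(ip for ip, secs in per_ip_sec.items() if max(secs.values()) > max_per_second)

def ipset_commands(ips, setname="ddos_block", timeout=86400):
    """Shell commands (returned, not executed) that put offenders in a timed ipset matched by one rule."""
    cmds = [f"ipset create {setname} hash:ip timeout {timeout} -exist"]
    cmds += [f"ipset add {setname} {ip} -exist" for ip in ips]
    cmds.append(f"iptables -I INPUT -m set --match-set {setname} src -j DROP")
    return cmds

if __name__ == "__main__":
    print("\n".join(ipset_commands(find_flooders(SAMPLE_LOG))))
```

Entries added with a timeout fall out of the set on their own, so the block list does not grow without bound once the attack stops.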
April 4th 20 at 13:40
Hello) DoS Deflate is a lightweight bash shell script designed to assist in blocking denial of service attacks. You can try this script, maybe it will solve your problem)
