To find out which IP is causing the DDoS, we can run the following command:
tail -n 10000 logfile.log | cut -f 1 -d ' ' | sort | uniq -c | sort -nr | more
The top IP addresses would be the ones to block.
Another approach is to look at which resources are being requested:
cut -f 2 -d '"' logfile.log | cut -f 2 -d ' ' | sort | uniq -c | sort -nr | more
You will probably see that they are requesting a specific resource known to be a common attack target. For example, a common attack against WordPress would be:
GET /index.php? HTTP/1.0
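The two pipelines above, wrapped in functions and run against a small constructed access log so the counting can be checked offline; this is an added example, not part of the original post. It assumes the Apache/nginx "combined" log format (client IP in field 1, request line as the second double-quoted field), and the `ips_over_threshold` helper and the threshold value are illustrative choices for picking block candidates.

```shell
#!/bin/sh
# Added example: reproduce the IP and resource counting pipelines on a
# constructed sample log. Assumes the Apache/nginx "combined" log format.

# Constructed sample log lines (documentation IPs, not real traffic).
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php? HTTP/1.0" 200 512 "-" "curl/7.68.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php? HTTP/1.0" 200 512 "-" "curl/7.68.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php? HTTP/1.0" 200 512 "-" "curl/7.68.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php? HTTP/1.0" 200 512 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php? HTTP/1.0" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:55:40 +0000] "GET /style.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"'

# Top N client IPs by request count. Output: "<count> <ip>" per line,
# most frequent first (awk strips the leading padding that uniq -c adds).
top_ips() {
    # $1 = log text, $2 = number of rows to keep
    printf '%s\n' "$1" | cut -f 1 -d ' ' | sort | uniq -c | sort -nr \
        | head -n "$2" | awk '{print $1, $2}'
}

# Top N requested resources (the path from the request line), same shape.
top_resources() {
    # $1 = log text, $2 = number of rows to keep
    printf '%s\n' "$1" | cut -f 2 -d '"' | cut -f 2 -d ' ' | sort | uniq -c \
        | sort -nr | head -n "$2" | awk '{print $1, $2}'
}

# Hypothetical helper: IPs whose request count reaches a threshold, printed
# one per line, as candidates for blocking (threshold is a constructed choice).
ips_over_threshold() {
    # $1 = log text, $2 = minimum request count
    printf '%s\n' "$1" | cut -f 1 -d ' ' | sort | uniq -c \
        | awk -v min="$2" '$1 >= min {print $2}'
}

# Stand-alone run: show the top talkers, the top resources and the candidates.
top_ips "$SAMPLE_LOG" 3
top_resources "$SAMPLE_LOG" 3
ips_over_threshold "$SAMPLE_LOG" 3
```

On a live server replace `printf '%s\n' "$SAMPLE_LOG"` with `tail -n 10000 logfile.log` as in the original command, so only recent traffic is counted.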