When you are under a DDoS attack, you can run this command to check the number of connections per IP (note the `-E`: in basic grep the `|` would be a literal character rather than alternation, and the fifth netstat column is the foreign address, so this works for IPv4 peers):
netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
and then drop any IP with, let's say, 300 connections:
iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP
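Here is the same two-step procedure wrapped into shell functions, as an added example that is not part of the original post. It runs over a constructed sample of `netstat -anp` output (the addresses and PIDs are made up) so it can be tested offline; for real use, pipe the live `netstat -anp` output into `over_threshold` instead. The threshold value, the function names and the sample lines are all assumptions of this example. The `drop_rule` function only prints the iptables command so you can review the list before applying it.

```shell
#!/bin/sh
# Added example (not from the original post). Counts connections per remote
# IPv4 address from netstat-style lines and lists addresses at or above a
# threshold. Only prints the iptables commands; nothing is executed.

# Constructed sample of `netstat -anp` output (tcp/udp lines only).
# Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address [State] PID/Program
SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:80         198.51.100.7:51234     ESTABLISHED 1234/nginx
tcp        0      0 10.0.0.5:80         198.51.100.7:51235     ESTABLISHED 1234/nginx
tcp        0      0 10.0.0.5:80         198.51.100.7:51236     SYN_RECV    -
tcp        0      0 10.0.0.5:80         203.0.113.9:40001      ESTABLISHED 1234/nginx
udp        0      0 10.0.0.5:53         203.0.113.9:40002                  999/named
tcp        0      0 10.0.0.5:22         192.0.2.33:55000       ESTABLISHED 4321/sshd'

# count_per_ip: read netstat lines on stdin, print "<count> <ip>" in ascending
# order. Field 5 is the foreign address for both tcp and udp lines; `cut -d:`
# strips the port (IPv4 only, as in the original one-liner).
count_per_ip() {
  grep -E '^(tcp|udp)' | awk '{print $5}' | cut -d: -f1 \
    | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# over_threshold THRESHOLD: print remote IPs whose connection count is >= THRESHOLD.
over_threshold() {
  threshold="$1"
  count_per_ip | awk -v t="$threshold" '$1 >= t {print $2}'
}

# drop_rule IP: print (do not run) the iptables rule that would block IP.
drop_rule() {
  printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Demonstration on the constructed sample with a threshold of 3:
# only 198.51.100.7 (3 connections) is listed.
main_demo() {
  printf '%s\n' "$SAMPLE_NETSTAT" | over_threshold 3 | while read -r ip; do
    drop_rule "$ip"
  done
}
main_demo
```

Review the printed rules before running them: a single busy NAT gateway or a CDN edge can legitimately hold many connections, so the threshold should be tuned against what your service sees in normal traffic.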