I don't believe fail2ban would be very helpful in this case.
Fail2ban operates by blocking connections that have had multiple failed connections from a particular IP address. This isn't true during a DDoS.
You'll need to decide whether to filter with the firewall or the webserver itself. The firewall (iptables) is good for heavy-handed stuff, but the webserver can generally do more delicate filtering (like checking for referral types).
For iptables, using something like the length limit may be good for empty requests; conntrack may be good for ensuring connections have actually been established. Make sure to log and check these before implementing instead of just dropping them, since you will discover mysterious issues.
https://www.frozentux.net/documents/iptables-tutorial/ (Conntrack match, Length match)
Make sure to not lock yourself out by having some external method of logging in / automatic disabling of firewall.
How to prevent myself from locking out of iptables
I don't know the webserver you're using, but nginx has some good tools for filtering connections.
https://www.cyberciti.biz/tips/linux...-security.html
Code:
### Deny certain Referers ###
# Reject requests whose Referer header matches either word (case-insensitive).
if ( $http_referer ~* (babes|girl) )
{
    # return 404;   # alternative: hide the resource instead of refusing it
    return 403;
}
##
Finally, if you're hosting with a provider, contact them. Part of their job is often to handle DDoS attacks on your behalf.
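As an added example that is not part of the original post: the conntrack and length ideas above, built as an iptables chain that only LOGs (the DROP lines stay commented out until the logs have been reviewed), with a dry-run mode that prints the commands instead of applying them and a timed rollback as the lockout guard. The chain name, the 80-byte length threshold and the 5-minute rollback window are my own assumptions to tune from the log lines.

```shell
#!/bin/sh
# Added example, not from the original post. DRY_RUN=1 (default) prints the
# iptables commands; DRY_RUN=0 runs them (needs root). Chain name, the 0:80
# byte threshold and the rollback window are assumptions, not page facts.

ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_http_filter() {
    port="${1:-80}"

    # Own chain so it can be flushed without touching the rest of INPUT.
    ipt -N HTTP_FILTER
    ipt -F HTTP_FILTER

    # conntrack: packets belonging to no tracked connection. Log a sample
    # (rate-limited so the log itself cannot be flooded); DROP only after review.
    ipt -A HTTP_FILTER -m conntrack --ctstate INVALID \
        -m limit --limit 10/min -j LOG --log-prefix "HTTP_INVALID: "
    # ipt -A HTTP_FILTER -m conntrack --ctstate INVALID -j DROP

    # length: data segments (PSH set) on established connections that are too
    # short to hold a real request. Assumed threshold 0:80 bytes; tune from logs.
    ipt -A HTTP_FILTER -m conntrack --ctstate ESTABLISHED \
        -p tcp --tcp-flags PSH PSH -m length --length 0:80 \
        -m limit --limit 10/min -j LOG --log-prefix "HTTP_SHORT: "
    # ipt -A HTTP_FILTER -m conntrack --ctstate ESTABLISHED -p tcp \
    #     --tcp-flags PSH PSH -m length --length 0:80 -j DROP

    # Only web traffic enters the chain.
    ipt -A INPUT -p tcp --dport "$port" -j HTTP_FILTER
}

# Lockout guard: when applying for real, schedule removal of the chain in
# 5 minutes; cancel the job with atrm once you have confirmed you still get in.
schedule_rollback() {
    port="${1:-80}"
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "dry run: no rollback scheduled"
        return 0
    fi
    echo "iptables -D INPUT -p tcp --dport $port -j HTTP_FILTER; \
iptables -F HTTP_FILTER; iptables -X HTTP_FILTER" | at now + 5 minutes
}
```

Run `DRY_RUN=1 sh -c '. ./filter.sh; build_http_filter 80'` to review the generated rules before applying anything.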