https://www.cloudflare.com/

There are two and a half options:
1. Your IP address was previously used to host some popular sites whose owners forgot to change their DNS settings (unlikely, but it happens).
2. This is standard internet spam vulnerability scanners.
2.5. This is indeed a DDoS attack.
You don’t need to do anything special with the first one - just hang a stub in the web server with 403 for requests to all non-existent domains. In the second case, you need to see if this is really an attack, and in this case, at least ban by IP.

Judging by the above logs, your HTTP server believes that absolutely all-all-all requests are intended for it. However, it does not respond with a 404 error to completely foreign domain names (for example, nanqiang.vip and httpbin.org). That is, your HTTP server is configured in the "default server" mode, when a request with absolutely any domain name is considered acceptable and is processed normally (files are read, content is generated, all this load on the CPU).
You need to set Apache to one, two, three, etc. specific domain names so that Apache fully serves only them. And for all other domain names, it will instantly respond with a 404 error.
Of course, this will not get rid of such spammers, but at least the server will be configured more correctly (there will be less CPU load), and spammers will receive an instant thrashing in the form of an error.
PS It is quite possible that a proxy server used to work on your IP address (obviously on port 80). And those computers on the Internet that were configured to proxy on this IP address are still trying to use it as a proxy server. True, they are no longer able to fully navigate WEB sites through your server, but they still try (the setting has not been canceled yet). It remains to endure ... Or change the IP address. Or switch to port 443.