First, disable search so that the rest of the site works while you fix it.
ddos through search is one of the simplest attacks.
it's all about slow queries to the database. most likely you have mysql with the innodb engine or another mysql database / engine that does not support full-text search, or it does but the index is not built.
Therefore, often a very small number of requests (4-10) is enough to put the site down.
There are several ways out:
1. Temporary measure - ban by ip or number of search queries per unit of time at the application level.
2. Checking the database, indexes and the slow queries themselves
3. Full-text search servers: sphinx, elasticsearch, solr, apache lucence, etc.

Enable search captcha.
Make it for registered users only.

If a DDoS attack has already begun, then you need to set up protection. The percentage that you will be left behind is very small, after defending the search, switch to another method of attack.
Try protection from SkyparkCDN . Test period 7 days (under attack 3 days), removal of the attack is free. Protection on L3, L4 and L7, and there is also a firewall for web applications. The cost of protection for the site from 2500 rubles.
Technical support works around the clock - write at any time.

SkyparkCDN is a beautiful wrapper, friendly attraction, motivating praise and demonstrative courtesy.
Like in textbooks on marketing and sales.
Transfer of payment information to third parties.
Luring the contacts of the final owner, under the pretext of a personal consultation, on a project with dimes and similar products.