iptables
Vincent1, 2022-03-04 01:17:29

How to properly fight off DDoS?

Over the course of a day, 20 thousand /24 DROP rules were added to my iptables; the VPS is loaded at 90%, and the ksoftirqd/0 process eats up almost all the processor resources.
netstat -atun | wc -l
shows 2000 - 3000 connections
Do I understand correctly that the more rules there are in iptables, the more it slows down? Are 20k rules a lot or a little for a single-core VPS?
Maybe there is a more correct way to block IPs?


7 answer(s)
Zolg, 2022-03-04
@Vincent1

In a day, I added 20 thousand /24 DROP rules to iptables

That's brutal.
Make ONE DROP rule, and an ipset into which you put your tens of thousands of addresses.
It will work much faster.
But in general, as mentioned above, this is not a solution to a serious DDoS: if your channel is saturated, no amount of processing the traffic on the host will free the channel.
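The migration Zolg describes, as an added example that is not part of any answer on this page: iptables evaluates a chain linearly, so during a flood every packet walks up to 20k rules in softirq context (which is where the ksoftirqd/0 load in the question comes from), whereas an ipset of type hash:net costs one hash lookup per distinct prefix length regardless of how many networks it holds. The script reads the existing INPUT chain, converts the plain "-s <net> -j DROP" rules into one set, inserts a single DROP rule that matches the set, and only then removes the per-network rules. The set name blocklist and the chain INPUT are assumptions; rules carrying any other match (ports, protocols) are deliberately left untouched so their meaning is not silently widened.

```shell
#!/bin/sh
# Added example: collapse per-network DROP rules into one ipset + one rule.
# Assumed names: set "blocklist", chain INPUT. Root, ipset and iptables with
# the "set" match (xt_set) are needed only for apply_blocklist; the two
# conversion functions are pure text processing and run anywhere.

# Read `iptables -S <chain>` output on stdin and emit an `ipset restore`
# stream holding the network of every rule of the exact form
# "-A <chain> -s <net> -j DROP". Rules with extra matches (NF != 6) are
# skipped: a rule that drops only UDP from a /24 must not become "drop all".
rules_to_ipset_restore() {
    set_name=${1:-blocklist}
    chain=${2:-INPUT}
    awk -v set="$set_name" -v chain="$chain" '
        BEGIN { print "create " set " hash:net family inet maxelem 131072" }
        $1 == "-A" && $2 == chain && NF == 6 && $3 == "-s" && $5 == "-j" && $6 == "DROP" {
            print "add " set " " $4
        }'
}

# Emit the matching `iptables -D` arguments for the same rules, so they can be
# removed once the set-based rule is in place.
rules_to_delete_cmds() {
    chain=${1:-INPUT}
    awk -v chain="$chain" '
        $1 == "-A" && $2 == chain && NF == 6 && $3 == "-s" && $5 == "-j" && $6 == "DROP" {
            $1 = "-D"; print
        }'
}

# Apply on a live host (needs root). Order matters: create the set, insert the
# set-based DROP at the top of the chain, and only then delete the old rules,
# so there is no window in which the flooding sources are unblocked.
apply_blocklist() {
    set_name=${1:-blocklist}
    chain=${2:-INPUT}
    rules=$(iptables -S "$chain")
    printf '%s\n' "$rules" | rules_to_ipset_restore "$set_name" "$chain" | ipset -exist restore
    iptables -C "$chain" -m set --match-set "$set_name" src -j DROP 2>/dev/null \
        || iptables -I "$chain" 1 -m set --match-set "$set_name" src -j DROP
    printf '%s\n' "$rules" | rules_to_delete_cmds "$chain" | while read -r cmd; do
        # shellcheck disable=SC2086  # word splitting of the rule is intended
        iptables $cmd
    done
    printf 'set %s holds %s entries; %s rules left in %s\n' \
        "$set_name" "$(ipset list "$set_name" | grep -c '^[0-9]')" \
        "$(iptables -S "$chain" | grep -c '^-A')" "$chain"
}

# Usage (as root): apply_blocklist blocklist INPUT
```

Afterwards new networks are added with `ipset add blocklist 203.0.113.0/24` and never as iptables rules. The set must be restored before the iptables rules at boot (`ipset save > /etc/ipset.conf`, then `ipset restore < /etc/ipset.conf` ahead of the rules load), because a rule referencing a set that does not exist yet fails to load and the whole ruleset restore aborts.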

Ruslan Fedoseev, 2022-03-04
@martin74ua

UDP flood. The most common and simplest. Streams of, let's say, 10 Mbps come to your IP from several thousand sources. Even if you list all these sources in your firewall and optimize it through ipset, this will not work. The traffic will still arrive at your port and be dropped by your firewall, but the channel will remain clogged. The solution is to contact companies that provide DDoS protection.
If you are bombarded with constant HTTP requests to your site, then a firewall can be used here. But I recommend using ipset to organize the lists of blocked addresses. 20k firewall rules is a lot.

MakarMS, 2022-03-04
@MakarMS

Usually, DDoS is done from public proxies, and often not Russian ones. Try setting rules based on request rate. For example: more than 3 requests per second, IP ban for 5 minutes. A lot of control panels allow you to set such rules.
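The "more than 3 requests per second, ban the IP for 5 minutes" rule, as an added example that is not part of MakarMS's answer, implemented on the VDS itself rather than in a control panel. Both variants feed one ipset whose entries carry a 300-second timeout, so bans expire without any cleanup job: a kernel-side variant built on the iptables hashlimit match and the SET target, which counts new TCP connections because the packet filter cannot see HTTP requests, and a userspace variant that counts real requests in the web server's access log and bans the offenders. The set name http_ban, port 80, and the constructed log lines are assumptions.

```shell
#!/bin/sh
# Added example: rate-based temporary bans. Assumed set name "http_ban",
# web port 80, nginx/Apache "combined" log format. Root is needed only for
# install_kernel_rate_ban and ban_ip; offenders_from_log is pure text.

THRESHOLD=3      # requests (or new connections) per second that trigger a ban
BAN_SECONDS=300  # 5 minutes; the ipset timeout feature expires entries itself

# Constructed sample of "combined"-format access log lines for an offline run:
# 203.0.113.5 sends 4 requests within one second, 192.0.2.9 exactly 3,
# 198.51.100.7 one per second.
SAMPLE_LOG='203.0.113.5 - - [04/Mar/2022:01:17:29 +0300] "GET / HTTP/1.1" 200 612 "-" "curl/7.68.0"
203.0.113.5 - - [04/Mar/2022:01:17:29 +0300] "GET / HTTP/1.1" 200 612 "-" "curl/7.68.0"
203.0.113.5 - - [04/Mar/2022:01:17:29 +0300] "GET / HTTP/1.1" 200 612 "-" "curl/7.68.0"
203.0.113.5 - - [04/Mar/2022:01:17:29 +0300] "GET / HTTP/1.1" 200 612 "-" "curl/7.68.0"
192.0.2.9 - - [04/Mar/2022:01:17:31 +0300] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Mar/2022:01:17:31 +0300] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Mar/2022:01:17:31 +0300] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Mar/2022:01:17:31 +0300] "GET /a HTTP/1.1" 200 10 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Mar/2022:01:17:32 +0300] "GET /b HTTP/1.1" 200 10 "-" "Mozilla/5.0"'

# Insert a rule at position 1 of a chain unless it is already present.
ensure_rule_top() {
    chain=$1; shift
    iptables -C "$chain" "$@" 2>/dev/null || iptables -I "$chain" 1 "$@"
}

# Variant 1: let the kernel count. hashlimit tracks new connections per
# source IP; above the rate, the SET target puts the source into the ipset
# with the ban timeout, and the rule above it drops everything from the set.
# Caveat: with HTTP keep-alive one connection carries many requests, so this
# measures connections, which is stricter than the "requests" of the rule.
install_kernel_rate_ban() {
    ipset -exist create http_ban hash:ip family inet timeout "$BAN_SECONDS"
    # Insert the limiter first, then the DROP above it: final order is
    # 1) drop banned sources, 2) count new connections on port 80.
    ensure_rule_top INPUT -p tcp --dport 80 -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-above "${THRESHOLD}/sec" --hashlimit-burst "$THRESHOLD" \
        --hashlimit-mode srcip --hashlimit-name http_new \
        -j SET --add-set http_ban src --timeout "$BAN_SECONDS" --exist
    ensure_rule_top INPUT -m set --match-set http_ban src -j DROP
}

# Variant 2: count real HTTP requests from the access log. Reads combined
# format lines on stdin ($1 = client IP, $4 = "[time" at one-second
# resolution) and prints, once each and sorted, every IP that sent more than
# $1 (default THRESHOLD) requests within any single second.
offenders_from_log() {
    awk -v max="${1:-$THRESHOLD}" '
        { count[$1 SUBSEP $4]++ }
        END {
            for (k in count) {
                if (count[k] > max) {
                    split(k, part, SUBSEP)
                    if (!(part[1] in seen)) { seen[part[1]] = 1; print part[1] }
                }
            }
        }' | sort
}

# Add one address to the ban set; -exist refreshes the timeout of a repeat
# offender instead of failing on the duplicate.
ban_ip() {
    ipset -exist add http_ban "$1" timeout "$BAN_SECONDS"
}

# Offline demonstration on the constructed sample: prints 203.0.113.5 only.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | offenders_from_log
}

# Usage (as root, e.g. from cron every minute):
#   install_kernel_rate_ban
#   tail -n 5000 /var/log/nginx/access.log | offenders_from_log | while read -r ip; do ban_ip "$ip"; done
```

Whichever variant is used, it must run directly on the public address. Behind Cloudflare or any reverse proxy every connection arrives from the proxy's own ranges, so both variants would ban the proxy rather than the attacker; there the log variant has to be fed the real client address (for Cloudflare, the CF-Connecting-IP header) and the ban has to be applied at the proxy, which is the "script that enters suspicious addresses into the filtering rules" SKEPTIC mentions below.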

Vitaly Karasik, 2022-03-04
@vitaly_il1

The correct way is to outsource this protection, because against a more or less serious DDoS even 64 processors will not help.
Among the free, simple solutions: https://www.cloudflare.com .

SKEPTIC, 2022-03-04
@pro100chel

As Vitaly Karasik already answered, the easiest thing is to stand behind Cloudflare.
In 2022, fighting DDoS through iptables is strange, to say the least.
The main task when protecting yourself this way is not to expose the IP address of the server your sites run on. As a rule, cloud providers have a firewall function right in the server control panel. There you need to register the Cloudflare address ranges (or those of whichever protection you use). Otherwise, you can configure the firewall directly on the VDS, or specify the necessary ranges in the web server config.
Accordingly, after you move behind the protection, you will need to change the server's current IP address. If the hoster allows it, this can be done in the server control panel or through tech support. In the extreme case, you will have to make a complete copy of the server and run it (most likely the IP address will change), and the previous server will need to be deleted.
If you do not expose the real IP address of the server, L3 and L4 attacks will not be able to harm it. L7 attacks are not filtered very well by Cloudflare. Here you will have to set the maximum level of protection in the Cloudflare panel and, possibly, put some script on the VDS that enters all suspicious IP addresses into the Cloudflare request filtering rules. You may have to upgrade to a paid protection plan.
In any case, changing the VDS IP address and putting the site on the free Cloudflare plan is better than nothing.
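Restricting the origin's web ports to the Cloudflare edge ranges, as an added example that is not part of SKEPTIC's answer, for the case where the firewall is configured on the VDS itself rather than in the provider's panel. Cloudflare publishes its ranges at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. The script fetches the IPv4 list and refuses to touch the firewall unless every line is a syntactically valid IPv4 CIDR, so an HTML error page, a captive portal or an empty response can neither become an empty allow-list that locks the site out nor a bogus one that opens it up; the validated list is loaded into a scratch ipset and swapped in atomically, and ports 80/443 are then accepted only from that set. The set name cf_edge, the fetch-and-apply flow, and the constructed sample list used by the checks are assumptions; IPv6 needs the same with family inet6 and ip6tables.

```shell
#!/bin/sh
# Added example: allow web ports only from the Cloudflare edge. Assumed set
# name "cf_edge", chain INPUT, ports 80/443, IPv4 only. Root is needed only
# for apply_cf_allowlist; the validation functions are pure shell.

CF_IPV4_URL=https://www.cloudflare.com/ips-v4   # list published by Cloudflare

# Constructed sample list (documentation ranges, not Cloudflare's real ones)
# so the validation can be exercised offline.
SAMPLE_LIST='198.51.100.0/24
203.0.113.0/24'

# True if $1 is a syntactically valid IPv4 CIDR: a.b.c.d/n, octets 0-255,
# prefix length 0-32. Anything else (hostnames, HTML, bare IPs) is rejected.
is_ipv4_cidr() {
    case $1 in
        */*) ip=${1%/*}; len=${1#*/} ;;
        *)   return 1 ;;
    esac
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read a list on stdin; succeed only if every non-empty line is a valid CIDR
# and there is at least one. A truncated download or an error page therefore
# never reaches the firewall.
validate_cidr_list() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        is_ipv4_cidr "$line" || { printf 'rejected line: %s\n' "$line" >&2; return 1; }
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# Append a rule unless it is already present.
ensure_rule() {
    iptables -C "$@" 2>/dev/null || iptables -A "$@"
}

# Fetch, validate, fill a scratch set and swap it in, so a refresh from cron
# never leaves the live set half-filled or stale.
apply_cf_allowlist() {
    tmp=$(mktemp) || return 1
    if ! curl -fsS "$CF_IPV4_URL" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if ! tr -d '\r' < "$tmp" | validate_cidr_list; then
        rm -f "$tmp"; return 1
    fi
    ipset -exist create cf_edge hash:net family inet
    ipset -exist create cf_edge_new hash:net family inet
    ipset flush cf_edge_new
    tr -d '\r' < "$tmp" | sed 's/^/add cf_edge_new /' | ipset restore
    rm -f "$tmp"
    ipset swap cf_edge_new cf_edge
    ipset destroy cf_edge_new
    for port in 80 443; do
        ensure_rule INPUT -p tcp --dport "$port" -m set --match-set cf_edge src -j ACCEPT
        ensure_rule INPUT -p tcp --dport "$port" -j DROP
    done
}

# Offline demonstration on the constructed sample list.
demo() {
    printf '%s\n' "$SAMPLE_LIST" | validate_cidr_list && echo "sample list valid"
}

# Usage (as root, then daily from cron): apply_cf_allowlist
```

The two appended rules only take effect if no earlier rule in INPUT already accepts ports 80 and 443 from anywhere; such a rule has to be removed. Once the origin only talks to the edge, the web server sees Cloudflare's addresses as the client, so per-client logic (logs, the rate bans above) needs the real address from the CF-Connecting-IP header, which nginx can restore with the realip module (set_real_ip_from for the same ranges, real_ip_header CF-Connecting-IP). And, as the answer says, none of this helps while the old IP address is still known to the attacker: the address has to change after the move.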

oleg_ods, 2022-03-04
@oleg_ods

[image attachment: 622278f116431928977096.jpeg]
I could not resist)

Viktor, 2022-03-10
@Victor_koly

Unfortunately, I have only heard a little about DDoS protection, and from the other side. There is a technology called "DDoS blackhole routing/filtering". But in my case, the provider used it to protect itself from DDoS coming from the client. Yes, this is such a small provider that, say, Cogent or RETN could set it up for them.
