Nginx

How to repel a complex DDoS attack?

Good day to all, I have encountered a very complex DDoS attack. The logs show that bots with different User Agents (hereinafter referred to as UA) are attacking. They attack all forum pages, not just the main one.
The following decisions were made:
1. Ban at the nginx level by UA. Gives you control over the situation, but does not give 100% protection. Slightly changed UA and goodbye web server. Now they use already valid UA from browsers, it's terrible. I'm blocking already clean traffic.
2. Ban iptables+ipset+tcpdump. I singled out the most active bots and banned them using the /24 mask. Doesn't save. After 1k banned, 2k come and change the strategy. They send 5-10 requests each and wait. The server cannot cope with such an onslaught of small requests in the number of 2k+ bots.
3. Ban at the nginx level - GeoIP. Didn't bring results. In general, I missed everything that should not have been missed.
I ask for help, I have no strength.
Hardware:
CPU: Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz - 4 cores, I think upgraded to 10 already
RAM: 12GB
Channel: 100
Server: nginx+php-fpm