anti-ddos "at the php level" - in itself - is nonsense, by definition. You can optimize the code so that it takes up less memory, less CPU time, fewer "long" database queries, etc. But it all makes sense to do it just like that, as a rule, and not in an attempt to beat off DDoS.
On the basis of the php code, you can bungled IDS , which is successfully done by some .

before submitting the page, you can put html in the cache (redis, memcached, and make up the key from the request and critical cookies), and in index.php, before everything else, check for the presence of the “increased load” flag. if the flag is set, do not load the php code, but return the page from the cache.
the flag can be a file - for example, check the load on the server using cron and create /tmp/ddos if it is increased

When DDOSing, the main task is to bend a certain service or the entire server.
Protecting against DDoS using php, in most cases, this will not bring any special advantages (well, except, for example, it will relieve the load on the DBMS). And the channel will remain clogged, the connection queue will be full, Apache will thresh with the maximum number of processes, someone will eat up the remnants of free memory ... And there it will be difficult not only for users of the service to get into the site, but also for the admin via ssh.
DDOS protection is always an integrated approach, otherwise it is not protection.

Even with a moderate DDoS, a script like
<?php
echo "123";
?>
will take up 100% of your CPU.
On the contrary, the goal of DDoS protection is to prevent spam on PHP scripts using tools such as nginx.

I agreehalf of the Runet sites fall down with a simple ab
adding regular caching to them saves a lot. I especially want to note “memcashed”,
but ddos ​​can be different, they can just “clog the channel” if the hardware copes.
but here, using nginx or iptables, you can fight on your knee ...

If your php script will first of all climb, for example, into the memcache and check how many connections per minute were from the same address as now, and if it is more than the threshold, then quickly close the connection, then in theory you can handle it with a little DoS. However, if it forms .htaccess with deny from directives according to the same criteria, it will be faster. And if nginx is also in front of Apache, then there is a chance that your site will even work.

How are you going to defend against an attack with at least 20,000 IPs? With php?
It's like using a small sapper shovel, but a cool foreign company, to protect against a "primitive" nuclear strike.

Can. Disable PHP and redirect visitors to the static version of the site.

DDoS protection is a strong word, but it is quite possible to protect yourself from all sorts of parasitic bots that can put down a not very fast site.