Hello there.
there are several types of attacks. First of all, to begin with, you must start by knowing the principle of the Internet, including the OSI model. There are the low layers (3/4), and the high layers (notably 7). A volumetric DoS/DDoS attack more commonly affects the lower layers (3/4), if you run Wireshark there is a chance that you will see packets like DNS/NTP responses. Basically, the process is that the attacker spoofs packets to recursive servers, and sends less data than you receive on your target server. Hence the name "DNS amplification" or "NTP amplification".
There are other types of amplifications, a little more violent (we can cite memcached which, it seems to me, generated an attack exceeding Tbps)
Attacks on layer 7 (application layer) are a little simpler to manage. For example, HTTP uses this layer. Generally if your site receives an HTTP flood (in concrete terms you receive a large number of HTTP requests), you must impose a rate limit, and possibly ban the IPs which are too heavy on the server. To do this, simply associate iptables with your application. If it's on a web application, you can add www-data as sudoers and put code like shell_exec("sudo iptables -A INPUT -s xx.xx.xx.xx -j DROP"). For my part, I have been practicing this way for a long time, in fact by the time the attack is automatically completely filtered the site is slow or inaccessible, but after a few minutes it is over.
Wordpress were once quite stupid to implement XMLRPC pingbacks natively and enabled by default, because it allowed attackers to launch some pretty violent attacks.