It's not easy. Basically you want to block the traffic as early as possible.
That is normally your firewalls or even earlier your ISP.
With such an attack that is usually not flexible enough as you can only block IP networks.
You can route our entire traffic to a vendor that specializes in DDoS mitigation.
They have huge bandwidth resources.
This obviously needs to be well prepared.
For some of those providers you need to be able to change BGB routes.
Those are called scrubbing centers or clean pipes providers.
They take all your traffic and filter out bad traffic, sending only "clean" traffic to your servers.
There it's a matter of creating rules of catching the attack traffic.
In the easiest case it's always the same URL that gets requested.
=> Drop repeated traffic to that single URL.
This gets more complicated when the URLs are random.
=> If an IP hits a pages that return a 404 more than X times in Y minutes, block it.
And even more complicated when the URLs are random but existing.
Then you need to detect anomaly in traffic.
You will block some of your real users if they are using infected pages that are used to DDoS you.
That's the price to pay to keep your services available to the rest of your users.