Caveats!! a human brain must be used !!!
First, get ALL your access IPs from your HTTP server
cut -d' ' -f1 /var/log/nginx/access.log | sort | uniq > /tmp/all_ips
Now we can use a docker image to have the IPtoASN API https://iptoasn.com/ running locally
docker run -itd --name my-iptoasn -p 80:53661 ilyaglow/iptoasn-webservice
You can test your own IPtoASN with
curl http://127.0.0.1/v1/as/ip/8.8.8.8
{"announced":true,"as_country_code":"US","as_description":"GOOGLE - Google LLC","as_number":15169,"first_ip":"8.8.8.0","ip":"8.8.8.8","last_ip":"8.8.8.255"}
Now just iterate to get wonderful jsons for each IP.
for i in `cat /tmp/all_ips`; do curl -s http://127.0.0.1/v1/as/ip/$i >> /tmp/ip_origin.txt ; echo "" >> /tmp/ip_origin.txt ; done
With this you can run some statistics and determine what are the IPs used with DDoS
cut -d',' -f3 /tmp/ip_origin.txt | sort | uniq -c | sort -nk1