It’s difficult to fix and not without changes in the code. Most solutions involve fixing those heavy SQL. Tuning them, caching them in redis or memcached or refactor the whole process from scratch.
Thinking on the DDoS part, implement short circuits so reaching those queries must follow a session pattern. It doesn’t stop it but you force those script kiddies to make real connections. If they are anonymous then all the heavy queries should be cached due to lack of custom vars. If not, it’s a matter of identifying users and banning them automatically.
This, I used an old board and it didn’t work until I replaced the (button) battery . After that, you can troubleshoot the board adding components one by one and listening to the beeps. There’s a code. Left the GPU as last element and use the integrated one always until all is working. If a external GPU doesn’t work, it could be not enough power. If memory fails, beeps again, try to find a working one and go from there…