I don't even know what a DDoS attack is so wouldn't know where to start.
Maybe an idea to check the ip addresses of all recently banned users?
A DDoS is a Distributed Denial of Service. When you access a website your computer and the server the website is stored on perform what is called a three-way-handshake, essentially:
Your PC: HI I'm on this address!
Server: Why hello thar, can you hear me?
Your PC: Yes, I can hear you!
The server is unfailingly polite and it will keep asking "Can you hear me" until it doesn't get a response for a pre-defined period of time. Off the top of my head I think the default is somewhere around 30 seconds. After your PC responds that it can hear the server, it can then ask for the webpage, or whatever it is you're looking to get.
At a basic level, a standard Denial of Service attack will rely on that mechanism, except that it doesn't respond to the server when the server asks "can you hear me". The server will keep asking over and over "can you hear me" but to no response. That takes server resources, and uses bandwidth.
Now imagine that your PC sends 100,000 "HI" messages to the server, but fakes what address it's sending from. The server has to send 100,000 "hello thar" messages back. Your PC never gets the "hello thar" messages, and if the fake address is real that other machine never sent the "HI message" so ignores it. The target server has to sit there wasting processing power and bandwidth saying "hello thar" over and over again until each process times out, so in the region of several hundred thousand messages.
In the old days it used to be possible to DoS a server using just a PC hosted on an ISDN line. The amount of requests you could send was high enough to cause problems on a target box, both from a spare system resources and also from bandwidth used in replying.
These days it takes a lot more than a single PC, plus if the attack is coming from a single PC it's easier to track, even with a fake address. Networks guys at ISPs despise DoS attacks and actively track unusual traffic patterns, working in conjunction with colleagues at other ISPs.
With a DDoS the attack is coming from many PCs, all claiming fake addresses. The PCs are usually "zombie" PCs, i.e they've been infected with some form of malware. The malware sits there waiting for instructions, usually listening to IRC channels or similar. The attacker posts a message to where the clients are listening, containing a target address and the zombies attack, resulting in millions upon millions of "HI!" messages being sent to the attacked server.
It is extremely challenging at best, and more often pretty much impossible to catch the perpetrator of such an attack if you rely purely on the technical data. Any addresses garnered from logs are liable to be completely fake, so contacting ISPs abuse services about them is pointless.
Filtering out the attack traffic is difficult to achieve as it looks exactly like any normal handshake transaction. Most anti-DoS systems, such as the ones produced by Riverhead Networks (now part of Cisco) analyse the traffic headed to the targetted server and look for unusual patterns and filter out those bits. The cost for such solutions can often be rather prohibitive, and is only useful if it has an idea of what a 'normal' traffic pattern looks like. Typically you'd want to run one for 24 hours watching a server during normal load for it to be able to filter out attack traffic effectively.
