Try setting your firewall to allow your IP, and remove (or block) all ports - which would block everyone else but you. If you installed CSF as previously suggested, it can support this.
Then look at your firewall logs, and your site performance. If your VPS resources aren't over-utilized and your site is still sluggish, then I'd check to see if your website files are correct. If your site performance returns to normal, then consider sharing what you're seeing in your firewall logs with your hosting provider or someone here you trust.
Most of the DDOS attacks I've experienced were done at assets in front of my site, meaning my CPU would be very low but the site was non-responsive. Usually an attack on a front-end proxy (as eva2000 suggested) or firewall. When I blocked everyone in that scenario, it didn't yield any difference, my site was still non-responsive and CPU was still low. One event happened when I was hosting with Softlayer (the original company) and in those days they had to move me to a temporary DDOS solution and left me there for 48 hours for the attack to subside. Today several hosting providers provide real-time DDOS protection, which others have suggested in this thread, and has helped me.
The one INTRUSION I experienced changed files on my site, before I was using XF, and resulted in a nearly non-responsive site and high server utilization. In that scenario, it wasn't a DDOS, the attackers used a vulnerability to write files and database records. When I blocked everyone but myself, I could access my site but the server was still at high utilization, so I knew to look internally. Eventually found the changed files, and the added database records, but chose to dump all files and database and restore them both from the previous day's backup - didn't trust the 12 Hour backup. The attackers used an automated script to give them an admin account, that I couldn't see in the admin interface, but could remediate after restoring the backup. The site ran clean for two years afterward, until I migrated to a new forum software platform.
I don't use Cloudflare on my XF site, but you should consider sticking with it:
- Cloudflare - I'd set up with a free version at first so that you can get it working properly, then upgrade it to the paid options suggested in this thread.
- Hosting Provider's Firewall - Open only the ports you need, allow only from your IP and Cloudflare, preferably a provider that offers DDOS Protection.
- Firewall on your VPS - Run CSF to automatically track/block bad actors and invalid useragents, allow only from your IP and Cloudflare however your hosting provider's network is set up. If one looks at the robots listed on my XF Members/Visitors page, you would see moderately-reputable agents like Google Adsense, Bing, Google, Amazon, etc. As of this posting there are 99 bad useragents being blocked for a week from particular countries, hacked servers, hacked PCs, and other servers within my own hosting company's data center.
Hope this helps,