You can never pay them, it was mentioned here before, but as a good philosophy in general is to never pay blackmail or extortion... they'll always come back for more.  You need to upgrade your stuff.  Get an Akamai front end, a WAF tuned into typical ddos methods, and maybe some simple routines in your code to better verify normal users and not bad accounts.... but this all takes money.

Be glad the day you've been ddos'ed, it means you've arrived.  You just need to get your shit together now.  Be better, faster and stronger.


Good luck!