I guess I have to ask, since I'm curious: I'm going to guess a big chunk of your miners come from the same IPs, right? So, like, I'm sending you ~20GH/s from IP X.X.X.X. And BobTheMonkey is sending you 20GH/s from X.X.X.X, day in, day out. The log has to show that same traffic pretty constantly.
I have no idea what is required to prevent a DDOS, and I'm not about to claim I do. But in a fairly "small" operation like this (and, realistically, it is pretty small; you're looking at, what, ~550 or so clients connected?), couldn't you just whitelist all the "known" (or at least, say, the "big" known) IP addresses, and block everything else?
I'm assuming of course that only the pool.abcpool.co address is needed to allow mining, and the DDOS attack isn't screwing up something else on the back end.
I'm sure, 100% guaranteed, that my logic is wrong somewhere, but in a purely binary world, I assumed you could just block all traffic to that address except your "known" good miners (such as me, the most attractive member in the world).
You could do that if you didn't want any new users. It would buy you time while you determine how to stop the DDOS. Once you have a capture of the malicious traffic you can craft your policies to stop it.
That would only work if you're at an ISP that will allow you to add a whitelist at their perimeter. If the DDoSer has enough zombies, they will still take you offline because they can flood the switches in front of your server before a whitelist takes effect.
The largest attacks back in July were over 10 gigabits of traffic. There are very few datacenters that can absorb that when it's all headed towards a single internal IP, and even fewer datacenters that will actually allow that kind of traffic to come in without just blackholing you temporarily.
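The allowlist idea floated in the first post, and the "no new users" and "only if it sits upstream of the flooded link" caveats in the replies, as an added example that is not from any poster or from the pool operator: a small Python script that derives the list of "known" miner IPs from a connection log (an IP counts as known only if it has connected on at least N distinct days, which is what "day in, day out" means in practice) and renders it as an nftables ruleset that accepts those sources on the pool port and drops everyone else. The log line format, the port 3333 and the table and set names are assumptions made for this example; the sample log is constructed.

```python
"""Build a miner IP allowlist from a connection log and render it as an
nftables ruleset. Added example; log format, port and table names are
assumptions, and SAMPLE_LOG is constructed for illustration."""
from collections import defaultdict
import ipaddress
import re

# Constructed sample log: one line per accepted TCP connection to the pool.
# 192.0.2.10 and .11 connect every day (steady miners); 198.51.100.7 is a
# new user seen once; 203.0.113.99 bursts in on a single day; the last two
# lines are malformed and must be ignored by the parser.
SAMPLE_LOG = """\
2013-10-01T00:05:12 src=192.0.2.10 dport=3333 event=connect
2013-10-01T00:05:40 src=192.0.2.11 dport=3333 event=connect
2013-10-02T03:11:02 src=192.0.2.10 dport=3333 event=connect
2013-10-02T03:12:55 src=192.0.2.11 dport=3333 event=connect
2013-10-03T07:00:01 src=192.0.2.10 dport=3333 event=connect
2013-10-03T07:00:09 src=192.0.2.11 dport=3333 event=connect
2013-10-03T07:30:00 src=198.51.100.7 dport=3333 event=connect
2013-10-03T08:00:00 src=203.0.113.99 dport=3333 event=connect
2013-10-03T08:00:00 src=203.0.113.99 dport=3333 event=connect
2013-10-03T08:00:01 src=203.0.113.99 dport=3333 event=connect
2013-10-03T08:00:01 src=not-an-ip dport=3333 event=connect
this line is garbage
"""

# Assumed log line shape: ISO timestamp, src=<ip>, dport=<port>, event=connect
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ src=(?P<ip>\S+) dport=\d+ event=connect$"
)


def parse_log(text):
    """Yield (day, ip) for each well-formed connect line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:  # e.g. src=not-an-ip
            continue
        yield m.group("day"), str(ip)


def days_seen(text):
    """Map each source IP to the number of distinct days it connected on."""
    seen = defaultdict(set)
    for day, ip in parse_log(text):
        seen[ip].add(day)
    return {ip: len(days) for ip, days in seen.items()}


def build_allowlist(text, min_days):
    """IPv4 sources that connected on at least min_days distinct days.

    A source that only appears on one day (a brand-new miner, or a flood)
    is excluded, which is exactly the 'no new users' trade-off of this approach.
    """
    counts = days_seen(text)
    keep = [ip for ip, n in counts.items()
            if n >= min_days and ipaddress.ip_address(ip).version == 4]
    return sorted(keep, key=ipaddress.ip_address)


def render_nft(allowlist, port=3333):
    """Render an nftables ruleset: accept listed sources on the pool port,
    drop every other connection to that port. Other traffic is untouched."""
    lines = ["table inet pool {", "    set miners {", "        type ipv4_addr"]
    if allowlist:  # an empty 'elements = { }' is not valid nft syntax
        lines.append("        elements = { " + ", ".join(allowlist) + " }")
    lines += [
        "    }",
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        f"        tcp dport {port} ip saddr @miners accept",
        f"        tcp dport {port} drop",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    known = build_allowlist(SAMPLE_LOG, min_days=3)
    print("known miners:", known)
    print(render_nft(known))
```

Run it and feed the output to `nft -f`; raising `min_days` tightens the list, lowering it lets newer miners through. As the replies point out, rules like these only help where they are applied ahead of the saturated link: on the pool host itself they stop the application from seeing the junk, but they do nothing for a 10 gigabit flood that has already filled the switches in front of the server.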