No self-respecting DDoS attacker would fail to spoof the User-Agent. This is even Web Scraping 101.

Attacks these days are getting rather sophisticated, where significant amount of attacks are using javascript enabled headless browsers. (http://www.darkreading.com/attacks-breaches/ddos-attack-used...)

So what about checking for valid session cookies from before the ddos started?