Someone from China with two different IPs is downloading the same big file from my server. Their IPs are:
- 122.89.45.210
- 60.210.7.62
They are requesting this file and downloading it more than 20 times per minute.
What can I do to prevent this? (I am on Gentoo with root access)
And WHY do they do this to a site that has nothing to do with China?
ADD1:
Other IPs:
- 221.8.60.131
- 124.67.47.56
- 119.249.179.139
- 60.9.0.176
ADD2:
The stupid thing is they are requesting only 1 single file, lol. Or they want that file removed (though I don't see why), or they are pretty stupid.
ADD3:
The situation is getting worse. IPs are spreading from other countries too (USA and Korea, if www.geobytes.com/iplocator.htm is right), and now they are requesting another file.
ADD4:
It seems that after they realized I removed that file they stopped attacking me.
I will monitor the situation.
They started again after a sleep of 3-4 minutes with the same file (lucky me). Hard to say why this is happening.
Just 2 IP addresses... You could easily block the IPs using iptables.
EDIT
Since the IP addresses are growing, you might want to consider doing something a bit more drastic. Do you have any need to service Chinese IP addresses? If not, you could try using the following site for help blocking the entire country. Just throw the results in your .htaccess file:
http://www.blockacountry.com
Another Edit
Is there something else that's common about all of the requests? Is the user agent the same? That could easily help in blocking the attacks.
I don't know what OS you're using on your server, but I would guess it's a UNIX (Debian, Ubuntu, Slackware etc.) distro.
The easy way to protect yourself from DoS is by installing Fail2Ban (http://www.fail2ban.org/wiki/index.php/Main_Page). It's easy to install and use. I'm using it for SSH protection because I get loads of SSH DoS attacks. The program scans log files and checks for repeating messages (i.e. failed logins, many connections, like in your situation).
You'll have to tune it a bit to read the log file of your web server properly. If you manage to do that you can limit the access - i.e. you can limit to 50 attempts for GET requests in 1 second by 1 IP. When the threshold is reached the IP address is banned for X time. This will help you save your bandwidth and not worry if this attack comes from another address.
Hope this helps you :)
Edit 1:
I remembered there is a module for Apache that could limit those things - mod_evasive. Personally I have never used it, but many people refer to it as "good stuff". I found a tutorial for you that might help - http://www.mydigitallife.info/2007/08/15/install-mod_evasive-for-apache-to-prevent-ddos-attacks/ Check it out and see if it could suit your needs.
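As an added example (not part of the answer above, and not Fail2Ban's own code), this is the counting logic such a log-scanning filter applies, written with awk over access log lines in the Apache/nginx "combined" format: for each client, requested path and clock minute, count GET requests and report the buckets that exceed a threshold (the question's "more than 20 times per minute"). The log lines, IPs and file name are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from Fail2Ban or from the answer above: per-IP, per-file,
# per-minute counting of GET requests over "combined" format access log lines.
# On a real log:  flag_hot_clients 20 < /var/log/apache2/access_log
# (the log path, IPs and file name below are constructed for the demo).

THRESHOLD=${THRESHOLD:-20}

# Constructed sample log: 203.0.113.5 fetches /big.iso 21 times inside one
# clock minute plus once in the next minute; two other clients behave normally.
sample_log() {
    i=0
    while [ "$i" -lt 21 ]; do
        printf '203.0.113.5 - - [10/Oct/2009:13:55:%02d +0000] "GET /big.iso HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"\n' "$i"
        i=$((i + 1))
    done
    printf '203.0.113.5 - - [10/Oct/2009:13:56:01 +0000] "GET /big.iso HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"\n'
    printf '198.51.100.9 - - [10/Oct/2009:13:55:30 +0000] "GET /big.iso HTTP/1.1" 200 1048576 "-" "curl/7.19"\n'
    printf '192.0.2.1 - - [10/Oct/2009:13:55:31 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n'
}

# Reads combined-format log lines on stdin and prints "ip path count" for
# every (client, path, minute) bucket whose GET count exceeds $1.
flag_hot_clients() {
    awk -v limit="$1" '
        substr($6, 2) != "GET" { next }            # method field, leading quote stripped
        {
            # $4 looks like [10/Oct/2009:13:55:07 -> keep 10/Oct/2009:13:55
            minute = substr($4, 2, length($4) - 4)
            hits[$1 SUBSEP $7 SUBSEP minute]++     # $1 = client IP, $7 = request path
        }
        END {
            for (k in hits)
                if (hits[k] > limit) {
                    split(k, f, SUBSEP)
                    printf "%s %s %d\n", f[1], f[2], hits[k]
                }
        }' | sort
}

sample_log | flag_hot_clients "$THRESHOLD"
```

Bucketing by clock minute means a client that spreads 21 requests across the boundary of two minutes is not reported; a sliding window (as Fail2Ban's findtime uses) is stricter, but the per-minute version is enough to confirm from the log which addresses deserve a ban.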
What you need to do is contact your upstream provider. Most will null-route DDoS attacks coming at you; as for the US IPs, communicate to their ISP that those IPs are attacking you and they'll usually talk to the customer, who is usually a bot causing your problems, hence why it's coming mostly from Asian countries.
What effects is this DDoS causing?
If it's CPU usage, try switching over to something like nginx to serve your static content up.
If it's bandwidth, you can rate limit requests using something like mod_bandwidth.
One thing to keep in mind: I have seen situations like this before, they sometimes aren't attacks, but instead people using "download accelerators". These open a ton of connections to the server at once, based on the (faulty) idea that more connections = more bandwidth. To fix it, I installed nginx on port 81, and used some .htaccess rules to force the content to download via nginx only. Nginx handled the requests without breaking a sweat, and I didn't have to worry about web server reconfiguration, nor slowing down traffic for legitimate users.
iptables & ipset to the rescue!
First, make an IP set:
Next, make rules:
Or, if you're feeling evil:
Whenever there's a new attacker, add its IP to the set:
The above can be automated by using a combination of -m string, -m recent, and -j SET, e.g. -m string --string "GET http://url/to/offending/file" -m recent --seconds 60 --hitcount 2 -j SET --add-set Attackers src
Note: Make sure that support for the raw table, ipset, and TARPIT are all compiled into your Gentoo kernel (or as modules).
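Added example, not the answer's own commands: the ipset plus iptables setup the answer above describes, written out as shell functions. The set name "Attackers", the recent-list name "dl", the file path and the one-hour timeout are assumptions for the demo. With RUN=echo (the default) every command is only printed, so the script can be read and tested without root; run it as root with RUN= (empty) to apply the rules.

```shell
#!/bin/sh
# Added example, not from the answer above: ipset + iptables ban list with
# manual and automatic ("-m string" + "-m recent" + "-j SET") additions.
# Names and path are assumptions; RUN=echo prints instead of executing.
RUN=${RUN-echo}
SET_NAME=${SET_NAME:-Attackers}
OFFENDING_PATH=${OFFENDING_PATH:-/files/big.iso}

# 1. The set: a hash of single IPv4 addresses. Entries expire after an hour
#    so a ban does not outlive the abuse.
make_set() {
    $RUN ipset create "$SET_NAME" hash:ip timeout 3600 -exist
}

# 2. Drop anything from a listed source as early as possible: raw PREROUTING
#    runs before connection tracking, so banned hosts cost almost nothing.
#    (The answer's TARPIT variant needs xtables-addons and is not shown.)
add_block_rule() {
    $RUN iptables -t raw -I PREROUTING -m set --match-set "$SET_NAME" src -j DROP
}

# 3. Manual ban of one address.
ban_ip() {
    $RUN ipset add "$SET_NAME" "$1" -exist
}

# 4. Automatic ban. First rule records every source that sends a request for
#    the offending file; second rule adds a source to the set once it has done
#    so twice within 60 seconds (the same --set / --update pattern used for
#    SSH rate limiting with -m recent).
add_auto_rule() {
    $RUN iptables -A INPUT -p tcp --dport 80 \
        -m string --algo bm --string "GET $OFFENDING_PATH" \
        -m recent --name dl --set
    $RUN iptables -A INPUT -p tcp --dport 80 \
        -m string --algo bm --string "GET $OFFENDING_PATH" \
        -m recent --name dl --update --seconds 60 --hitcount 2 \
        -j SET --add-set "$SET_NAME" src
}

setup() {
    make_set
    add_block_rule
    add_auto_rule
}

setup
```

The string match only sees the packet that carries the request line, so it is a cheap heuristic rather than a full HTTP parser; the timeout on the set is what keeps the ban list from growing without bound as new addresses appear.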