
New Website Faces Unexpected DDoS Attack

Started by gasgrill, Aug 14, 2024, 12:26 AM

gasgrill (Topic starter)

We are creating a website not aimed at a broad audience at all, more like a service site for improving coordination with contractors.

Then, one morning, we receive a happy email from fastvps saying that our site is currently being ddosed, "the attack was over 900 thousand packets per second" and the server is crashing.

The big question is: what could be causing this? Where did it come from? Nobody actually knows about the site yet, it's still UNDER DEVELOPMENT, and it only has a login page with no text. There aren't any enemies, and I don't think there are competitors for the simple login form.

Is it possible that someone else has faced this issue?

lpiratehp

Even if your website is not publicized, it may still be indexed by search engines or discovered through shared hosting environments. Some DDoS attackers use automated scripts that scan for active IP addresses, even those hosting sites that are not fully launched or have minimal content. If your server has open access or is on a shared hosting platform, it might be an easy target for these attackers.

Your server's IP address might be known or associated with other sites that have faced similar attacks. If you are on a VPS or shared host, the malicious requests could actually be targeting another site on the same server, but overwhelming all resources on that server in the process.

It is not uncommon for insignificant or new websites to face random attacks just for the sake of it. DDoS attacks can be a test of capabilities for attackers, so they might target sites without any reason other than to demonstrate their power or to test their bots.

I would recommend that you consult your hosting provider for assistance in mitigating the attack. They usually have tools at their disposal to help filter out malicious traffic. It may also be worth considering implementing a web application firewall, which can help prevent such attacks in the future.

Make sure to stay vigilant and monitor your server logs for any suspicious activity. Being proactive about security is the best way to cope with unexpected threats like these.

kerui

I ended my relationship with my hosting company six months ago due to similar issues (previously, I had been their customer for 6 years without facing any trouble). The same issue kept popping up - a massive influx of packets, and no one had a clue where they were coming from. My IP was permanently blocked by the router, making it impossible to access the server. Every time they unblocked it, I was hit with another wave of "DDoS" attacks, hundreds of terabytes flooding my IP, as if the whole internet had turned against me. There was no communication from them, no guidelines, nothing—just a frustratingly complete blockade of my server. I was fed up and decided to migrate my websites elsewhere, and now everything runs smoothly without any DDoS disturbances.

While chatting with tech support, it became painfully clear they didn't really care about a long-term client who had been paying them a hefty sum for years. Perhaps they are being cornered to eliminate competition in the market. Initially, I was taken aback by this, but now, honestly, it doesn't bother me at all. Sometimes it's for the better when you make a change, especially in a world where digital reliability is so critical.

StacyAn

Using iptables along with ipset is a very smart way to protect your systems.

I've had my own struggles with DDoS attacks too, not just a rumor.

To minimize the risk, it's wise to completely block traffic from certain nations:

China

Japan

Korea

Iran

Iraq

USA

Taiwan

Thailand

Brazil

India

Indonesia

You should aim to shut down the biggest Autonomous Systems from these countries; this could reduce the DDoS incidents you experience.

And if you're worried about your site not being known, don't fret about that. Once you launch it online, it's basically visible to everyone. Especially those who are probing websites and trying to hack in multiple times a second. Lots of these are actually bots powered by compromised computers. So, the best move you can make is to set up the iptables and ipset configuration as your defense barrier.
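
The iptables-plus-ipset setup mentioned in the post above, as an added example that is not part of the thread or any poster's own configuration: a script that validates a list of IPv4 CIDRs and emits `ipset restore` input which refills a set through a temporary set and a swap. The set name `blocklist`, the file name `list.txt` and the sample ranges are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. SET_NAME is a hypothetical set name.
SET_NAME=blocklist

# valid_cidr: succeed only for a.b.c.d/len with octets 0-255 and len 0-32.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$addr" in *[!0-9.]*) return 1 ;; esac
    case "$len" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr              # split on dots; addr is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# build_restore: read CIDRs on stdin (blank lines and # comments allowed) and
# print `ipset restore` input. Entries go into a temporary set that is then
# swapped in, so the live set is never empty or half-filled during a reload.
build_restore() {
    tmp="${SET_NAME}_tmp"
    echo "create $SET_NAME hash:net family inet"
    echo "create $tmp hash:net family inet"
    echo "flush $tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            echo "add $tmp $line"
        else
            echo "skipped invalid entry: $line" >&2
        fi
    done
    echo "swap $tmp $SET_NAME"
    echo "destroy $tmp"
}

# Constructed sample list (RFC 5737 documentation ranges, one bad entry).
# Load for real, as root:  build_restore < list.txt | ipset -exist restore
# Reference the set once:  iptables -I INPUT -m set --match-set blocklist src -j DROP
build_restore <<'EOF'
192.0.2.0/24        # constructed example range
198.51.100.0/33     # invalid prefix length, skipped
203.0.113.0/24
EOF
```

Because the iptables rule refers to the set by name, later list updates only need the restore step and never touch the rule itself.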