You can never pay them. It was mentioned here before, but a good philosophy in general is to never pay blackmail or extortion... they'll always come back for more. You need to upgrade your stuff. Get an Akamai front end, a WAF tuned to typical DDoS methods, and maybe some simple routines in your code to better verify normal users and not bad accounts... but this all takes money.
Be glad the day you've been DDoS'ed; it means you've arrived. You just need to get your shit together now. Be better, faster and stronger.
Good luck!
worth reposting
I think what people don't seem to understand is that if you give these individuals money, then you support DDoS attacks on fellow businesses. I would rather have the website unresponsive than pay; it's quite comforting to know these individuals wouldn't make a cent for their efforts.
Wish everyone was like that, then we wouldn't have this problem.