
For the past few days, we have been facing a possible SYN flooding DoS attack. This attack happens twice a day (afternoon and at night): one random IP in our network gets active (even though the system to which the IP is assigned is inactive/shut down) and sends thousands of packets per second. Every time, it's a new IP, and on checking the systems to which the IPs were assigned, we find no traces of any activity; in some cases system logs showed the system was shut down when this attack happened. Anti-virus didn't detect much either on these systems. nmap and ping to these IPs don't work either while the attack is actively happening. We found details of these attacks via the web search report of our firewall: we saw IPs having sent millions of hits within hours to some websites, consuming close to 100 GB at a time (note: only one IP does the attack at a particular time). Currently, we are blocking these IPs one by one after each attack, which is not feasible, which leads to the questions below. Answers and suggestions would be greatly appreciated.

  • How can we detect these attacks early on?
  • How can we stop these attacks?
  • What preventive measures can we take to make sure this doesn't occur in the future?

Reference image: live DoS attack packet flow

  • Why did you block out the destination IP and URL? That might give us some clue as to what is happening. – joeqwerty Dec 06 '20 at 16:20
  • Destination IPs include our website's public IP and the public IPs of a few other legit websites, so we had to block them out. – Akhil Abraham Dec 06 '20 at 17:05
  • A system which is shut down will not be generating hundreds of GB of traffic. Something is either picking a random IP on the subnet, getting one from DHCP (thus it is changing), or similar. Log the MAC address; also easily spoofed, but maybe it gives a clue. – tater Dec 07 '20 at 09:05
  • We need more information in order to help you. Please provide a simple diagram of your network along with relevant device configurations. It's possible that the attacks are coming from the Internet, spoofing your internal IPs. – Ron Trunk Dec 07 '20 at 15:40
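The early-detection question above, together with the two comments suggesting that the source IPs may be spoofed and that the MAC address should be logged, can be turned into a small log check. The following is an added example, not code from the question or its commenters; it assumes a constructed firewall/flow log line format ("epoch src_ip src_mac dst_ip dst_port tcp_flags packet_count") and a hypothetical inventory mapping each internal IP to the MAC it should be using, and flags a source for either a pure-SYN burst or a MAC that does not match the inventory.

```python
from collections import defaultdict

# Constructed sample log lines (hypothetical addresses and MACs), not real data.
SAMPLE_LOG = """\
1607270400 10.0.5.23 aa:bb:cc:00:00:23 203.0.113.10 443 S 4
1607270400 10.0.5.23 aa:bb:cc:00:00:23 203.0.113.10 443 SA 2
1607270401 10.0.5.23 de:ad:be:ef:00:01 203.0.113.10 443 S 4000
1607270401 10.0.5.23 de:ad:be:ef:00:01 198.51.100.7 80 S 3500
1607270401 10.0.5.40 aa:bb:cc:00:00:40 203.0.113.10 443 S 3
1607270402 10.0.5.40 de:ad:be:ef:00:02 203.0.113.10 443 S 5
"""

# Hypothetical inventory: the MAC each internal IP is expected to use.
INVENTORY = {"10.0.5.23": "aa:bb:cc:00:00:23", "10.0.5.40": "aa:bb:cc:00:00:40"}

SYN_PPS_THRESHOLD = 1000  # pure SYNs per second per source; tune to your own baseline


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, src, mac, dst, port, flags, pkts = line.split()
    return {"ts": int(ts), "src": src, "mac": mac, "dst": dst,
            "port": int(port), "flags": flags, "pkts": int(pkts)}


def detect(log_text, inventory, threshold=SYN_PPS_THRESHOLD):
    """Return alerts as (second, src_ip, syn_packets_that_second, unexpected_macs)."""
    syn_per_sec = defaultdict(int)   # (ts, src) -> pure-SYN packets in that second
    bad_macs = defaultdict(set)      # (ts, src) -> MACs claiming src that are not in inventory
    for line in log_text.splitlines():
        rec = parse_line(line)
        key = (rec["ts"], rec["src"])
        if rec["mac"] != inventory.get(rec["src"]):
            bad_macs[key].add(rec["mac"])
        if rec["flags"] == "S":      # count only pure SYNs; SYN/ACK replies are normal
            syn_per_sec[key] += rec["pkts"]
    alerts = []
    for key in sorted(set(syn_per_sec) | set(bad_macs)):
        count, macs = syn_per_sec[key], sorted(bad_macs[key])
        if count >= threshold or macs:
            alerts.append((key[0], key[1], count, macs))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, INVENTORY):
        print("ALERT", alert)
```

Feeding the detector a live export every few seconds gives an alert at the first second of a burst rather than after the firewall's daily report, and the MAC mismatch separates "a host on our LAN is compromised" from "someone is spoofing our address space".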
