How to identify a DDoS attack?

harrygreen90

Hello all,

I'm new to this. How do you know or identify if my VPS is under a DDoS attack?

Thanks in advance.
Harry G.
 

LJSHost

This is not a simple question to answer. Servers can be attacked via DDoS in many different ways, from packet attacks to a particular service being targeted, such as Apache.

This command will show the IPs that are connecting to the server and how many connections exist from each IP:
Code:
 netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
If it's a zombie bot attack, you will see many thousands of connections.

Show the active connections to Apache:

Code:
 netstat -apn | grep :80 | wc -l

DDoS is not really something dealt with on the server level but rather the network level. I recommend CSF firewall and its included DDoS protection; it will start blocking IPs when it detects huge amounts of connections or raw traffic.

Hope this helps
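
A stricter version of the per-IP count from the post above, as an added example that is not part of the original thread: it matches the local port exactly, keeps IPv6 addresses whole, skips listening sockets and reports half-open (SYN_RECV) connections separately. The function names, the threshold and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. On a live server the input would be:
#   netstat -ant | conn_summary 80 100

# Reads `netstat -ant` lines on stdin. Prints "total syn_recv remote_ip" for
# every remote address with at least $2 TCP connections to local port $1.
conn_summary() {
    awk -v port="$1" -v min="$2" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            laddr = $4; raddr = $5
            # Anchor the port at the end so :80 does not also match :8080.
            if (laddr !~ (":" port "$")) next
            # Strip only the trailing :port; IPv6 addresses stay intact.
            sub(/:[0-9]+$/, "", raddr)
            total[raddr]++
            # Many half-open connections from one source suggest a SYN flood.
            if ($6 == "SYN_RECV") half[raddr]++
        }
        END {
            for (ip in total)
                if (total[ip] >= min)
                    printf "%d %d %s\n", total[ip], half[ip] + 0, ip
        }' | sort -rn
}

# Constructed sample input using documentation address ranges.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.5:51001       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51002       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51003       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40022      ESTABLISHED
tcp        0      0 192.0.2.10:8080         203.0.113.5:51004       ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.7:40100      ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::beef:40000    ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::beef:40001    ESTABLISHED
EOF
}

# Sources with 2 or more connections to port 80 in the sample.
sample_netstat | conn_summary 80 2
```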
 

GswHosting

I would recommend installing mod_security; I know that it can handle some DDoS attacks.
Maybe it's better to combine it with CSF firewall.
 