How to identify a DDoS attack?
First you need to perform a presence attack, to do this, look at the number of Apache processes.
Debian:
ps aux | grep apache2 | wc -l
CentOS:
ps aux | grep httpd | wc -l
If processes more than 35, probably you are attack.
Now, we need to find the website on which the attack.
Go to the directory with the access logs of the sites:
cd /var/www/httpd-logs
Pay attention to files with a larger size:
du -hs *
and analyzed for anomalies:cat big_log.access.log | awk '{print $1}' | sort | uniq -c
This command will show the number of request to a website with a unique IP.
For a more detailed investigation of the intruder, clear the log file:
echo "" > big_log.access.log
And re-analyse the log file for anomalies by performing the command:
cat big_log.access.log | awk '{print $1}' | sort | uniq -c
If you are using iptables, block the offenders:
iptables -I INPUT -s 1.1.1.1 -j DROP