How to identify a DDoS attack?

First you need to confirm that an attack is actually in progress. To do this, look at the number of Apache processes:

ps aux | grep apache2 | wc -l
ps aux | grep httpd | wc -l

If there are more than 35 processes, you are probably under attack.

Now we need to find the website that is being attacked.

Go to the directory with the access logs of the sites:

cd /var/www/httpd-logs

Pay attention to the files with the largest size:

du -hs *

and analyse the largest one for anomalies:

cat big_log.access.log | awk '{print $1}' | sort | uniq -c

This command shows the number of requests to the website made from each unique IP address.

To investigate the intruder in more detail, empty the log file so that only the traffic arriving right now is recorded:

echo "" > big_log.access.log

Then re-analyse the freshly written log file for anomalies with the same command:

cat big_log.access.log | awk '{print $1}' | sort | uniq -c

If you are using iptables, block the offenders (replace ATTACKER_IP with the address identified in the log):

iptables -I INPUT -s ATTACKER_IP -j DROP
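As an added example (not part of the original page), the log analysis and blocking steps above wrapped into reusable shell functions: requests are counted per client IP, addresses above a threshold are flagged, and the matching iptables rules are printed for review rather than executed. The access log lines are constructed for illustration; the threshold value and the temporary file path are assumptions.

```shell
#!/bin/sh
# Constructed sample of an Apache combined-format access log (not real traffic).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88"
192.0.2.9 - - [10/Oct/2023:13:55:39 +0000] "GET /about HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /style.css HTTP/1.1" 200 811 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88"
EOF

# Print "count ip" pairs, busiest address first.
# Same idea as the page's awk | sort | uniq -c pipeline, with the output
# sorted numerically so the top talkers appear at the top.
requests_per_ip() {
    awk '{print $1}' "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# List only the addresses whose request count exceeds the threshold ($2).
suspicious_ips() {
    requests_per_ip "$1" | awk -v t="$2" '$1 > t {print $2}'
}

# Print the iptables rule for each suspicious address instead of running it,
# so an operator can review the list before applying it.
block_rules() {
    suspicious_ips "$1" "$2" | awk '{print "iptables -I INPUT -s " $1 " -j DROP"}'
}

requests_per_ip "$SAMPLE_LOG"
block_rules "$SAMPLE_LOG" 3   # threshold of 3 requests is an assumed value
```

In the sample, 203.0.113.5 makes 5 requests while the other two addresses stay below the threshold, so only that address appears in the generated rules.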