DDOS check via number of connections
A quick and usefull command for checking if a server is under DDOS is
That will list the IPs taking the most amount of connections to a server. It is important to remember that the ddos is becoming more sophistcated and they are using fewer connections with more attacking ips. If this is the case you will still get low number of connections even while you are under a DDOS.
this MUST be executed in one line via SSH
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
additionally you can check the connection ports here
lsof | grep ESTABLISHED
lsof | grep LISTEN
lsof -p PID
