Run this command:

netstat -alpn | grep :80 | awk '{print $5}' |awk -F: '{print $(NF-1)}' |sort | uniq -c | sort -n

This is not exactly going to say YES your under attack, this code will return IP address that connected to your server and how many connection they made to your server.

By looking at the number connections you should know what are the chances of a client from that particular IP connecting to your server and require that many connections!

Above code will return results like this:

1
1 xxx.xxx.xxx.xxx
2 xxx.xxx.xxx.xxx
50 xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx = IP address

Number in the First column is the Number of connections established from that particular IP address. (NumberofConnections [SPACE] IP Address)

You will see that there is huge jump in number of connections from one or many IP’s (50 is for demonstration only how many is up to you). Many servers do not require having that many connections from a single IP. What to do next, is your choice, you could install security mods and setup firewalls to block these IP’s and so on. Do a little google search and you will find lots and lots of answers on “how to block DDoS attack?”