So I get this a lot… Want to figure out of if you have a DDoS going on… the best way is the apache logs. Use this code to count and sort by IP:
cut -f1 -d ” ” access_log | sort | uniq -c
Just replace access_log with your log name.
More complex you can also try :
awk ‘{!a[$1]++}END{for(i in a) if ( a[i] >10 ) print a[i],i }’