Linux Server under DDoS Attack

To find out which IPs are sending the flood, run the following command against the web server's access log (here logfile.log); the first space-separated field of an Apache or Nginx access log line is the client address:

tail -n 10000 logfile.log | cut -f 1 -d ' ' | sort | uniq -c | sort -nr | more

The IP addresses at the top of the list are the candidates to block. Two caveats: if the server sits behind a reverse proxy or CDN, the first field is the proxy's address and the real client is in the X-Forwarded-For header, so count and block on that instead; and in a genuinely distributed attack the requests are spread over thousands of addresses, so no handful of IPs stands out and blocking individual sources will not help much.

Another way is to look at which resources are being requested (the second quoted field of the log line is the request line, and its second word is the path):

cut -f 2 -d '"' logfile.log | cut -f 2 -d ' ' | sort | uniq -c | sort -nr | more

You will probably see that they are all requesting one specific resource that is known to be a common attack target. For example, a common attack against WordPress would be:

GET /index.php? HTTP/1.0
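The following script is an added example, not code from the original post. It runs both frequency counts from the post (top source IPs, then top requested paths) over a combined-format access log and then derives a candidate block list above a request threshold, with an allow list so that monitoring hosts or upstream proxies are never blocked. The log lines written by write_sample_log are constructed sample data using RFC 5737 documentation addresses, and the function names (top_ips, top_paths, blocklist, drop_rules) and the threshold of 3 are my own choices.

```shell
#!/bin/sh
# Added example, not code from the original post: run the two frequency
# counts from the post over an Apache/Nginx combined-format access log,
# then derive a candidate block list above a request threshold.
# The log lines in write_sample_log are constructed sample data; the IPs
# are from the RFC 5737 documentation ranges.

LOG="${LOG:-$(mktemp)}"

# Write a small constructed access log: one noisy client hammering
# /index.php?, one probing /xmlrpc.php, one monitoring host we must not
# block, and one ordinary visitor.
write_sample_log() {
    cat > "$LOG" <<'EOF'
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php? HTTP/1.0" 200 512 "-" "-"
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php? HTTP/1.0" 200 512 "-" "-"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php? HTTP/1.0" 200 512 "-" "-"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php? HTTP/1.0" 200 512 "-" "-"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php? HTTP/1.0" 200 512 "-" "-"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php? HTTP/1.0" 200 512 "-" "-"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 231 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "POST /xmlrpc.php HTTP/1.1" 200 231 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "POST /xmlrpc.php HTTP/1.1" 200 231 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:43 +0000] "POST /xmlrpc.php HTTP/1.1" 200 231 "-" "Mozilla/5.0"
192.0.2.100 - - [10/Oct/2023:13:55:30 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "uptime-probe/1.0"
192.0.2.100 - - [10/Oct/2023:13:55:40 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "uptime-probe/1.0"
192.0.2.100 - - [10/Oct/2023:13:55:50 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "uptime-probe/1.0"
192.0.2.100 - - [10/Oct/2023:13:56:00 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "uptime-probe/1.0"
192.0.2.100 - - [10/Oct/2023:13:56:10 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "uptime-probe/1.0"
192.0.2.5 - - [10/Oct/2023:13:55:45 +0000] "GET /about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
EOF
}

# Top N client IPs by request count (field 1 of the combined log format).
# Behind a reverse proxy or CDN field 1 is the proxy, and the real client
# sits in the X-Forwarded-For header, so log and count that instead.
top_ips() {
    cut -d ' ' -f 1 "$LOG" | sort | uniq -c | sort -rn | head -n "${1:-10}"
}

# Top N requested paths: the second quoted field is the request line
# "METHOD /path HTTP/x", and its second space-separated word is the path.
top_paths() {
    cut -d '"' -f 2 "$LOG" | cut -d ' ' -f 2 | sort | uniq -c | sort -rn | head -n "${1:-10}"
}

# Candidate block list: IPs with more than $1 requests, excluding any
# allow-listed IPs passed as further arguments (monitoring, your own
# offices, upstream proxies). Output is one IP per line.
blocklist() {
    threshold="$1"; shift
    allow=" $* "
    cut -d ' ' -f 1 "$LOG" | sort | uniq -c \
        | awk -v t="$threshold" -v a="$allow" \
              '$1 > t && index(a, " " $2 " ") == 0 { print $2 }'
}

# Render the block list as firewall rules for review; nothing is applied.
# Plain iptables rules are fine for a quick response; an nftables set or a
# fail2ban jail is easier to maintain for a long-running attack.
drop_rules() {
    blocklist "$@" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

write_sample_log
echo "== top source IPs =="; top_ips 5
echo "== top requested paths =="; top_paths 5
echo "== proposed drop rules (threshold 3, allow 192.0.2.100) =="
drop_rules 3 192.0.2.100
```

Point LOG at a real access log (`LOG=/var/log/nginx/access.log sh ddos-triage.sh`) and raise the threshold to something that separates the flood from normal traffic; review the printed rules before piping them into a shell, since a mistyped allow list will lock out your own probes.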