The commands below show the number of active connections open on your server. Many attacks work by opening a connection to the server and then never sending a reply, making the server wait until the connection times out. The count from the first command will vary widely, but if you are much above 500 you are probably having problems. If the count from the second command is over 100, you are having trouble with a SYN attack.
# netstat -n | grep :80 |wc -l
# netstat -n | grep :80 | grep SYN |wc -l
Then check your log for the IP address with the most connections. The command below lists the number of hits per IP address in the last 10000 lines of your access log…
# cd /var/log/httpd
# tail -n 10000 access_log|cut -f 1 -d ' '|sort|uniq -c|sort -nr|more
The next command looks at the currently active connections to see which IP addresses are connecting to port 80. You might need to alter the cut -c 45-, as the IP address may not start at column 45. If someone were doing a UDP flood to your webserver, this would pick it up as well.
# netstat -n|grep :80|cut -c 45-|cut -f 1 -d ':'|sort|uniq -c|sort -nr|more
Then block the IP address with the command below…
# route add ipaddress reject
# killall -KILL httpd
# service httpd start
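The connection checks above, as an added example (not part of the original page) that splits netstat -n output into fields with awk instead of relying on cut -c 45-, and counts only rows whose local port is exactly 80. The function names and the sample netstat output are constructed for illustration; the 500 and 100 thresholds are the rules of thumb given above.

```shell
#!/bin/sh
# Added example: field-based parsing of `netstat -n`, so nothing depends on
# the address starting at a fixed column, and :8080 is not counted as :80.

# Constructed sample of Linux `netstat -n` output (documentation addresses).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51001       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51002       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40000      ESTABLISHED
tcp        0      0 192.0.2.10:8080         198.51.100.9:40001      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.7:40002      ESTABLISHED
tcp        0      0 192.0.2.10:45000        198.51.100.20:80        ESTABLISHED
EOF
}

# Keep only TCP rows whose LOCAL address (field 4) ends in ":80".
port80_rows() { awk '$1 ~ /^tcp/ && $4 ~ /:80$/'; }

# Total connections to local port 80.
count_port80() { port80_rows | wc -l | tr -d ' '; }

# Half-open (SYN_RECV) connections to local port 80.
count_syn() { port80_rows | awk '$6 == "SYN_RECV"' | wc -l | tr -d ' '; }

# Connections per remote IP, busiest first, printed as "<count> <ip>".
per_ip() {
  port80_rows |
    awk '{ ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++ }
         END { for (ip in n) print n[ip], ip }' |
    sort -k1,1nr -k2,2
}

# Apply the rule-of-thumb thresholds: over 100 SYN, or above 500 total.
verdict() {  # usage: verdict TOTAL SYN
  if [ "$2" -gt 100 ]; then echo "syn-attack"
  elif [ "$1" -gt 500 ]; then echo "too-many-connections"
  else echo "ok"
  fi
}

# Demo on the constructed sample. On a live host: netstat -n | per_ip
sample_netstat | per_ip
```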