Following netstat commands will help to check different aspects of DoS attack.

To show a list IP address’s and its number of connections to port 80 of the web server

#netstat -plan|grep :80|awk {‘print $5’}|cut -d: -f 1|sort|uniq -c|sort -nk 1

To check ESTABLISHED connections instead of all connections, and display the number of connections for each IP.

#netstat -ntu | grep ESTAB | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -nr

To count the number of connections each IP address makes to the server.

#netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n