Question
How can I tell if Apache is experiencing a DDoS (Distributed Denial-of-Service) attack?
Answer
If Apache is experiencing a DDoS attack, you may notice that websites on the server are timing out, and errors like the following appear in the Apache error log.
[Wed Aug 05 21:33:21.543968 2020] [mpm_prefork:error] [pid 10431] AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
[Wed Aug 05 21:45:29.942556 2020] [mpm_prefork:error] [pid 13260] AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
[Wed Aug 05 21:50:16.215967 2020] [mpm_prefork:error] [pid 14414] AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
You can verify whether Apache is experiencing a DDoS attack with this command, which shows the top 10 IP addresses from which Apache is receiving connections:
netstat -an | egrep ":80|:443" | egrep '^tcp' | grep -v LISTEN | awk '{print $5}' | egrep '([0-9]{1,3}\.){3}[0-9]{1,3}' | sed 's/^\(.*:\)\?\(\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\).*$/\2/' | sort | uniq -c | sort -nr | sed 's/::ffff://' | head
Alternatively, if the elinks package is installed, you can run the following command to get the number of requests from each client, the client's IP address, the requested domain, and the request type (e.g., GET or POST).
apachectl fullstatus|awk '!/^\s+|^$/{print $12, $14, $15}'|sort |uniq -c|sort -rn|column -t
If you notice a large number of connections from an unrecognized IP address or range, Apache is likely experiencing a DDoS attack.
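The netstat pipeline above matches :80 and :443 anywhere on the line, so it also counts ports such as 8080 and outbound connections the server itself made to remote web servers. The following added example (not part of the original article) counts connections per client by local port only and folds IPv4-mapped IPv6 addresses into IPv4; the function names and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (documentation-range addresses, not real data).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51001       ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.5:51002       SYN_RECV
tcp        0      0 192.0.2.10:443          198.51.100.7:40000      ESTABLISHED
tcp        0      0 192.0.2.10:8080         198.51.100.7:40001      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.9:40002      ESTABLISHED
tcp        0      0 192.0.2.10:55555        198.51.100.20:443       ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:443   ::ffff:203.0.113.5:51003 TIME_WAIT
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:40003 ESTABLISHED
EOF
}

# Hypothetical helper: read netstat output on stdin and print "count ip"
# for the ten busiest clients of the local web ports.
top_web_clients() {
  awk '
    # Match on the LOCAL address (field 4) so port 8080 and outbound
    # connections to remote :443 are not counted as web clients.
    $1 ~ /^tcp/ && $6 != "LISTEN" && $4 ~ /:(80|443)$/ {
      ip = $5
      sub(/:[0-9]+$/, "", ip)   # drop the remote port
      sub(/^::ffff:/, "", ip)   # fold IPv4-mapped IPv6 into plain IPv4
      count[ip]++
    }
    END { for (ip in count) printf "%d %s\n", count[ip], ip }
  ' | sort -k1,1nr -k2,2 | head -n 10
}

# Hypothetical helper: print only clients with at least $1 connections.
over_threshold() {
  top_web_clients | awk -v t="$1" '$1 >= t { print $2 }'
}

# Run against the constructed sample; on a live server use:
#   netstat -ant | top_web_clients
sample_netstat | top_web_clients
```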