This is the script i used tho check our server if someone is trying to do a DDOS attack on our server. Feel free to modify. This script only checks simultaneous connections on port 80.
<?
$netstat = shell_exec(’netstat –protocol=inet -an | grep :80 | cut -c49-100′);
$netstat = explode(’|', substr(preg_replace(’/\s\s+/’, ‘|’, $netstat), 0, -1));$ips = array();
$status = array();
$combined = array();
$num_connections = count($netstat);for($i = 0; $i < count($netstat); $i++) {
if($i % 2 == 0) {
array_push($ips, substr($netstat[$i], 0, strpos($netstat[$i], ‘:’)));
} else {
array_push($status, $netstat[$i]);
}
}
unset($netstat);for($i = 0; $i < count($ips); $i++) {
if(array_key_exists(’$ips[$i]‘, $combined)) {
$combined[$ips[$i]]++;
} else {
$combined[$ips[$i]] = 1;
}
}
unset($ips);
unset($status);arsort($combined);
print “$num_connections total connections.\n———————-\n”;
print “Remote IP\t Connections\n”;foreach($combined as $key => $num) {
print $key . “\t ” . $num . “\n”;
}
die();?>
This script when run will check on how many remote IP’s are connected and how many simultaneous connections the IP has. If the IP has more than 10 simultaneous connections then you might want to check who owns that IP and you might need to temporarily block the IP if it makes your server slow to respond.
This is the output of the script when run.
1 total connections.
———————-
Remote IP Connections
I just remove the IP’s…. 
![[hackers black book]](http://raxso.net/images/hbb-ani-misuse.gif)
