4 Jul

How to Check for a DDoS Attack on a Server

A quick and useful command for checking whether a server is under a DDoS attack:

netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

This lists each remote IP with its number of connections to the server, sorted in ascending order, so the IPs holding the most connections appear at the bottom.

To count the active connections that are open to your server on port 80, run the following. If this number is more than 800, you might be under attack.

netstat -n | grep :80 | wc -l

To check for SYN attacks, count the port 80 connections in a SYN state. This number should not be more than 100.

netstat -n | grep :80 | grep SYN | wc -l
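The three checks above as one script, as an added example that is not part of the original post. It matches the local port exactly (`grep :80` also matches `:8080` and outbound connections to remote port 80), counts only `SYN_RECV` (`grep SYN` also matches `SYN_SENT`), and keeps IPv6 addresses intact. The function names, the `PORT` variable and the sample data are assumptions; the sample is constructed, and only TCP is counted.

```shell
#!/bin/sh
# Added example: functions read `netstat -ant`-style output on stdin.
PORT=80

# Constructed sample in Linux `netstat -ant` layout (documentation IP ranges).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51000      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51001      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51002      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40000       ESTABLISHED
tcp        0      0 192.0.2.10:8080         203.0.113.9:40001       ESTABLISHED
tcp        0      0 192.0.2.10:44000        203.0.113.20:80         SYN_SENT
tcp6       0      0 2001:db8::10:80         2001:db8::beef:50000    SYN_RECV
EOF
}

# Count connections whose LOCAL port is exactly $PORT; optional arg = TCP state.
count_conns() {
    awk -v port="$PORT" -v st="$1" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            n = split($4, a, ":")          # last field after ":" is the port
            if (a[n] == port && (st == "" || $6 == st)) c++
        }
        END { print c + 0 }'
}

# Per-remote-IP connection counts for $PORT, busiest first.
top_talkers() {
    awk -v port="$PORT" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            n = split($4, a, ":")
            if (a[n] != port) next
            ip = $5; sub(/:[^:]*$/, "", ip)  # strip only the trailing port
            print ip
        }' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Thresholds from the post: 800 total connections, 100 half-open (SYN).
verdict() {  # usage: verdict TOTAL SYN_COUNT
    if [ "$1" -gt 800 ] || [ "$2" -gt 100 ]; then echo suspect; else echo ok; fi
}

# Demo on the constructed sample; on a live host use: netstat -ant | top_talkers
sample_netstat | top_talkers
```

On a live server, `verdict "$(netstat -ant | count_conns)" "$(netstat -ant | count_conns SYN_RECV)"` applies the post's two thresholds in one call.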