Find ddos attack on OpenVZ container

Question

How do you figure out which OpenVZ contain is under attack from a dDoS?

I know it is an attack because the b/w and incoming traffic shot WAY up.

Can this be done with netstat? Are some attacks not going to show up on netstat like UDP if they hit a port with no service running? Is there a monitoring service I could maybe install on the host node?

Answer 1

Run tcpdump on the host machine for a while and then analyze the captured packets. The IP that shows up most frequently is likely the target of the attack.