If it seems lots of connections to the port 80, check which IP is particularly causing it using the command:-

netstat–alntp

netstat -tn 2>/dev/null | grep ‘:80 ‘ | awk ‘{print $5}’ |sed -e ‘s/::ffff://’ | cut -f1 -d: | sort | uniq -c | sort -rn | head

By this, you will get the list of IPs connected to your server ports. If any particular IP is causing problems, you could block the IP on your server using IP tables.
But if the connections to your server is from different IPs, then it will not be a good idea of just keep blocking IPs on your server. In this case you have to search for a domain on your server causing the server load. The steps to search the domain are given below:-

First check by ps -aux command the PID which is using more httpd processes.

Then run the strace command to track system calls made by processes

strace -fpHTTPD_PID(Replace the httpd_pid with thepidyou found above)

strace is a command to track system calls made by processes.
The more traffic a site gets, the more httpd processes access the domains’ files, the more likely you’ll see a lot of domains in the output ofstrace. From here, you will get the domain name.

We can also find out the different types of requests in the domain that’s creating load.  In order to get the domain that’s creating load on the server, use the following method.  Assume the domain name is  “domain.com” and the cPanel username is used “domain”.

You can view the request types GET/HEAD/POST from Apache access log

cd~userdomain/access-logs

Run the following command to view the types of requests that are happening the most

awk‘{print $6}’ domain.com | sort |uniq-c | sort -n

Code breakdown:

awk‘{print $6}’ example.com Use the awkcommand to print out the $6th column of data from the example.com Apache access log which is the request type.
sort |uniq -c | sort -n Sort therequests types, uniquely count them, then finally numerically sort them.

Now you could count of HEAD, POST and GET
GET which means a visitor who request a resource like an HTML page or image, HEAD which is typically a web-browser or bot checking used to see if the file requested has been updated since it was last accessed. And POST means a visitor which has filled out  the information in a form and is POSTing it into the server much like you would see from a login attempt.

View highest requested base URLs from Apache access log

catdomain.com | cut -d\” -f2 |awk‘{print $1 ” ” $2}’ | cut -d? -f1 | sort |uniq-c | sort -n

View highest requested unique URLs from Apache access log

catdomain | cut -d\” -f2 |awk‘{print $1 ” ” $2}’ | sort |uniq-c | sort -n

View response codes fromApache accesslog

Run the following command to view the most common response codes your visitors are causing.
cat domain.com |awk ‘{print $9}’ | sort |uniq -c | sort -n