I've just had to fight a DDoS on a server, and I used a bash one-liner to have a very rough overview of the picture from the logs.
Once you know you've got a DDoS on your back, here's a quick reminder of how to count, in the last 1000 requests (number is arbitrary, but provides an interesting view when there are many requests), which IPs are doing the most requests:
tail -n 1000 /var/log/apache2/other_vhosts_access.log | awk '{print $2}' | cut -d: -f1 | sort | uniq -c | sort -n
You can then see who's causing the trouble and DROP those IPs with iptables. Of course, make sure that the requests they are doing seem to be illegitimate first.
The above command is tailored for apache, on a debian squeeze server with all vhosts using the default "other_vhosts_access.log" file, with the vhost name at the begining of each line. But you can adapt it to parse nginx logs, too. You only have to have awk print out each IP address from the right field.