
Connections to port 80

These commands show all connections (including the remote IP address) to port 80. If your web server does not run on this port, change the :80 in the commands below. The first command also looks up the country of each address at ip-api.com over plain HTTP, pausing one second between lookups.
Show static view of connections to port 80:

NEW AWESOME COMMAND

 netstat -punt | grep ':80.*ESTAB' | awk '{ print $5 }' | sed -e 's/:[0-9]*$//' -e 's/^::ffff://' | sort | uniq -c | sort -rn | while read -r i; do echo -n "$i "; curl -s "http://ip-api.com/csv/$(echo "$i" | awk '{ print $2 }')" | cut -d',' -f2; sleep 1; done
Example output:
6 x.x.x.x "United States"
5 x.x.x.x Ireland
2 x.x.x.x "United Kingdom"
2 x.x.x.x "South Africa"
2 x.x.x.x China
1 x.x.x.x "United Kingdom"
1 x.x.x.x "Czech Republic"


Second Best command:
netstat -nap | awk '$4~/:80$/{print$5}' | awk -F: '{print$(NF-1)}' | sort | uniq -c | sort -nr | head -20

netstat -plan|grep :80|awk '{print $5}'|cut -d: -f 1|sort|uniq -c|sort -nk 1


netstat -ant | grep -E ":80|:443" | grep -E "ESTABLISHED|SYN_RECV" | awk '{ print $5 }' | sed -e 's/\:\:ffff\://g' | awk -F: '{print $1}' | sort | uniq -c | sort -nr |awk '{print $1 " "$2}'
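
A stricter version of the counting pipelines above, as an added example that is not part of the original page: it matches the local port exactly (so :8080 and outbound connections to a remote port 80 are not counted) and handles IPv4, IPv4-mapped (::ffff:) and IPv6 peers in one pass. The function names and the sample connections are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Sample data below is constructed.

# count_peers PORT [STATES]: read `netstat -ant` output on stdin and print
# "count ip" per remote address, busiest first. Only rows whose LOCAL port
# equals PORT exactly are counted, so :8080 and outbound requests to a remote
# port 80 are ignored.
count_peers() {
    port="$1"
    states="${2:-ESTABLISHED|SYN_RECV}"
    awk -v port="$port" -v states="^(${states})\$" '
        # Port is whatever follows the LAST colon, so IPv6 addresses survive.
        function lport(a,    n, p) { n = split(a, p, ":"); return p[n] }
        # Strip the port, then the IPv4-mapped prefix (::ffff:1.2.3.4).
        function peer(a) { sub(/:[0-9*]+$/, "", a); sub(/^::ffff:/, "", a); return a }
        $1 ~ /^tcp/ && $6 ~ states && lport($4) == port { seen[peer($5)]++ }
        END { for (ip in seen) print seen[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample in `netstat -ant` layout (documentation address ranges).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.5:51234       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51240       ESTABLISHED
tcp        0      0 192.0.2.10:8080         198.51.100.7:40000      ESTABLISHED
tcp        0      0 192.0.2.10:44321        198.51.100.9:80         ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:51300 ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::beef:40000    SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      TIME_WAIT
EOF
}

# Live use: netstat -ant | count_peers 80
sample_netstat | count_peers 80
```

Pass a second argument such as `'ESTABLISHED|SYN_RECV|TIME_WAIT'` to widen the set of TCP states that are counted.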


Show a live view of current connections
while true; do clear;date;echo "";echo "  [Count] | [IP ADDR]";echo "-------------------";netstat -np|grep :80|grep -v LISTEN|awk '{print $5}'|cut -d: -f1|sort|uniq -c; sleep 5;done

Troubleshooting IP Connections

Once you have this output you may want to troubleshoot the location. Is this a DDoS? A DoS?

whois x.x.x.x | grep 'country\|address'
whois x.x.x.x | grep -E 'role:|address:|abuse-mailbox:'

connetctions_to_port.txt · Last modified: 2024/05/23 07:26 by 127.0.0.1