My OVH dedicated server was being DDoS’d and was down for 3 hours. Then a lot of people have been saying its a script because its very hard to DDoS OVH (which it is), someone said its a custom coded method.

Then someone said bet your VAC is not activated.

How do I check?

First, note the ‘VAC secure mode is activated.’ line when the server starts.
You can use the ‘status’ command at any later point and read the output, it would say ‘insecure’ if you had VAC disabled on your server.
I’m quite sure VAC doesn’t prevent or attract DDoS, though. That’s just dumb. There’s no valid logic behind that statement.

How do I get this up?

type “status” in your srcds server console.

It’s the standard console of the dedicated server application.
If you’re hosting it remotely and not using a dedicated machine, chances are you don’t have access to it. In that case, just use the server browser (Steam or legacy one):

The shield icon on the very left means the server has VAC enabled. If it’s missing, VAC is disabled there.

Yes its secure! Now fixing this DDoS problem, maybe some more firewall rules?

You should consult your server provider about that.

Vac can’t prevent ddos/dos attacks. VAC only prevent hackers that have been messing with the dlls.