There was something similar. There was no time to understand - a knee crutch
IT was invented in crowns for every 5 minutes.
#!/bin/sh
tcpdump -c 20000 -n -i en0 dst host HOST and dst port 80> /var/tcpdump.log
cat /var/tcpdump.log | cut -d' ' -f3 | cut-d'.' -f1,2,3,4 | sort | uniq -c | sort -r -n > /var/block.txt
cat /var/block.txt | while read tt ip; do
if [ "$tt" -ge "70" ]; then
ipfw table 50 add $ip
fi
done
plus the line
ipfw add 1 deny ip from table\(50\) to me 80
prevented the service from crashing at the time.
you can also offer nginx in reverse mode with the return of statics past Apache, plus user agent filtering, plus a bunch of everything.