Obviously having to wait for an attack to be successful, then responding by blocking the source IP is not a good long term strategy so I’ve made changes to Apache to fix this.
I added a QoS module to Apache and configured it to mitigate this type of attack in the future, actually this type or another where the full request isn’t sent tying up processes.
Either way there is now a limit on connections per IP that will prevent one attacker from tying up the entire server, and timeouts on connections that are stalled or sending below a threshold (presently sent to 500 characters / second).
This should mitigate this type of slow http attack in the future.
 
