Denial of Service (DoS) attacks
All network servers can be subject to denial of service attacks that attempt to prevent responses to clients by tying up the resources of the server. It is not possible to prevent such attacks entirely, but you can do certain things to mitigate the problems that they create.
Often the most effective anti-DoS tool will be a firewall or other operating-system configurations. For example, most firewalls can be configured to restrict the number of simultaneous connections from any individual IP address or network, thus preventing a range of simple attacks. Of course this is no help against Distributed Denial of Service attacks (DDoS).
There are also certain Apache HTTP Server configuration settings that can help mitigate problems:
The RequestReadTimeout directive allows to limit the time a client may take to send the request.
The TimeOut directive should be lowered on sites that are subject to DoS attacks. Setting this to as low as a few seconds may be appropriate. As TimeOut is currently used for several different operations, setting it to a low value introduces problems with long running CGI scripts.
The KeepAliveTimeout directive may be also lowered on sites that are subject to DoS attacks. Some sites even turn off the keepalives completely via KeepAlive, which has of course other drawbacks on performance.
The values of various timeout-related directives provided by other modules should be checked.
The directives LimitRequestBody, LimitRequestFields, LimitRequestFieldSize, LimitRequestLine, and LimitXMLRequestBody should be carefully configured to limit resource consumption triggered by client input.
On operating systems that support it, make sure that you use the AcceptFilter directive to offload part of the request processing to the operating system. This is active by default in Apache httpd, but may require reconfiguration of your kernel.
Tune the MaxRequestWorkers directive to allow the server to handle the maximum number of simultaneous connections without running out of resources. See also the performance tuning documentation.
The use of a threaded mpm may allow you to handle more simultaneous connections, thereby mitigating DoS attacks. Further, the event mpm uses asynchronous processing to avoid devoting a thread to each connection. Due to the nature of the OpenSSL library the event mpm is currently incompatible with mod_ssl and other input filters. In these cases it falls back to the behaviour of theworker mpm.
There are a number of third-party modules available through http://modules.apache.org/ that can restrict certain client behaviors and thereby mitigate DoS problems.
Fonte: https://httpd.apache.org/docs/trunk/misc/security_tips.html