Update (August 26): Request-Range header needs blocked as well.
A few days ago KingCope published a small Perl script to launch DoS attack against Apache HTTPD. The problem is it is too efficient for its own good. I had a good time playing with it and came to some pointers that might help others.
- Make sure that your MPM settings are appropriate for your server resources. For example, you should not expect a 256MB RAM server to run 100 instances of Apache.
- Disable DEFLATE output filter with RemoveOutputFilter DEFLATE.
- Disable Partial Content with headers_module RequestHeader unset Range.