ModSecurity >=2.5.13 seems to be suggested:
Add a rule:
SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass, setvar:ip.slow_dos_counter=+1,expirevar:ip. slow_dos_counter=60"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" \ "phase:1,t:none,log,drop, msg:'Client Connection Dropped due to high # of slow DoS alerts'"
for more see the Chaptersinwebsecurity presentation at http://www.hybridsec.com/papers/OWAS...l-HTTP-DoS.ppt
(slides 8 - 15). Note just adding these to ModSecurity is not enough: downloading the attack POC and testing it should definitely be the next step to find out if it works as advertised.