I don't mean to be negative, but what makes you think that "site application security" or a migration to Linux will solve this problem?
Depending on how much of a problem downtime is for that site owner, he should really get support from someone who is experienced with this kind of issue, and that's probably exactly what you should be recommending.
He might also want to invest in DDoS mitigation infrastructure, but this is more a financial problem than anything you'd likely be able to help him with...
That said, I find the Arch wiki site on security pretty good, but it's not going to help with DDoS attacks.
You are more likely to find anything useful regarding that if you search with terms such as "apache hardening" or "apache security". Just did it and e.g. this article came up. It also has a section (mod_evasive) that talks about DDoS.
Good luck