I would like my Apache server to fail gracefully with an HTTP 503 when some bot comes along and hammers the site relentlessly.
It doesn't seem to be doing this -- on one of my single-server sites we had an event today, and the bot was able to successfully crowd out most other requests.
Ideally, a given IP could be limited to a certain number of requests or sustained hit rate, or something like that. I think this is what the old mod_throttle was supposed to do, but it doesn't exist any more.
Any good ideas out there so I don't have to reinvent a wheel?
The site uses Drupal (PHP) which is a total memory pig ... a typical high value is 37MB per child process (Yikes!).
My server settings are currently:
<IfModule mpm_prefork_module>
    StartServers 2
    MinSpareServers 2
    MaxSpareServers 2
    # Set MaxClients down from 28 after out of memory event, typical client uses 37MB, usually at least 700MB free for Apache.
    MaxClients 14
    MaxRequestsPerChild 500
</IfModule>
Even after the server had hit what appeared to be MaxClients (based on my monitoring stats) it was not logging anything like a 503 error.
Instead, it's looking like requests are getting queued somewhere. There's no proxy (e.g. squid).
Any good ideas on how I can address this without manual blocking (which is what we did to get rid of this one)?
(Server: Apache 2.2 with PHP 5.2, MySQL, Ubuntu recent with Drupal 6.x custom code.)
Thanks,
Tom