You've already mentioned the two main modules for Apache that most would use.

Are you being hit by DDoS attacks?

For the most part, DDoS is paranoid FUD, millions of sites online, why would they target yours?

I think worrying about DDoS is a complete waste of time. My biggest site has only been the victim of an actual DDoS about 5 times since '96 which isn't worth the effort to deal with it. Just call the host when it happens and they'll quash it because it kills their bandwidth during the attack, it's in their best interest to shut it down.

Not to mention, you won't be the only one in the hosting rack impacted by the DDoS attack. Everyone on your end of the network will be running slower than hell and people will be complaining to the host. Last time I thought I was having a DDoS attack it was actually someone else's server in the same rack being attacked, not mine, so having any DDoS protection on my server would've been completely useless.

If your hosting company doesn't have DDoS controls in place, which many do these days, you should be looking for a new hosting company to solve your DDoS issues instead of worrying about software.

With all that said, bad spiders crawling a server too fast aren't DDoS and won't be stopped by traditional DDoS software. Doing some whitelisting of allowed bots and kicking the rest to the curb, especially some of the really greedy fast crawlers that hit from Asia, will be time better spent.