Thread: DDoS Question
  #10  
06-25-2009, 11:54 PM
felosi
Senior Member
 
Join Date: Jun 2007
Posts: 249
Well, what you have here is a classic GET attack. I suppose the site is a php/mysql site? The goal of such an attack is resource exhaustion; they can be difficult to mitigate, but it can be done.

What I first recommend is csf firewall with connection tracking features on; you wanna make a ct_limit of about 25-60 depending on how many connections most legit users make. Then make the ban permanent - ct_perm to 1. Then turn on the mod_security failure blocking.

After you configure all that then include a good mod_security ruleset like the one from gotroot.com. I actually just made an article on my blog with a trimmed down ruleset - http://nix101.com/2009/06/25/light-m...urity-ruleset/
This will block bad and empty user agents.

Then set your litespeed settings as suggested above. I usually keep the connection limits to 5 soft, 15 hard, and even lower if needed, but be careful: legit users may start getting banned. It also has a lot to do with the sites as well. If they have a lot of images and other things to load, it will have more requests per second as well as connections. Optimizing your site will help as well.

Then if all else fails, tail your access_log and see if you see a pattern with the user_agent, like if they are all using the same user_agent. Get that and google it to see if it is a legit one; if not, then just edit one of the mod_security rules for user_agents and put that one in there. Or use iptables string match to get it.

Then if all else fails, try a click-to-enter page, a simple HTML page with an enter link. If the attacker modifies their attack to go directly to index.php or whatever, then you will be fighting a losing war and it is time to think about getting some ddos protection somewhere that has one of the click or captcha pages at the router.

Hope all this helps, good luck
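The "tail your access_log and look for a pattern" step above, done as a small script rather than by eye. This is an added example, not code from the post or from csf/mod_security: it parses Apache/LiteSpeed combined-format lines (the sample lines are constructed, with documentation-range IPs), counts requests per source IP against a csf-style per-IP limit, tallies User-Agent strings so one dominant UA stands out, and lists sources sending an empty or "-" User-Agent, which is what the empty-UA mod_security rules would block.

```python
import re
from collections import Counter

# Apache/LiteSpeed "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(lines, per_ip_limit=25):
    """Return (hot_ips, ua_counts, bad_ua_ips).

    hot_ips:    source IP -> request count, for IPs above per_ip_limit
                (same idea as csf's CT_LIMIT, applied to log lines).
    ua_counts:  requests per User-Agent string; a flood usually shares one UA.
    bad_ua_ips: IPs whose User-Agent is empty or "-".
    """
    per_ip, ua_counts, bad_ua_ips = Counter(), Counter(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip lines that are not in combined format
            continue
        per_ip[rec["ip"]] += 1
        ua_counts[rec["ua"]] += 1
        if rec["ua"].strip() in ("", "-"):
            bad_ua_ips.add(rec["ip"])
    hot_ips = {ip: n for ip, n in per_ip.items() if n > per_ip_limit}
    return hot_ips, ua_counts, bad_ua_ips

def make_sample():
    """Constructed sample log: one host hammering index.php plus normal traffic."""
    fmt = '{ip} - - [25/Jun/2009:23:54:{s:02d} +0000] "GET {path} HTTP/1.1" 200 5120 "-" "{ua}"'
    flood = [fmt.format(ip="203.0.113.7", s=i, path="/index.php",
                        ua="Mozilla/4.0 (compatible; MSIE 6.0)") for i in range(30)]
    normal = [
        fmt.format(ip="198.51.100.4", s=10, path="/index.php", ua="Mozilla/5.0 (X11; Linux) Firefox/3.0"),
        fmt.format(ip="198.51.100.4", s=11, path="/style.css", ua="Mozilla/5.0 (X11; Linux) Firefox/3.0"),
        fmt.format(ip="192.0.2.9", s=12, path="/index.php", ua="-"),
    ]
    return flood + normal

if __name__ == "__main__":
    hot, uas, bad = analyse(make_sample())
    print("over limit:", hot)
    print("top user agents:", uas.most_common(3))
    print("empty user agent from:", sorted(bad))
```

On a live box, replace `make_sample()` with the lines from `tail -n 5000 access_log`; an IP well over the limit whose UA also tops the UA table is the pattern the post describes.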