If it is getting GET attacks you should really try BARF. It works good, you just have to manually specify the requests the attackers are made. Sometimes they will change them when they realize whats going on but I handle 5 servers with sites getting ddosed all the time and I am able to keep up with them on at least 2 sites I can think of now.
Eventually when i find the right programmer I am going to get it programmed where it detects and blocks on ANY reptitive GET. Now that will be cool. I think you would still have to specify domain to watch for because it would just be too much for it to be checking all domlogs at once.
With BARF, SYND, Csf w/connection tracking and litespeed with proper settings you can pretty much handle anything that gets by your network filters as long as it doesnt consume your pipe.
But there is one bad thing about litespeed I noticed. For example for a lot of these attacking bots they was not giving user agent so we added some mod sec and rewrite rules to stop this. Now all attacking bots get a 403 yet it is totally draining my bandwidth as if it was really getting the image. I think Ill make a post about this here somewhere. Has anyone else noticed this? Also even though attacking bots are getting 403 the lsphp and lshttpd processes are going crazy. I guess where its all based on php - the error pages and all.