Have you even installed mod_evasive and firewall ? We need to know what level of DDOS prevention you are expecting. Solutions are many depending on the budget... software firewall is free
Every attack will be different in some way. Some DDoS attacks exhaust your bandwidth, some exhaust your CPU and some exhaust your available connections. There are plenty of other resources that can be exhausted that are not on this list. Some attacks will only request the one page, some will crawl around the site at random and some will follow a specific path through the site (maybe making fake purchases). You won't know in advance what the attack will look like so it is not possible to make firewall rules to detect it in advance. That said, you can and should prepare your mind for any potential attack by learning how to use tools such as IPTables, tcpdump, WireShark, Snort and mod_evasive. It would also be worthwhile learning how to analyse and interpret your Apache log files because they are likely to be your only window into what has been happening to your site. grep, sort, uniq, awk and cut are your friends here. Learning a scripting language will most likely be very helpful as well. Once you can identify the IP addresses involved in an attack you will want to set up a script that will run every so often to find the latest lot of IP addresses from the log files and add them to a filter. Doing this manually would become very tiresome if the attack is running around the clock. Perl would seem to be the obvious choice here but it's best to go with the language that makes the most sense to you. I believe that Python is very easy to learn and to use. Ease of use will be very important when you are frantically trying to get your site back up and running. There are two important things you can do to prepare your server for a DDoS attack: 1. Make sure you have a way of controlling your server that doesn't rely on its main connection to the internet. Some people have a connection to the serial console accessible from a VPN, some have a virtual KVM switch, some have a second internet connection with a separate IP address, some simply have physical access to their data centre. Whatever it is, if your main internet connection is unusable you will need another way of controlling your server. If your server is unusable, you may need to disconnect it from its main internet connection until it is usable again. 2. Make sure you already have all the necessary tools installed on your server before the DDoS starts. Once you have played around with several different firewalls, packet sniffers, intrusion detection systems and Apache modules on your home machine, make sure you download and install them on your server. That way, when your main internet connection is unusable, you won't have to try to use it to download a firewall.