There is a similar question here:
The challenge with this question is that it asks for a solution to a fundamentally unsolvable problem. There's no tool or practice you can adopt that is going to protect you from a moderately competent attacker who is determined to take down your service.
mod_evasive is about as good a solution as you're going to get to this problem in the short term. It implements "best practices" throttling of requests, and will prevent your system from being taken down by a 5-line Perl script.
In the longer term, when your application becomes successful, you'll inevitably wind up deploying a load balancer in front of it. The mainstream commercial load balancers (like F5's Big-IP) all implement "DOS protection" throttling, so you can turn that feature on when you upgrade. But don't upgrade just to get that feature.
The problem with solving modern DDOS attacks is that they are launched from numerous unrelated endpoints (often, from huge botnets). Web application firewalls like Citrix/NetScaler, Imperva, and F5 will do a decent job with the canned attacks, but skilled analysts (preferably from your own team) are going to be needed to stop "real" attackers who know your name; you do that job by analyzing the attack traffic, finding characteristics in it particular to the attacker, and filtering it.
I think you're on the right track with free "plug-and-play" defenses for this, especially with a new application.
@tqbf
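The traffic-analysis step described in the answer above can be sketched as follows. This is an added example, not part of the original answer: it compares a suspect window of access-log lines against a normal baseline and reports request attributes that dominate the window but are rare in the baseline, which are the candidates for a filter rule. The log lines, IP addresses (documentation ranges), the `FloodAgent/1.0` string and the `min_share`/`min_lift` thresholds are all constructed assumptions.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log format
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
FEATURES = ("method", "path", "referer", "agent")

def feature_counts(lines):
    """Count (feature, value) pairs over the lines that parse."""
    counts, total = Counter(), 0
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        total += 1
        for f in FEATURES:
            counts[(f, m.group(f))] += 1
    return counts, total

def distinguishing_features(baseline, window, min_share=0.5, min_lift=5.0):
    """Values frequent in the window but rare in the baseline, highest lift first."""
    base, base_n = feature_counts(baseline)
    cur, cur_n = feature_counts(window)
    out = []
    for key, n in cur.items():
        share = n / cur_n
        # Add-one smoothing so a value never seen in the baseline has finite lift.
        base_share = (base[key] + 1) / (base_n + 1)
        lift = share / base_share
        if share >= min_share and lift >= min_lift:
            out.append((key[0], key[1], round(share, 2), round(lift, 1)))
    return sorted(out, key=lambda r: -r[3])

def _line(ip, path, referer, agent):
    return (f'{ip} - - [01/Jan/2024:00:00:00 +0000] "GET {path} HTTP/1.1" '
            f'200 512 "{referer}" "{agent}"')

# Constructed sample data: 8 normal requests, then a window dominated by a flood.
BASELINE = [_line(f"192.0.2.{i}", p, "https://example.test/", f"Browser/{i}")
            for i, p in enumerate(["/", "/about", "/search?q=a", "/",
                                   "/docs", "/login", "/", "/blog"])]
WINDOW = BASELINE[:2] + [_line(f"203.0.113.{i}", "/search?q=a", "-", "FloodAgent/1.0")
                         for i in range(8)]

if __name__ == "__main__":
    for row in distinguishing_features(BASELINE, WINDOW):
        print(row)
```

On this sample the flood's User-Agent and empty referer are reported, while the `/search?q=a` path is not, because legitimate clients in the baseline request it too; filtering on the path alone would block real users.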