Massive Apache Connections

Got called a few days back by a customer saying their site was down. I logged into the server to find the load at around 200. Even for a dual quad-core Xeon, this was too high. I found that a few choice folks were leeching content from his website and/or he had a potential DDoS coming in. I enabled mod_status and ran the following one-liner to give me the top ten offenders by number of active connections to Apache:

 

# Top ten clients by number of active Apache connections (needs mod_status)
lynx --dump --width=132 localhost/server-status | \
grep "[[:space:]]*[0-9]*-[0-9]" | \
awk '{print $11}' | \
grep -v "::" | \
sort | \
uniq -c | \
sort -rn | \
head -10

 

The grep regex only works on Apache 2 and later. It would have to be tuned to work properly on old Apache 1 installations.

With this information, I'm able to either take individual hosts or whole segments and add them to the local iptables to keep things under control.
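
The same tally extended to whole segments, as an added example that is not from the original post: it counts worker rows per IPv4 client in awk, so the result does not depend on row order, and rolls the same rows up to /24 networks. The function names, the /24 grouping, the default client column (11) and the sample rows are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, the /24
# grouping and the sample rows below are assumptions for illustration.

# Constructed sample of worker rows from a server-status dump
# (layout with the client address in field 11, as the one-liner assumes).
sample_status() {
cat <<'EOF'
Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
0-0 2301 0/12/340 W 0.10 2 0 0.0 0.05 1.20 203.0.113.7 www.example.com GET /a.jpg HTTP/1.1
1-0 2302 0/9/311 W 0.08 1 0 0.0 0.02 0.97 198.51.100.20 www.example.com GET /b.jpg HTTP/1.1
2-0 2303 0/4/298 K 0.05 3 1 0.4 0.01 0.88 203.0.113.7 www.example.com GET /c.jpg HTTP/1.1
3-0 2304 0/7/305 W 0.07 0 0 0.0 0.03 0.91 203.0.113.9 www.example.com GET /d.jpg HTTP/1.1
4-0 2305 0/2/120 _ 0.01 9 0 0.0 0.00 0.10 ::1 www.example.com OPTIONS * HTTP/1.0
5-0 2306 0/5/280 W 0.06 1 0 0.0 0.02 0.80 203.0.113.7 www.example.com GET /e.jpg HTTP/1.1
6-0 2307 0/3/270 W 0.04 2 0 0.0 0.01 0.75 198.51.100.20 www.example.com GET /f.jpg HTTP/1.1
EOF
}

# client_counts [column]: "count address" per IPv4 client, busiest first.
# Header lines and IPv6 entries such as ::1 are skipped.
client_counts() {
    awk -v col="${1:-11}" '
        $1 ~ /^[0-9]+-[0-9]+$/ &&
        $col ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$col]++ }
        END { for (ip in n) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# segment_counts [column]: the same rows rolled up to /24 networks.
segment_counts() {
    awk -v col="${1:-11}" '
        $1 ~ /^[0-9]+-[0-9]+$/ &&
        $col ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($col, o, ".")
            n[o[1] "." o[2] "." o[3] ".0/24"]++
        }
        END { for (net in n) print n[net], net }
    ' | sort -k1,1nr -k2,2
}

# Run both views over the constructed sample.
sample_status | client_counts | head -10
sample_status | segment_counts | head -10
```

On a live server, replace `sample_status` with the `lynx --dump --width=132 localhost/server-status` call from the one-liner, and pass a different column number if the client address is not in field 11 of your server-status output.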