Apache has many differing mpms - you can use an evented mpm similar to how nginx handles connections. Anyways since this 'attack' is making a full tcp connection a simple fix would be to limit the amount of full tcp connections from one source.. or if you feel particularly evil add it to a blacklist of tarpitted connections and then reverse DOS the attacker.