
Not just mod-security, but any decent firewall will provide a number of options that can be employed to reduce the attack surface on the web server, and protect it from threatening endpoints.

For example, HTTP traffic can be inspected to identify threat signatures. A firewall or IDS can be configured to drop packets from a threatening IP address after an attack signature has been identified.

An attack signature might be a blacklisted URL, e.g. /cgi-bin/mail.pl, or it could be a SQL injection attempt, or a buffer overflow attempt, or a DDoS attempt.

The idea is to prevent this traffic from ever reaching the web server machine.
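
An added example, not part of the original comment: a simplified model of the signature-then-block behaviour described above, replayed over constructed access-log lines rather than live packets. The SQL injection pattern, the sample traffic and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Signatures: the path is the one named in the comment; the SQL injection
# pattern is a deliberately simple, constructed illustration.
SIGNATURES = {
    "blacklisted-url": re.compile(r"^/cgi-bin/mail\.pl(?:$|[?/])"),
    "sql-injection": re.compile(
        r"\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
}
# Common Log Format prefix: client IP, timestamp, request line.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')

# Constructed sample traffic (documentation-range addresses).
SAMPLE = [
    '203.0.113.5 - - [10/Oct/2011:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2011:13:55:40 +0000] "GET /cgi-bin/mail.pl HTTP/1.0" 404 0',
    '198.51.100.7 - - [10/Oct/2011:13:55:41 +0000] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.9 - - [10/Oct/2011:13:55:50 +0000] "GET /item?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 99',
    '203.0.113.5 - - [10/Oct/2011:13:56:02 +0000] "GET /about.html HTTP/1.1" 200 300',
]

def match_signature(target):
    """Return the name of the first signature matching the URL-decoded target."""
    decoded = unquote_plus(target)  # decode first so %27 cannot hide a quote
    for name, pattern in SIGNATURES.items():
        if pattern.search(decoded):
            return name
    return None

def filter_traffic(lines):
    """Replay requests in order; once an IP trips a signature, drop all of its traffic."""
    blocked, forwarded, dropped = {}, [], []
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            dropped.append(line)  # unparseable request: fail closed (a design choice)
            continue
        ip = m["ip"]
        if ip not in blocked:
            sig = match_signature(m["target"])
            if sig:
                blocked[ip] = sig  # remember why the address was blocked
        (dropped if ip in blocked else forwarded).append(line)
    return blocked, forwarded, dropped

if __name__ == "__main__":
    blocked, forwarded, dropped = filter_traffic(SAMPLE)
    print(blocked, len(forwarded), len(dropped))
```

The third sample line is an ordinary request, yet it is dropped because its source address was blocked by the request before it.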




Yeah, I forgot about IDS in my reply further up. Web Application Firewalls or Intrusion Detection Systems might have saved this, or they might have just slowed the attackers down.

Also, re: blacklisting DDoS...hahaha, against a real botnet, good luck with that. I could take down RioRey in 30 seconds if I wanted to right now (Google "slowloris.pl") by myself. Kind of hilarious seeing as they sell DDoS protection. All the DDoS prevention in the world can't stop crazy traffic with real-world-emulating usage patterns. It literally is indistinguishable from legitimate traffic if done correctly...just ask PayPal.


Slowloris is in no way a DDoS. It's going to take a competent sysadmin about a minute to find and block the attack. If you've got a gigabit attack, that's a lot harder to block than one person with a misbehaving client.



