I use 4.6.10 on php5, MySQL 4.0.24

I recently installed Bad Behavior 1.2.4, and this caught my attention:

Request type POST
Host www.denmarkonline.dk
URI /comment/reply/112/70/comment/reply/112
Protocol HTTP/1.0
Referer http://www.denmarkonline.dk/comment/reply/112/70
User Agent Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1a) Gecko/20020611
Headers POST /comment/reply/112/70/comment/reply/112 HTTP/1.0 Accept: */* Connection: keep-alive Cookie: PHPSESSID=2c8c90d929a81689a8802f19a41ccf70 Expect: 100-continue Host: www.denmarkonline.dk Pragma: no-cache Referer: http://www.denmarkonline.dk/comment/reply/112/70 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1a) Gecko/20020611
Request Entity edit: Array op: Gennemse kommentar
Denied Reason Header 'Expect' prohibited in HTTP/1.0 requests
Response 403

Look at the PHPSESSID. It looks like somebody found a way to hack the Drupal core system to post spam comments. Is my assumption correct?

Comments

yelvington’s picture

Botnet attacks are becoming a serious problem. I've experienced several attacks in which literally thousands of simultaneous requests resulted in the "too many connections" error, rendering the site useless.

The problem you cited looks like a Drupal-specific attempt to post blog spam by a poorly written bot that is faking its identity as a Mozilla-based browser. As I understand it the 4.7.4/4.6.10 changes in form handling are intended to stop some of that from making it into the database but you still incur the expense of the hits.

If you root around in your logs you may find simultaneous assaults from multiple addresses at the same time. That's a pretty clear botnet signature. They come in several flavors -- attempts to post blog spam, attempts to push fake HTTP referers into logfiles and trackbacks, Microsoft-specific virus infection attempts, and plain old denial-of-service attacks.

There are some improvements in the .htaccess file of recent Drupal releases that can help with some types of attacks (not the one you cited), and you can add a few lines of your own to drop connections for specific types of probes. You should be sure Drupal isn't trying to serve 404s for any image directories, etc., or any of the common Microsoft attacks. If you want you can just have Apache redirect them to the source of the problem:

# RedirectMatch takes a regex that is matched anywhere in the URL path, so the
# patterns are anchored with ^ here; an unanchored /c/ or /d/ would also catch
# legitimate URLs such as /docs/c/index.html.
RedirectMatch ^/_vti_bin/ http://www.microsoft.com
RedirectMatch ^/scripts/ http://www.microsoft.com
RedirectMatch ^/MSADC/ http://www.microsoft.com
RedirectMatch ^/c/ http://www.microsoft.com
RedirectMatch ^/d/ http://www.microsoft.com
RedirectMatch ^/_mem_bin/ http://www.microsoft.com
RedirectMatch ^/msadc/ http://www.microsoft.com
RedirectMatch ^/MSOffice/ http://www.microsoft.com

... and/or just drop the connection ...

# Requires mod_rewrite to be enabled (Drupal's stock .htaccess already does this).
RewriteEngine On
# Every condition except the last carries [OR]; without it, adjacent conditions
# are ANDed and the referer would have to match both words to be blocked.
RewriteCond %{HTTP_REFERER} (casino) [NC,OR]
RewriteCond %{HTTP_REFERER} (cialis) [NC,OR]
RewriteCond %{HTTP_REFERER} (viagra) [NC,OR]
RewriteCond %{HTTP_REFERER} (cheating-?wives) [NC,OR]
RewriteCond %{HTTP_REFERER} (housewives) [NC,OR]
RewriteCond %{HTTP_REFERER} (insurance) [NC]
# Any URL: answer 403 Forbidden and stop processing further rules.
RewriteRule .* - [F,L]

et cetera.
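The two things yelvington suggests looking for, referer spam and probes for Microsoft-specific paths, plus the "many addresses at the same time" botnet signature, can be checked offline against an access log before touching .htaccess. The script below is an added example, not code from the thread or from Drupal or Bad Behavior; the log lines are constructed (TEST-NET addresses, made-up times and paths), and the keyword list and path prefixes mirror the rules quoted above. The window and threshold values are sized for the tiny sample; on a real log they would be far higher.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample in Apache "combined" log format. Not taken from any real site.
LOG_LINES = """\
203.0.113.5 - - [05/Nov/2006:10:00:01 +0100] "POST /comment/reply/112/70 HTTP/1.0" 403 212 "http://www.denmarkonline.dk/comment/reply/112/70" "Mozilla/5.0"
203.0.113.6 - - [05/Nov/2006:10:00:01 +0100] "POST /comment/reply/112/70 HTTP/1.0" 403 212 "http://www.denmarkonline.dk/comment/reply/112/70" "Mozilla/5.0"
203.0.113.7 - - [05/Nov/2006:10:00:02 +0100] "POST /comment/reply/112/70 HTTP/1.0" 403 212 "http://www.denmarkonline.dk/comment/reply/112/70" "Mozilla/5.0"
203.0.113.8 - - [05/Nov/2006:10:00:02 +0100] "POST /comment/reply/112/70 HTTP/1.0" 403 212 "http://www.denmarkonline.dk/comment/reply/112/70" "Mozilla/5.0"
198.51.100.9 - - [05/Nov/2006:10:05:00 +0100] "GET /node/3 HTTP/1.1" 200 5120 "http://cheap-viagra.example/" "Mozilla/4.0 (compatible)"
198.51.100.10 - - [05/Nov/2006:10:07:30 +0100] "GET /_vti_bin/probe.dll HTTP/1.0" 404 310 "-" "-"
198.51.100.11 - - [05/Nov/2006:10:09:00 +0100] "GET /node/4 HTTP/1.1" 200 4096 "http://www.denmarkonline.dk/" "Mozilla/5.0"
192.0.2.12 - - [05/Nov/2006:10:10:00 +0100] "GET /docs/c/index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Same words as the RewriteCond chain in the comment above, ORed and case-insensitive.
REFERER_SPAM = re.compile(r"casino|cialis|viagra|cheating-?wives|housewives|insurance", re.I)
# Same directories as the RedirectMatch list, compared case-insensitively.
PROBE_PREFIXES = ("/_vti_bin/", "/scripts/", "/msadc/", "/c/", "/d/", "/_mem_bin/", "/msoffice/")


def parse_log(text):
    """Parse combined-format lines; lines in another format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def classify(entry):
    """Label one request: referer spam, Microsoft-path probe, or allowed."""
    if REFERER_SPAM.search(entry["referer"]):
        return "referer-spam"
    # Anchored at the start of the path: matching /c/ or /d/ anywhere in the URL
    # would also hit legitimate pages such as /docs/c/index.html.
    if entry["path"].lower().startswith(PROBE_PREFIXES):
        return "ms-probe"
    return "allowed"


def summarize(entries):
    """Count how many requests fall into each class."""
    return Counter(classify(e) for e in entries)


def burst_sources(entries, window=5, threshold=4):
    """Find time buckets of `window` seconds hit by at least `threshold` distinct IPs.

    Many different addresses inside one short window is the botnet signature
    described in the thread; a single busy client never trips this.
    """
    buckets = defaultdict(set)
    for e in entries:
        buckets[int(e["ts"].timestamp()) // window].add(e["ip"])
    return [
        (datetime.fromtimestamp(k * window, tz=timezone.utc).isoformat(), len(ips))
        for k, ips in sorted(buckets.items())
        if len(ips) >= threshold
    ]


if __name__ == "__main__":
    entries = parse_log(LOG_LINES)
    print(dict(summarize(entries)))
    for start, n in burst_sources(entries):
        print(f"{n} distinct sources within one window starting {start}")
```

The classification is deliberately the same logic as the .htaccess rules so that the counts it prints tell you what those rules would have refused; run it over yesterday's log first, and only then decide whether the keyword list is too broad for your audience (a site that legitimately discusses insurance, for example, would block its own referrers).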

drubeedoo’s picture

Thanks for the detailed and humorous reply. I never would have thought of sending the MS weakness-probing bots back to their sandbox. You made my day... ;-)

kbahey’s picture

If you see the result, it is a 403, which means access denied.

So, the bot's attempt to post spam at your site was unsuccessful, either because the bot used invalid code (specifying HTTP/1.0 and using Expect at the same time) or because the session ID is not for a logged-in user as well. That ID can just be what got sent to the bot in earlier requests.

I agree with yelvington that bots are a serious problem, and if they do no real damage, they do suck system resources. There is no foolproof generic solution yet.
--
Drupal development and customization: 2bits.com
Personal: Baheyeldin.com

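kbahey's point, and the "Denied Reason" in the original record, both come down to one protocol fact: the Expect header exists only in HTTP/1.1, so a client that labels its request HTTP/1.0 and sends Expect is not the browser its User-Agent claims to be. The following is an added example, not Bad Behavior's own code, that parses a raw request (either on the wire with CRLF separators or flattened onto one line the way the module's log displays it) and reproduces that check; the sample request is reconstructed from the record in the first post, and the second check (Host required in HTTP/1.1) is an extra one of the same kind.

```python
import re

# Constructed sample: the request from the thread's Bad Behavior record, with the
# headers flattened onto one line as the module shows them.
RAW_REQUEST = (
    "POST /comment/reply/112/70/comment/reply/112 HTTP/1.0 "
    "Accept: */* Connection: keep-alive "
    "Cookie: PHPSESSID=2c8c90d929a81689a8802f19a41ccf70 "
    "Expect: 100-continue Host: www.denmarkonline.dk Pragma: no-cache "
    "Referer: http://www.denmarkonline.dk/comment/reply/112/70 "
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1a) Gecko/20020611"
)

REQUEST_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(HTTP/\d\.\d)\s*(.*)$", re.S)
# A header boundary is whitespace (a space in the flattened log, CRLF on the wire)
# followed by "Name:" and a space. "rv:1.1a" and "http://" are not boundaries
# because no whitespace follows their colon.
HEADER_BOUNDARY = re.compile(r"\s+(?=[A-Za-z][A-Za-z0-9-]*:\s)")


def parse_request(raw):
    """Split a raw or log-flattened HTTP request into method, URI, version and headers."""
    m = REQUEST_LINE.match(raw.strip())
    if not m:
        raise ValueError("not an HTTP request")
    method, uri, version, rest = m.groups()
    headers = {}
    for part in HEADER_BOUNDARY.split(rest):
        if ":" not in part:
            continue
        name, value = part.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "version": version, "headers": headers}


def denial_reason(req):
    """Return why the request would be refused, or None if these checks pass."""
    h = req["headers"]
    # Expect is defined only for HTTP/1.1 (RFC 2616 section 14.20); sending it in an
    # HTTP/1.0 request is the reason logged in the thread.
    if req["version"] == "HTTP/1.0" and "expect" in h:
        return "Header 'Expect' prohibited in HTTP/1.0 requests"
    # Host is mandatory in HTTP/1.1 (RFC 2616 section 14.23).
    if req["version"] == "HTTP/1.1" and "host" not in h:
        return "Header 'Host' required in HTTP/1.1 requests"
    return None


def check(raw):
    """Parse and check in one step; returns the denial reason or None."""
    return denial_reason(parse_request(raw))


if __name__ == "__main__":
    req = parse_request(RAW_REQUEST)
    print(req["version"], sorted(req["headers"]))
    print(denial_reason(req))
```

Note what the check does and does not tell you: it proves the client is malformed, not that the session cookie was stolen. As kbahey says, a PHPSESSID in a bot's request is most simply explained by the bot having been issued one on an earlier visit, which is why the refusal here rests on the protocol violation rather than on the cookie.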

FlemmingLeer’s picture

I think the 403 is a result of the Bad Behavior module, which blocked the attempt. I don't know if it would have been blocked without the module.

My site seems to recover a bit after I installed Bad Behavior, and right now it has logged over 8000 attempts to post spam comments since November 1st! And my site is only a small niche site. :/