DDoS Attack Log Analysis Question

Jim Ohlstein jim at ohlste.in
Sat Oct 10 03:40:57 MSD 2009


The nginx forum had a DDoS attack which took the site down this morning.
In approximately 23 seconds there were just under 900,000 lines in the
error log that looked like:

2009/10/09 10:21:38 [alert] 32576#0: accept() failed (24: Too many open files)

First question is do each of these entries represent an attempted 
connection?


Looking at the access log there were thousands of requests for the same 
page from roughly 400 IP's in that same 23 second span like this:

58.53.85.229 - - [09/Oct/2009:10:21:38 -0400] "GET /list.php?2,page=1 HTTP/1.1" 500 553 "http://forum.nginx.org" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)"
60.177.29.231 - - [09/Oct/2009:10:21:38 -0400] "GET /list.php?2,page=1 HTTP/1.1" 500 553 "http://forum.nginx.org" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)"
125.91.207.11 - - [09/Oct/2009:10:21:38 -0400] "GET /list.php?2,page=1 HTTP/1.1" 500 553 "http://forum.nginx.org" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)"
125.119.65.194 - - [09/Oct/2009:10:21:38 -0400] "GET /list.php?2,page=1 HTTP/1.1" 500 553 "http://forum.nginx.org" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)"


All of the IP's that I checked were legitimate IP's that localize to 
various regions in China.

I have set up limit_zone and limit_conn directives to hopefully mitigate 
this in the future.

Second question is where to set limit_conn and what are the effects on 
users if set low? The site generally responds quickly, at least here in 
the US, and I don't want it to be especially sluggish for people using 
less fast connections in other parts of the world, but of course I want 
to reduce the chances of this happening again. Bear in mind this is a 
low traffic site (16K visits in the last month) on a small VPS.

Any advice would be appreciated.

-- 
Jim Ohlstein
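An added example, not part of the original post, that does the kind of access-log triage described above: it parses nginx combined-format lines like the ones quoted, groups requests by second, and reports request count, distinct client count and the most-requested path for every second that crosses a threshold, plus the busiest client addresses. The sample lines are constructed (RFC 5737 test addresses); only their format matches the quoted entries.

```python
import re
from collections import Counter, defaultdict

# Regex for nginx's "combined" log format, as in the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize_by_second(lines, threshold):
    """Group requests by their timestamp (second resolution) and flag bursts.

    Returns [(timestamp, requests, distinct_ips, top_path), ...] for every
    second whose request count reaches `threshold`. Timestamps are compared
    as strings, which orders correctly within a single day of log data.
    """
    per_sec = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_sec[rec["ts"]].append(rec)
    report = []
    for ts in sorted(per_sec):
        recs = per_sec[ts]
        if len(recs) >= threshold:
            ips = {r["ip"] for r in recs}
            top_path = Counter(r["path"] for r in recs).most_common(1)[0][0]
            report.append((ts, len(recs), len(ips), top_path))
    return report

def top_clients(lines, n):
    """Return the n client addresses with the most requests, as (ip, count) pairs."""
    recs = (parse_line(l) for l in lines)
    return Counter(r["ip"] for r in recs if r).most_common(n)

# Constructed sample: one ordinary request, then three clients hitting the
# same forum page in the same second (one of them twice).
SAMPLE = [
    '192.0.2.1 - - [09/Oct/2009:10:21:37 -0400] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Oct/2009:10:21:38 -0400] "GET /list.php?2,page=1 HTTP/1.1" 500 553 "http://forum.example" "Mozilla/4.0"',
    '192.0.2.11 - - [09/Oct/2009:10:21:38 -0400] "GET /list.php?2,page=1 HTTP/1.1" 500 553 "http://forum.example" "Mozilla/4.0"',
    '192.0.2.12 - - [09/Oct/2009:10:21:38 -0400] "GET /list.php?2,page=1 HTTP/1.1" 500 553 "http://forum.example" "Mozilla/4.0"',
    '192.0.2.10 - - [09/Oct/2009:10:21:38 -0400] "GET /list.php?2,page=1 HTTP/1.1" 500 553 "http://forum.example" "Mozilla/4.0"',
]
```

Run against a real access log with `summarize_by_second(open("access.log"), 100)` to see which seconds carried the burst and how many distinct addresses took part.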