I really like this postmortem RCA! The author has done an excellent job walking us through his thought process and explaining the discoveries.
One thing I'd add is putting HAProxy with stick-tables rules in front of the web server (even Apache) as a measure to protect against this form of DDoS attack.
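As an added illustration of the stick-table approach suggested in the comment above (this is example configuration written for this thread, not the commenter's or the site's own config; the port numbers, thresholds and the backend name `apache` are assumptions to adjust for a real deployment):

```haproxy
# Rate limiting with a stick-table keyed on client source IP.
# Example config added for illustration; tune thresholds to your traffic.
frontend web
    bind *:80
    # Track each source IP: connection rate and HTTP request rate over a 10s window.
    # Entries expire 30s after their last update, so the table stays bounded (100k entries).
    stick-table type ip size 100k expire 30s store conn_rate(10s),http_req_rate(10s)

    # Start tracking as early as possible, at TCP accept time.
    tcp-request connection track-sc0 src
    # Drop new connections from any IP opening more than 50 in 10s (before HTTP parsing).
    tcp-request connection reject if { sc_conn_rate(0) gt 50 }

    # Refuse requests from any IP sending more than 200 requests in 10s.
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 200 }

    # Pass the real client address through so Apache logs it instead of HAProxy's IP.
    option forwardfor
    default_backend apache

backend apache
    server app1 127.0.0.1:8080 check
```

The table is keyed on `src`, which is correct when HAProxy is the edge. If HAProxy itself sits behind a CDN or another proxy, every client would share that proxy's address; in that case key the table on the forwarded client header (for example `req.hdr_ip(X-Forwarded-For)`) and only trust it from the upstream proxy. Watch the counters with `echo "show table web" | socat stdio /var/run/haproxy.sock` before tightening thresholds, since a shared NAT address can look like a single abusive client.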
Thanks! It was a very odd thing to have happen to such a small website so I was curious to learn what I could from it. I still want to dig deeper with the compromised hosts and see if there is some way to determine anything identifying about the worm or botnet itself.