Is it possible to distinguish from "good" http requests and DoS attacks?

How could I know that a lot of r开发者_开发技巧equests in a short period of time come from a DoS attack and not from normal browser requests?

That depends on the attack, you can count r/s per IP to get an idea which clients are behaving more aggression. If you have access_log enabled, a quick data aggregation of IP->Requested Content will catch your typical denial of HTTP service attack when rogue hosts reload a single page.

no , you can only mitigate/block the potential effect of the attack pressing F5 repeatedly is ddos