This should be easy to write a detection script for...
http://chaptersinwebsecurity.blogspot.com/2010/11/universal-http-dos-are-you-dead-yet.html
It's a tool that implements the recently discussed slow POST http DoS attack. The client sends a long-ish Content-Length header (maybe even just 1000) and then every 15 seconds or so, sends a byte of data. It takes a long time to send the entire 1000 bytes and the web server will sit there waiting for all of the data so it's very easy to exhaust resources on the server.
.Seth