I'm creating a web page where users can send PMs, receive them, add contacts, respond to add requests, and change the status and state of their Yahoo Messenger account (something like meebo.com or ebuddy.com).
Now, to secure it against DoS attacks and against repeated attempts to log in or send PMs, I have created a table which stores blocked IP addresses.
The web site works with AJAX; if a user tries to log in more than 5 times in a minute, it will block his IP address.
If the user can log in, it will create a session for him, which will be used for sending and receiving PMs and so on.
Now I want to know: if a user is logged in, is it possible for him to DoS the site? Or should I make a timestamp for each AJAX request? (I mean, if he logs in successfully, I will have a record in a table for each request, and the user can't make more than, for example, 10 requests per second.) [I think it will use a lot of RAM and CPU.]
Or is it enough to check that the referrer of the request is from my web site, so that it's not a DoS attack?
Can Apache protect my web site against a DoS attack like that?
(Because I fetched a page with curl from my VPS against my web site (on another server) to load it again and again, and it used up a lot of my processes. I killed it myself; Apache couldn't prevent it. I don't know whether my Apache is configured badly or whether it just can't do it.)
(I'm developing it with the CodeIgniter framework.)
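As an added example (not code from the question above or from the CodeIgniter project), here is the kind of per-IP login limiter and per-session request limiter the question describes, written as a sliding-window counter. The store is a plain PHP array so the script runs stand-alone; in a real deployment you would back it with APCu or Redis instead of a database table, which keeps the per-request cost to a few array operations. The class name, the two thresholds (5 logins per IP per minute, 10 AJAX requests per session per second) and the sample traffic are assumptions made for the illustration. The Referer header is deliberately not consulted: the client sets it, so an attacker can send whatever value the check expects.

```php
<?php
// Added example, not from the question or from CodeIgniter.
// Sliding-window rate limiter keyed by an arbitrary string (client IP for
// login attempts, session ID for authenticated AJAX calls). Memory per key is
// bounded by $limit timestamps, and the Referer header is never used because
// it is attacker-controlled.

final class SlidingWindowLimiter
{
    /** @var array<string, float[]> key => timestamps (unix seconds) inside the window */
    private array $hits = [];

    public function __construct(private int $limit, private float $windowSeconds) {}

    /** Returns true if the request is allowed, false if the key is over the limit. */
    public function allow(string $key, float $now): bool
    {
        $cutoff = $now - $this->windowSeconds;
        // Drop timestamps that have fallen out of the window.
        $this->hits[$key] = array_values(array_filter(
            $this->hits[$key] ?? [],
            fn(float $t) => $t > $cutoff
        ));
        if (count($this->hits[$key]) >= $this->limit) {
            return false;           // over limit: caller should answer HTTP 429
        }
        $this->hits[$key][] = $now; // only allowed requests count toward the window
        return true;
    }
}

// Assumed thresholds: 5 login attempts per source IP per minute,
// 10 AJAX requests per authenticated session per second.
$loginLimiter = new SlidingWindowLimiter(5, 60.0);
$ajaxLimiter  = new SlidingWindowLimiter(10, 1.0);

// Constructed sample traffic: [timestamp, kind, key].
$events = [];
for ($i = 0; $i < 6; $i++) {
    $events[] = [1000.0 + $i, 'login', '203.0.113.7'];   // 6 attempts in 6 s: 6th is blocked
}
$events[] = [1061.0, 'login', '203.0.113.7'];           // oldest attempts aged out: allowed again
for ($i = 0; $i < 12; $i++) {
    $events[] = [2000.0 + $i * 0.05, 'ajax', 'sess-abc']; // 12 calls in 0.55 s: 11th and 12th blocked
}

foreach ($events as [$t, $kind, $key]) {
    $limiter = $kind === 'login' ? $loginLimiter : $ajaxLimiter;
    $ok = $limiter->allow($key, $t);
    printf("%8.2f %-5s %-12s %s\n", $t, $kind, $key, $ok ? 'allow' : 'BLOCK (HTTP 429)');
}
```

Two caveats a practitioner would keep in mind: blocking by source IP also blocks every legitimate user behind the same NAT or proxy, and an attacker who rotates IPs or opens many sessions is not slowed by per-key limits at all, which is why a global threshold enforced at the web server or firewall is still needed in front of this.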
I don't think you should put this logic in your application. Decide on a threshold that no user (logged in or not) should exceed, and implement the protection lower in the stack. Some possibilities include: