Heh. It's been a day of head-slappers. In my testing of the filter I put in for the Apache config, my own IP was added to the access log. I used the access log to generate the list of IPs to disallow. Suddenly, my own IP couldn't reach my own server.
It took me a few minutes, but I realized my error and corrected the firewall rule. Fortunately for me I have additional IPs, including IPv6, and physical access, so it was not likely that I'd actually be locked out for long.
The good news is that the DOS, at least as filtered with a lot of firewall rules, has withered to a few hits per minute. Either the attack is off, or I've blocked enough IPs to make it futile. Big thumbs up for firewalls!