There's really nothing new about this sort of depletion attack, and it's easy to launch in dozens of different ways in a line or two of code. (As far as a 'tool' to do it, I think the 'ab' benchmarking utility bundled with Apache suffices.)
In response, you block/throttle origin IPs, and decrease timeouts so zombie connections are dropped more quickly, and increase the capacity to serve or shake-off troublesome connections without locking out legitimate traffic. An inbound reverse proxy, as joshu suggests, often makes this easier -- and keeps such enforcement cruft from complicating the primary server.
Yes, but with concurrency/repetition/keep-alive, you can still tie up essentially all of the connections. (And it's plenty easy to open any number of hanging connections without 'ab', too -- a few lines of shell script, at most.)
In response, you block/throttle origin IPs, and decrease timeouts so zombie connections are dropped more quickly, and increase the capacity to serve or shake-off troublesome connections without locking out legitimate traffic. An inbound reverse proxy, as joshu suggests, often makes this easier -- and keeps such enforcement cruft from complicating the primary server.