I had a customer who faced ddos attack on the site and we had a real hard time countering it. The attack made me aware of following:

1) There is no way we can counter an attack as such using nopCommerce feature
2) Even though the server was powerful, the customers kept on getting created and eventually reached to its max limit
3) A particular URL cannot be blocked i.e. https://hissite.com/?die_infidels (yeah. That was the url) and I had no way to kill the request should the URL come.
4) And customer creation happened with IPAddress as blank

I hope to hear from you soon.