I had a customer who faced ddos attack on the site and we had a real hard time countering it. The attack made me aware of following:
1) There is no way we can counter an attack as such using nopCommerce feature
2) Even though the server was powerful, the customers kept on getting created and eventually reached to its max limit
3) A particular URL cannot be blocked i.e. https://hissite.com/?die_infidels (yeah. That was the url) and I had no way to kill the request should the URL come.
4) And customer creation happened with IPAddress as blank
I hope to hear from you soon.
What version are you using ?
One question is do you think that these issues should have been stopped by the nopCommerce application or should it really be the job of the server, operating system, network and other systems to stop these types of attacks before it gets to the application ?
Were you not able to identity the remote IP and block it some other way ?
The IP blocking functionality used to be in older versions of nopCommerce and there was previously plugins that would help but it was a real pain to manage as IP address keep changing and no real hacker keeps the same IP or web address for long.
These days security of your server and applications is a whole other discipline requiring the lastest server updates and specialist server software and solutions.
You could also consider using a reverse proxy service such Cloudflare. It would never solve all of your problems, but it can reduce some of the more common attack vectors.
what you need is a Web Application Firewall, like Cloudflare is offering. It's also offered by Stackpath as we used it for one client some time back. There you can also create complex rules depending on your requirements.