Depends on the scope and scale of the attack. If you put a proxy server in front of the actual application server (or a series of proxy servers that were lightweight/cheap to run), technically speaking you could control it. Not an expert either but have relied on mechanisms like that in the past to help with traffic control.