With a single-server setup for simplicity, which steps could you do to minimize the attacks of a (D)DoS attack? And is it really worth it taking these steps, considering their effectivity and impact on 'normal' users?
[EDIT] I also meant to include steps which you would need inject into your code to apply, not only IIS setup.
A good point to start it´s having a good firewall that blocks IP when they are doing a lot of petitions per second.
The IIS LockDown Tool can be useful: http://technet.microsoft.com/en-us/library/dd450372(WS.10).aspx