Is there a way to fight back DDOS attacks with IIS on kernel level?

I am developing a system, a main key of which should be security. So i have to consider the weakest places, where it might be broken. Probably, the first ones are brut force and DDOS attacks. I've read a l开发者_如何学Goot of 'best practices' to fight them, and first thing I want to do is to enable some kind of dynamic IP restriction. I thought that such kind of problem is very popular, and that IIS (I am using IIS 7) would have some built-in functionality of blocking malicious request at kernel level, so it would be much faster than writing my own asp.ent modules, or WCF extensions (I am using WCF service as an extra security layer).

The best thing i found was IIS 7 add-on 'dynamic ip restriction"(http://learn.iis.net/page.aspx/548/using-dynamic-ip-restrictions/?FeaturePage=4FA9C136-25BD-4833-853A-99EAAD0754D2), but there is a very annoying missing part of functionality - I can't set the time of ban of IP address, and I don't even know it. I read on internet that on previous version it was enabled, I wonder why they turned it off in new release...

Anyway, maybe someone knows a good solution for this? I would consider an option of writing my own kernel-level module (I'm not sure if in IIS7 integrated mode asp.net managed modules are IIS kernel modules, and what is their lifecycle), but with a possibility to manage it's settings from IIS manager, just like that 'dynamic IP restriction' add-on, but the best option would be a ready product.