[meowface]

I do network security for a large company, so I'm not talking completely out of my ass when I say you can have alerting in place to at least detect the most obvious behavior. There are also tools and even entirely inline appliances (look at RSA Silvertail) designed specifically to look for automated behavior against a web server.

Someone clever enough will be able to get around it, but it's really not hard to detect automated scanning or scraping behavior, especially if they're not delaying their requests in any way.

Stopping a layer 3/4 DDoS is another matter entirely. They're quite easy to detect but quite hard to mitigate yourself; you need your upstream provider to mitigate it for you.

Also, using Javascript interstitials against layer 7 attacks (like Cloudflare and Incapsula do in their default mode) will stop script kiddies, but they're not hard to get around if you know what you're doing. So you'd either have to, as you say, change the method every few minutes...or just use a captcha.