I had such an attack on my main forum only this month. XF software nor my server was breached, the attack was purely external. Basically, somehow one can make every call from your site, reference another domain, inject that to act basically like how discouraged works, randomly slowing page loads and disrupting the overall community, even triggering users anti-virus alerts trying to load malicious code to their browser by viewing my site, all done externally without breach of my server.
Register a non-common domain, ie. .tv, it doesn't hit whois quickly, have several servers setup and let the games begin... as I blocked one IP block, the script got moved to the next, the next, etc, shutting each block down as it went and reporting the abuse to each server company to take action against the account holder, which they did so.
The end result... you can pay someone a couple hundred bucks to really cause chaos to a forum nowadays, any site actually, whether disgruntled or just to disrupt the competition, all externally... and the only way to protect from it, is to shift to HTTPS.
Lesson learnt this month... once you start making an impact in an area around the globe, things get nastier and nastier.
Its just not worth the hassle to endure blocking further attempts, instead for a $150 you can get SSL from someone like Godaddy, with the green bar, authenticated, for 2 years vs. endure any type of further external assaults. With HTTPS in use, now they have to try and breach the software or the server...
The web is becoming a very competitive area to play...