DDoS has nothing to do with it. DDoS = distributed denial of service: it means someone will trigger a lot of computers to ask for a service on your website, and your server won't be able to handle the load. This will prevent your server from providing the service to "honest" users, and that's why it's called "denial of service".
Preventing DDoS attacks can be tricky. The only way of handling it is not providing a service to certain IPs, or to users with IPs from the areas you're being attacked from.
If you want to protect your site from a brute-force attack (assuming someone wants to hack into a user account) you should:
- Use a good and well-secured login system. That means using a good hashing function and salting the users' passwords.
- Use your second option: record the IP of a user who failed to access his account and don't let him try for 2-3 seconds. If he fails 2-3 more times, block him for 15 minutes; this will be enough time to protect your users' accounts.
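
The per-IP throttling described in the last point, sketched in Python as an added example that is not part of the original answer. The 3-second delay, the lockout on the third failure, the in-memory store and every name here are assumptions picked from the ranges given above.

```python
import time

SHORT_DELAY = 3       # seconds to wait after a failed attempt (answer: 2-3 s)
LOCKOUT = 15 * 60     # seconds blocked after repeated failures (answer: 15 min)
MAX_FAILURES = 3      # assumed: first failure plus 2 more triggers the lockout


class LoginThrottle:
    """Tracks failed logins per client IP in memory (hypothetical helper)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so the logic can be tested
        self._state = {}             # ip -> (failure_count, blocked_until)

    def retry_after(self, ip):
        """Seconds the client must still wait; 0.0 means it may try now."""
        _, blocked_until = self._state.get(ip, (0, 0.0))
        return max(0.0, blocked_until - self._clock())

    def record_failure(self, ip):
        """Count a failure and return the wait it imposes, in seconds."""
        now = self._clock()
        failures, blocked_until = self._state.get(ip, (0, 0.0))
        # Once a full lockout has expired, start counting from zero again.
        if failures >= MAX_FAILURES and now >= blocked_until:
            failures = 0
        failures += 1
        wait = LOCKOUT if failures >= MAX_FAILURES else SHORT_DELAY
        self._state[ip] = (failures, now + wait)
        return wait

    def record_success(self, ip):
        self._state.pop(ip, None)    # a good login clears the counter


def attempt_login(throttle, ip, password_ok):
    """Gate one attempt; password_ok stands in for the real salted-hash check."""
    wait = throttle.retry_after(ip)
    if wait > 0:
        # Refuse before touching the password, so guesses made while
        # blocked tell the client nothing, even if one would be correct.
        return ("blocked", wait)
    if password_ok:
        throttle.record_success(ip)
        return ("ok", 0.0)
    return ("failed", throttle.record_failure(ip))
```

In a real deployment the state would live in a shared store with expiry rather than a process-local dict, so that every web worker sees the same counters.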