To prevent the DDoS attacks you need to kill that bastards, who doing
the DDoS. To stand against DDoS you need to write a fast and scalable
web-applications. Tuning the server to resist the
network/session/http-layer attacks is only a part of success. It does
nothing if your application would produce 100% CPU load on 10 RPS.

Though tornado is a pretty good HTTP server due its async nature, it is
not a good idea to put it on the front. Since it is recommended to put
it behind the other web-server (nginx/lighttpd/cherokee), there are no
tornado-specific requirements to protect against network layer attacks.

btw. Captcha is to protect against spam bots. Not DDoS.

The best way to block network related attack is to use firewall.

Some attacks aren't just targeting HTTP, it can attack ICMP or SYN as well.

http://www.cyberciti.biz/faq/how-do-i-block-an-ip-on-my-linux-server/
http://www.cyberciti.biz/faq/block-entier-country-using-iptables/

- Didip -

As the others told you, Captcha won't cut it for you. You could try DDoS
Deflate, but then you run the risk of cutting some of your legit users out.
See, what Deflate does is monitor requests and blacklists IP's with
"abnormal" (defined by you) request frequency. If you don't need UDP, you
may try and ask your datacenter to block it completely for you. When you're
dealing with SYN Flood with spoofed IP's it's really hard to do on your
own. Cloudflare might save you from minor DDoS but it will not provide real
protection. Depending on how bad the attacks are and how feasible it is for
you, you may want to see what the proxy-shield providers can do for you. My
butt was saved a few times by Vistnet with SLA up to 1 mpps, but then again
I don't know if you need that much protection-wise. Can you give some
metrics here, so we can try and see what's going on with your attacks and
hopefully come up with a more precise answer?