My apologies if this has already been covered in another thread, or if this is something Mangos already does.
Assuming that the logon and realm servers are kept on separate locations, then perhaps having the logon server behave as a reverse proxy for the realm servers would mitigate most of the effects of a DDoS attack. At least it would allow the realm server's IP address to be kept hidden from script kiddies. Also, it would be easier to minimize downtime and allow for a more robust contingency plan.
Downsides would be latency and a heftier load on the logon server