Throttling etc. is not a concise solution against a database flood; it merely slows down the impact. It's better to prevent floods by maintaining 'state' information on the client. There are some common techniques; e.g. encoding session status in the URI is a way to avoid the need for cookies.
Should you suffer from re-posting data problems then you can use the session state info to prevent such (e.g. hidden field with sequence number) or look at solutions discussed in this thread or this thread.
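The hidden-field sequence number mentioned above, sketched as an added example that is not part of the original post: the form carries a sequence number bound to the session with an HMAC, and the server accepts each number only once, so a re-posted or replayed form is rejected before it reaches the database. The names `FormGuard`, `SECRET` and the token layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: one server-side key per deployment, never sent to the client.
SECRET = secrets.token_bytes(32)


def _sign(session_id: str, seq: int) -> str:
    """MAC that binds a sequence number to one session."""
    msg = f"{session_id}:{seq}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class FormGuard:
    """Tracks the next sequence number each session is allowed to post."""

    def __init__(self):
        self.next_seq = {}  # session_id -> next expected sequence number

    def render(self, session_id: str) -> str:
        """Value for the hidden form field (or a URI parameter)."""
        seq = self.next_seq.setdefault(session_id, 0)
        return f"{seq}.{_sign(session_id, seq)}"

    def accept(self, session_id: str, token: str) -> bool:
        """True only for the first, untampered post of the current form."""
        try:
            seq_str, mac = token.split(".", 1)
            seq = int(seq_str)
        except ValueError:
            return False  # malformed field
        expected = _sign(session_id, seq)
        # Compare as bytes so non-ASCII input cannot raise TypeError.
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False  # forged, or issued to another session
        if seq != self.next_seq.get(session_id):
            return False  # re-post or stale form
        self.next_seq[session_id] = seq + 1  # consume the number
        return True
```

The only state kept on the server is one integer per session; the rest travels with the client, so the same token works without cookies when it is placed in the URI.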