This isnt really a vulnerability as such. This is done via cookie as it applies to guests as well as members, and there has to be some way in which to keep track of when someone has searched. So its done via a cookie. No matter what we used to track that, it could have course be removed.
DDOS style attacks are really something that should be dealt with at a server level, rather than at a software level. Refreshing a page over and over, creating members over and over etc, would all have a similar impact to this.
The setting is intended as an additional layer in a stack of DDOS mitigations, but is not intended as a catch all.