You would use a CDN (such as cloudfare) to make the site available from several points on the internet - thus using the underlying T1 internet infrastructure to mitigate this problem. This would mean that only nation-wide ddos attacks would be succesful, as anything less just means an increase in ping (of the lobby). A cdn also includes often processes to notice attacks, and then mitigate it by temporary banning ips higher upstream.
As a private person, getting a cdn is.. Non trivial, it's both not cheap, as well as hard to get. A cdn often needs a verification of ownership of hte IP address, so you would need to find someone who trusts you enough even though the owner is an ISP and the ISP might change at will.
What would happen is that you have a central server everyone knows - but that is protected and identity is guaranteed by something like cloudfare. All communication in the lobby happens through the main server, so no one can see each other. Writing such a lobby shouldn't be too much of a task, a simple built in browser and some javascript I have made similar applications and that would take me like 2-3 months fulltime.
Then upon agreeing to a game, your lobby process would either disconnect (or not not really relevant). And the people who agree to start a server a server are given the host's ip address, while the host is (because the players connect to him) the players address. And they have a "private" game that is hidden from the lobby. This part, I have no idea how long it would take to implement I've not looked into 0ad code nor am I versed enough with c++ to say anything. (Been 10+ years since I touched c++)
That way for an attacker to actually do a ddos on a game, he's have to join the game (either as spectator or player). This makes it much harder to automate, as well as give a layer where we can "find" the ddos. If you would still get ddos one of the players must be the attacker - or be infected by a worm from the the attacker or something. This could then be reported back to the lobby host who can analyze the data and find the actual attackers.
Similarly other defense mechanism could be added, like adding newest recaptcha to the lobby site to enable the power of google to find automated bots.
Making a dedicated lobby is the *only* step towards a solution that can be taken. (Further steps are playing the whole game on the server and not having p2p gaming at all - like modern games do).