Indeed, reverse heartbeats involve a minimal workload for the server; however, when many client sessions are expected and the frequency intervals are short, this must be taken into account when evaluating the overall load that can be sustained by the system.
The frequency of reverse heartbeats should therefore be determined at design time and embedded in the client application, without allowing the possibility of configuration in the client application, or in any case limiting the configuration to a range considered reliable.

Therefore, reverse heartbeats are not particularly associated with a possible DDoS attack, which can be executed with any other type of client request.
Typically, the defense mechanisms rely on standard defensive measures that are not directly related to Lightstreamer itself but to network intermediaries placed in front of the Lightstreamer servers. In practice, throttling requests from clients with a frequency above the reasonable limit.
As for the Lightstreamer configuration, the same backpressure we talked about a few posts above can be useful to mitigate this type of situation with peak requests.

Regards,
Giuseppe