You either have an idiot for a client, or a very wealthy and serious one. Don't invest too much time before you determine which it is. Assuming they are serious, check out the Clustra database. Their website is http://www.clustra.com/ and you will see that their database architecture is really designed for the serious client. For what you are talking about Oracle is 'old' technology. Also, Clustra will likely be cheaper than Oracle, and you can download it and use it right now!
Also you might breach the subject of what they mean by 5 nines. Do they want a web service up and 100% useable 99.999% of the time? Can the service tolerate a maintainance mode, (thinking of Ebay)?
Anyway, if the data is what needs to be essentially always available, then the database is what has to work flawlessly, putting a rack full of webserver clones togeather is the easy part.
As far as a DOS attack, I don't see how you can control or plan for all future attacks to the point of a contract guarantee. What you can do is hire a team of network engineers to wait around for the next DDOS and respond quickly (thinking of Yahoo).