DDoS Protection
SKEPTIC, 2019-12-19 22:20:10

How to protect the site from an SMS request attack?

You could say the site is being DDoSed. Registration is confirmed by phone number. So, attackers endlessly request SMS. Our balance on the SMS sending gateways has run out. Requests come from different IPs and user agents.
How to protect yourself from such an attack? How are other sites protected?

6 answer(s)
xmoonlight, 2019-12-19
@pro100chel

1. After the email is confirmed, EVERY! request to receive an SMS goes through a new captcha challenge.
2. The interval between allowed SMS requests is 5, 10, 15, 30, 60 minutes, and then the account is blocked.
A simple and free replacement for CloudFlare against most types of attacks: here.

Ask the user to send a message to our virtual number with the code that was displayed on the screen. This is the main way to fight.
A fight against conversion, on which one's own effort and money are spent. Competitors will say: "THANK YOU SO MUCH!"
Damn! I'd rather authorize / verify accounts through social networks: through Google, for example!
PS:------------
I want to open my own DDoS protection service
TOALL: if anyone is ready to help the author of the question - Welcome!
DDoS protection recaptcha v2?
How to make the most fault-tolerant web application (website, database) without BGP?
Your own DDoS protection service?
How does dudos protection work?
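
The captcha-per-request rule and the 5/10/15/30/60-minute schedule from the answer above, sketched as an added example (not code from the answer or from any site discussed here). The class and method names are hypothetical, and state is held in memory for illustration. Keying on the account rather than the IP matters because the question states that requests arrive from different IPs and user agents.

```python
import time

# Cooldown schedule from the answer above, in minutes. After the last step
# the account is blocked, so one account can trigger at most 6 paid SMS.
COOLDOWNS_MIN = (5, 10, 15, 30, 60)


class SmsThrottle:
    """Gate in front of the SMS gateway, keyed by account, not by IP.

    Hypothetical in-memory sketch: a real deployment would keep this state
    in a shared store so every web worker sees the same counters.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the schedule can be tested
        self._state = {}             # account_id -> (sends, next_allowed_ts)
        self._blocked = set()

    def request_sms(self, account_id, captcha_ok):
        """Return (allowed, reason, retry_after_seconds)."""
        if account_id in self._blocked:
            return False, "blocked", 0
        if not captcha_ok:           # a fresh captcha is required every time
            return False, "captcha", 0
        now = self._clock()
        sends, next_allowed = self._state.get(account_id, (0, 0.0))
        if now < next_allowed:
            return False, "cooldown", int(next_allowed - now)
        sends += 1
        if sends > len(COOLDOWNS_MIN):
            self._blocked.add(account_id)   # schedule exhausted: last SMS
            self._state.pop(account_id, None)
        else:
            wait = COOLDOWNS_MIN[sends - 1] * 60
            self._state[account_id] = (sends, now + wait)
        return True, "sent", 0

    def confirmed(self, account_id):
        """Phone verified: forget the counters for this account."""
        self._state.pop(account_id, None)
```

Call the SMS gateway only when `request_sms` returns `allowed=True`; rejected requests cost nothing and are worth logging per account.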

#yamynginx, 2019-12-19
@muxui

The easiest thing is to connect CloudFlare and enable aggressive mode.
CF checks if the user is a bot.

Andrew, 2019-12-20
@deepblack

Enough options have already been offered, but as another option: call the user's phone number (naturally, the pool of numbers should be sufficient), hang up after a few seconds, and ask the user to enter the last four digits of the calling number.
Naturally, with a captcha and an increasing delay between calls.

paran0id, 2019-12-19
@paran0id

Is the captcha worth it?

Alexander, 2019-12-19
@Captain

Are the numbers real? When sending SMS, are they checked for existence by your gateway?
Well, as an option, change the strategy from "we will send you an SMS" to "send an SMS to our number", then we will register it.

Kirill Gorelov, 2019-12-20
@Kirill-Gorelov

Or maybe go the other way?
Set up two-factor authentication? And you can opt out of SMS.
