I don't want someone keep F5 my site or using some tool to request the page frequently.
That is to say, prevent an Action or the Controller to be invoked frequently by one client.
How can I implement this? Is there any package I can use? just like AntiXSS library.
Most of these features are going to be found in the IIS manager. Something like Dynamic IP Restrictions should help. Read through Microsoft's Best Practices for Preventing DoS/Denial of Service Attacks, this provides a good list of thing to do.
Also according to this video, Cloud Flare is able to prevent these attacks with their free service.