Short answer: Yes. Heroku’s dynos are protected by the fact they each have their own file-system and their own user, etc.

Long answer: Depending on the severity of the (D)DoS attack, there can be a point were the load of requests from a DoS attack will require more resources than are available to heroku’s cloud. You may experience delayed requests and application responsiveness may be reduced. It is important though to understand this ‘lack of performance’ does not indicate a breach of security . Heroku’s, (iirc from a couple convos I’ve had with employees) has a pretty robust routing layer which helps to balance the load and avoid using troubleshome and/or unresponsive dynos (instances of your application), but then again, a truly Distributed Denial of Service attack, with it’s ludicrous amount of load on the server may eventually hit a point where the resources in the cloud are simply not enough.

<speculating>
It is at that point that the providers (Heroku in this case) usually only have the option of trying to isolate the attack, usually done by ‘holding the line’ if you will at the dns-level and (temporarily) rejecting requests to the domain/s under attack. Not to say this is the only way, but one way. Very dependent on the specifics of the attack, which of course as an outsiders, I don’t know.
</speculating>

ref: http://www.heroku.com/how/dynos

I am not an employee or representative of Heroku, just a user– talk to them for more specifics