We consider the joint design of control and scheduling under stochastic Denial-of-Service (DoS) attacks in the context of networked control systems. A sensor takes measurements of the system output and forwards its dynamic state estimates to a remote controller over a packet-dropping link. The controller determines the optimal control law for the process using the estimates it receives. An attacker aims at degrading the control performance by increasing the packet-dropout rate with a DoS attack towards the sensor-controller channel. Assume both the controller and the attacker are rational in a game-theoretic sense. We establish a partially observable stochastic game to derive the optimal joint design of scheduling and control. Using dynamic programming we prove that the control and scheduling policies can be designed separately without sacrificing optimality, making the problem equivalent to a complete information game. We employ Nash Q-learning to solve the problem and prove that the solution is guaranteed to constitute an $\epsilon$-Nash equilibrium. Numerical examples are provided to illustrate the tradeoffs between control performance and communication cost.