The Anthko idea:
Wouldn’t it be easier to use heuristic DDoS protection with a rule similar to the following during a traffic spike:
1. Have we seen this IP use this service/site in the past 120 days?
   - No: redirect to the captcha server. Block all subsequent requests from the IP during the captcha process. If the captcha is not completed correctly within 30 seconds, add a rule to block the IP at the gateway for 24 hours.
   - Yes: go to step 2.
2. Has this IP tried to connect more than 10 times in 2 minutes?
   - 2a. Yes: redirect to the captcha server. Block all subsequent requests from the IP during the captcha process. If the captcha is not completed correctly within 30 seconds, add a rule to block the IP at the gateway for 24 hours.
   - 2b. No: permit the connection.
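The rule above as a runnable decision model, added here as an example and not part of the original post. It keeps the per-IP state in memory (a real deployment would hold it in the gateway or CDN), uses the post's thresholds, and counts step 2 with a sliding two-minute window; the `HeuristicFilter` class and its method names are assumptions.

```python
from collections import deque

# Thresholds taken from the rule in the post (all in seconds)
SEEN_WINDOW = 120 * 24 * 3600   # "in the past 120 days"
BURST_LIMIT = 10                # "more than 10 times"
BURST_WINDOW = 120              # "in 2 minutes"
CAPTCHA_TIMEOUT = 30            # "completed correctly in 30 seconds"
BLOCK_DURATION = 24 * 3600      # "block the IP at the gateway for 24 hours"

class HeuristicFilter:
    """In-memory model of the rule (assumed name); a gateway would persist this state."""
    def __init__(self):
        self.last_seen = {}        # ip -> timestamp of last permitted or captcha-verified request
        self.recent = {}           # ip -> deque of request timestamps inside the 2-minute window
        self.captcha_started = {}  # ip -> timestamp the captcha challenge was issued
        self.blocked_until = {}    # ip -> timestamp the 24-hour gateway block expires

    def decide(self, ip, now):
        """Return 'permit', 'captcha', 'drop' (request during a pending captcha) or 'block'."""
        if self.blocked_until.get(ip, 0) > now:
            return "block"
        started = self.captcha_started.get(ip)
        if started is not None:
            if now - started > CAPTCHA_TIMEOUT:       # captcha not completed in time
                return self.captcha_result(ip, now, solved=False)
            return "drop"                             # block all requests during the captcha process
        last = self.last_seen.get(ip)
        if last is None or now - last > SEEN_WINDOW:  # step 1: IP not seen in 120 days
            self.captcha_started[ip] = now
            return "captcha"
        window = self.recent.setdefault(ip, deque())  # step 2: known IP, sliding-window count
        window.append(now)
        while now - window[0] > BURST_WINDOW:         # drop timestamps older than 2 minutes
            window.popleft()
        if len(window) > BURST_LIMIT:                 # 2a: more than 10 connects in 2 minutes
            self.captcha_started[ip] = now
            return "captcha"
        self.last_seen[ip] = now                      # 2b: permit and refresh "seen" timestamp
        return "permit"

    def captcha_result(self, ip, now, solved):
        """Record the captcha outcome; returns the state the IP is now in."""
        started = self.captcha_started.pop(ip, None)
        if started is None:
            return "permit"
        if solved and now - started <= CAPTCHA_TIMEOUT:
            self.last_seen[ip] = now       # IP now counts as seen for the next 120 days
            self.recent.pop(ip, None)      # reset the burst counter after a solved challenge
            return "permit"
        self.blocked_until[ip] = now + BLOCK_DURATION
        return "block"
```

Note that shared egress (NAT, carrier-grade NAT, corporate proxies) means one IP can carry many users, so the 24-hour block in 2a can lock out a whole site behind one address; a practitioner would usually log the block decision and review it before applying it at the gateway.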