@cek To the best of my knowledge, everything you just said applies to traditional DDOS attacks too. You can't tell if they're malicious either, but once they go over the limit, you cut them off anyway to play defense. Why does that not apply here?