by rini17 3394 days ago
I would welcome it if this incident shone light on possible Cloudflare alternatives. For example, it should be technically doable for a DDoS protection service to only initially verify that the user is not a bot, and then merely tunnel unchanged SSL traffic directly between server and client. Does anyone do this?
1 comments

Another model which might work - don't take over customer DNS, issue ephemeral tokens (say 30 mins) for each IP classifying risk. Then the client site determines whether to drop connections, no tunnelling required.
You still need to make a connection to drop it. You can DDoS just by making a lot of connections.
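
The ephemeral-token model discussed in this thread, sketched as an added example (not code from any commenter or from a real service): a scoring service signs a per-IP risk class with a 30-minute expiry, and the customer site verifies it and decides whether to drop. The HMAC-SHA256 construction, the shared key, the token layout and all function names are assumptions made for illustration. As the reply points out, this check can only run once the site has already accepted the connection.

```python
import hashlib
import hmac
import time

# Assumption: a key shared between the scoring service and the customer site.
SHARED_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL = 30 * 60  # the "say 30 mins" lifetime from the comment
RISK_LEVELS = ("low", "medium", "high")


def _tag(payload):
    return hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(ip, risk, now=None):
    """Scoring-service side: bind a risk class and an expiry to one client IP."""
    if risk not in RISK_LEVELS:
        raise ValueError("unknown risk level")
    issued = int(time.time() if now is None else now)
    payload = f"{ip}|{risk}|{issued + TOKEN_TTL}"
    return f"{payload}|{_tag(payload)}"


def check_token(token, peer_ip, now=None):
    """Customer-site side: return the risk class, or None if the token is unusable."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    ip, risk, expires, tag = parts
    expected = _tag(f"{ip}|{risk}|{expires}")
    # Constant-time comparison; fields are trusted only after this passes.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    if ip != peer_ip:  # token replayed from a different address
        return None
    current = int(time.time() if now is None else now)
    if current >= int(expires):  # past the 30-minute window
        return None
    return risk


def should_drop(token, peer_ip, now=None):
    """Hypothetical site policy: drop on a missing/invalid token or a high risk class."""
    risk = check_token(token, peer_ip, now) if token else None
    return risk is None or risk == "high"
```
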