[TD-Linux]

Congestion control is required to be enforced at the browser level as an anti-DoS measure. You could just have the browser API limited to 15kbps, but that seems like a silly limitation when the way around it has already been implemented...

[vvanders]

Take a look at Netcode.io, all clients are auth'd with a token and any client that doesn't have the token gets ignored. The token also mandates what IP/hostnames are a valid destination. That way someone trying to DoS just gets their account blacklisted.

Congestion control isn't going to help when a bad actor spoofs your protocol and dump GBs of data on you.