Not really - either you send the ids unencrypted and they're trivial to falsify, or you send them securely, in which case it takes a lot more power to decrypt each request for filtering than it does for the attacker to send each new request.
DDoS protection is surprisingly challenging - usually it's relegated to a CDN provider, but that would be more difficult when the actual consumers are the same people most likely to be hosting botnets.
DDoS protection is surprisingly challenging - usually it's relegated to a CDN provider, but that would be more difficult when the actual consumers are the same people most likely to be hosting botnets.