@crunklord420 @Saxophone3784 >The semi-decentralized layer-7 anti-DDoS stuff doesn't work for protocols like the fediverse.
I thought about it, and it might work if you don't put the JS challenge page on ActivityPub endpoints needed for federation, but this'll probably require some middleware filtering in order to distinguish legitimate requests from forged.
1. Actors (user profiles), objects (posts) and webfinger could be aggresively cached and served statically, since their size rarely ever gets larger than the JS blob needed for PoW challenge. I do it myself to speed things up since my instance is proxied from my home in Russia to the VPS in America.
2. Inbox endpoints that are used for receiving posts from subscriptions pretty much only receive POST requests with activity json and signature header required to check whether the activity is legit. This part is rather hard, and I don't know how exactly can one handle it; I guess you could either start with IP whitelists for legitimate instances that fully federate with KFcc, or build a middleware with separate cache/database of actors public keys (maybe pulled from live database from instance itself) to check signatures against. I doubt resource constraints for checking the key are any larger than for establishing an SSL connection to begin with.
3. MastoAPI, frontend and everything else could be just left behind the challenge. This will break third-party apps like mobile clients, but maybe you could use similar approach to IP whitelist but with oauth tokens instead.
4. As for outbound requests, you can just route them through a bunch of disposable round-robin proxies.