Perhaps this is out of scope for the question, but I’m interested to know how we could expand upon this design for a public API with the specific goal of maintaining system availability during a DDOS attack? Rate limiting on a per-IP level could be insufficient to stop a distributed attack, and rate limiting on a system-wide level could render the system unavailable to well-intentioned users due to the attack load.