>>4008
>>4010
the temporary solution I've implemented is a separate .onion for moderators, who are the only people who would ever need to login in the first place.
dos skids want the site unavailable. if they can't have that, wasting *human* time engineering overblown solutions and/or chasing circuits is a good alternative.
since I've gotten involved, I'm also reviewing jschan's code to see if basic form validation can happen/is happening *before* expensive operations are incurred.
the attack stopped roughly three hours after I shut his ass up.