Preventing DDoS attacks against a Monero service while protecting user privacy

Question

How can I best protect a Monero service (clearnet) from DDoS attacks while at the same time protecting the privacy of users? The Monero service will require that I provide users with the IP address of my full node, so they are able to connect to it.

While of the following measures are generally seen as less intrusive to the privacy of users:

1. Cloudfare with capcha
2. Email address confirmation for upon registration and subsequent login with username and password
3. Blacklisting of IP addresses that have been involved in previous DDoS attacks

Answer 1

All three of the options you mentioned negatively impact user privacy.

1. Cloudfare is often unfriendly to Tor users.
2. Logic requirements mean the collection of data from users
3. IP blocking harms innocent users (whose VPN ip address or Tor exit node usage may be flagged as abusive due to no fault of their own).

One thing you could try is to require none of the above as your baseline and only activate Cloudfare selectively at times of unusually high usage.