I doubt that it is an DDoS protection. I guess it's an DoS protection. Unless the tool could see, and find some pattern, it's almost impossible to block it. There are multiple ways like allowing 10 users entering each 30 seconds, checking if user is going and quitting in the matter of seconds, using packet 4000 as a check (if the first income isn't 4000 = disconnect, else it will be trying to parse it all), and lots of other stuff.





