I'm not very familiar with DDoS protection strategies. Can you please elaborate on what is meant in (c) by "make resource consuming responses require resource consuming requests"?
Make people login before doing a search is a common example for forums. Search is hard, unauthenticated search will bring low end forums down, so they make you create an account and login.
