Second, I totally agree about the vulnerability of Crypti in its current form to DDoS attacks. As I have discussed before, one solution is to split Top Delegate communications with Lite clients and their communications with each other onto separate IP addresses. Top Delegates should have their own darknet where only they know the IP addresses being used for communications to forge new blocks.
Mal, I actually addressed this in some of the proposals I had for our 2.0 network when we started looking into re-working it. The problem with setting up tunnels between the delegates is that it then becomes much more difficult to hot swap in standby delegates when an active delegate gets dropped. Not impossible, mind you, just more difficult. That being said, to DDoS effectively 101 cloud servers with proper DDoS protection through Cloudflare or otherwise would be almost impossible. That's not to say all delegates will have proper security, and right now I imagine many have rudimentary measures. Even then, I challenge anyone to try it and show us how vulnerable we are in the current state. I will offer some form of bounty (and I'm sure others would chip in) to anyone who can take down the network and prove they did it, or find a vulnerability.