guruvan, gllen, thanks for your feedback!
Presuming you are able to offer this service because you have those 100 BTC on reserve at Mt. Gox, does that make this service vulnerable to a denial of service attack?
Yeah, the buffer size should be a few times of the max transfers size and should grow when more users are transferring funds simultaneously.
I would bet that after you get a few fake anonymous requests made for 100 BTC each that at some point your reserves are gone and you can't offer this service until those requests time out due to no payment sent.
You can create 3 transactions with 'waiting for deposit' status from one IP per 24hrs. After that it won't allow you to request new transfer.
But even if someone writes a bot to use proxy servers to get around IP limit, the buffer does not get reserved until there is a change of status to 'waiting for confirmation' on the requested transaction, which takes about a minute in on average in a normal case.
In other words, funds are reserved when 0 conf tx is detected.