I guess I have to ask, since I'm curious: I'm going to guess a big chunk of your miners come from the same IPs, right? So, like, I'm sending you ~20GH/s from IP X.X.X.X. And BobTheMonkey is sending you 20GH/s from X.X.X.X, day in, day out. The log has to show that same traffic pretty constantly.

I have no idea what is required to prevent a DDOS, and I'm not about to claim I do. But in a fairly "small" operation like this (and, realistically, it is pretty small; you're looking at, what, ~550 or so clients connected?), couldn't you just whitelist all the "known" (or at least, say, the "big" known) IP addresses, and block everything else?

I'm assuming of course that only the pool.abcpool.co address is needed to allow mining, and the DDOS attack isn't screwing up something else on the back end.

I'm sure, 100% guaranteed, that my logic is wrong somewhere, but in a purely binary world, I assumed you could just block all traffic to that address except your "known" good miners (such as me, the most attractive member in the world).