Oh I see what you’re asking.
We have a bunch of network level DDoS protection in place. Our general feeling is that app level DDoS protection that involves capchtas kind of sucks, and most apps just need some of what nginx offers (if they need anything at all).
That said, our policy is to not charge for usage resulting from an attack. You can limit how much your app scales as well, but we’ll wave charges if things go bonkers even without that.