at_server
Improve connection handling - Implement protection against denial of service attacks
Is your feature request related to a problem? Please describe.
If many clients are trying to open connections and the server is at capacity, the existing defensive mechanisms (see #503) help but are not sufficient to prevent denial of service from a determined attacker or badly-behaved client.
Describe the solution you'd like
- 'good' clients should always be able to connect, even if with some added latency when server is at capacity
- 'bad' clients should be banned with exponential backoff akin to the Unix fail2ban package which handles bad ssh clients
- 'good' clients need a way to identify themselves as such as quickly as possible - e.g. by presenting a cookie, which isn't enough to authorize the client, but is sufficient to indicate that this client will authenticate
- the core idea is to disconnect clients as quickly as possible when they are either (1) unauthenticated and exhibiting spammy behaviour like repeatedly calling scan: verb, or (2) unauthenticated and not showing any indication that they will authenticate
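
A sketch of the admission logic requested above, added here as an illustration and not taken from at_server: a per-address ban list whose ban length doubles on each offence, plus an "intent" cookie that lets a client show it will authenticate. The HMAC cookie format, the `Gate` class, and every threshold are assumptions made for the example.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: server-side key for intent cookies
BASE_BAN, MAX_BAN = 2.0, 3600.0   # assumption: seconds; doubles per offence, capped
SCAN_LIMIT, GRACE = 3, 5.0        # assumption: unauthenticated scan budget; seconds to show intent


def make_cookie(client_id: str) -> str:
    """Cookie issued after an earlier successful authentication (hypothetical format)."""
    return hmac.new(SECRET, client_id.encode(), hashlib.sha256).hexdigest()


class Gate:
    def __init__(self):
        self.strikes = {}       # addr -> number of past offences
        self.banned_until = {}  # addr -> time at which the current ban ends

    def admit(self, addr, now):
        """Refuse new connections outright while a ban is active."""
        return now >= self.banned_until.get(addr, 0.0)

    def punish(self, addr, now):
        """Record an offence; the ban doubles each time, up to MAX_BAN."""
        n = self.strikes[addr] = self.strikes.get(addr, 0) + 1
        ban = min(BASE_BAN * 2 ** (n - 1), MAX_BAN)
        self.banned_until[addr] = now + ban
        return ban

    def check(self, addr, now, connected_at, scans,
              cookie=None, client_id=None, authenticated=False):
        """Return 'keep' or 'drop' for an open connection."""
        if authenticated:
            return "keep"
        # The cookie signals intent to authenticate; it grants no access by itself.
        intent = (cookie is not None and client_id is not None and
                  hmac.compare_digest(cookie.encode(),
                                      make_cookie(client_id).encode()))
        spammy = scans > SCAN_LIMIT                          # case (1)
        silent = not intent and now - connected_at > GRACE   # case (2)
        if spammy or silent:
            self.punish(addr, now)
            return "drop"
        return "keep"
```

A client holding a valid cookie is spared the grace-period disconnect but is still dropped and banned if it exceeds the unauthenticated scan budget.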