We have thought harder. We know the solution. But you have to trade off privacy for security. It's having every person get a cryptographic key from the government to identify themselves.
Some states are trying this now with porn sites and users are rightfully not having it.
You know a solution, not necessarily the?
What do you have to do to characterize packets sufficiently to shield against DDoS with negligible false-positive significant blocking? (Without needing to associate packets with an identifiable person, nor zero-knowledge proofs of a person, etc.)
It's OK to discard some prior requirements. (For example, it's OK to insert occasional brief latency (not barge-in Web browser JS) to some traffic, if that permits an approach that greatly reduces false-positive blocking. And it's OK to pass some traffic with a suspected single client, but then change your mind later. It's OK to forget about connection abstractions and clients, and look only at stateless packets and the entirety of traffic.)