> If this is indeed due to the recent decision to enforce authentication for all API calls, it means the culprit may actually be the API gateway or something similar downstream.

The way I understand it, DDoS is not caused by enforced authentication - enforced authentication is just a temporary measure against DDoS.