Not exactly sure if that's what you recommend. But connection termination is not necessarily a good thing for DDoS mitigation. The reason is that the client might just retry immediately - and it will do that using a new TLS connection. And the handshake for that connection has a huge cost. If you plan on disconnecting clients *after* a TLS connection has been established, you will also need to implement TLS handshake rate and connection limiting. That's possible, but I've only seen a tiny number of services ever implementing it.
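The handshake rate and connection limiting mentioned in the comment above, sketched as an added example that is not part of the original comment: a per-IP token bucket plus a concurrent-connection cap, consulted after `accept()` but before any TLS work, so an immediate retry after a forced disconnect is dropped without paying for a handshake. The `HandshakeGate` name, its parameters and the sample address are assumptions made for illustration.

```python
import time
from collections import defaultdict

class HandshakeGate:
    """Decide, before any TLS work is done, whether a new TCP connection
    from `ip` may proceed to the handshake (hypothetical helper)."""

    def __init__(self, rate=2.0, burst=5, max_conns=10, clock=time.monotonic):
        self.rate = rate            # handshakes refilled per second, per IP
        self.burst = burst          # bucket capacity (allowed burst)
        self.max_conns = max_conns  # concurrent connections per IP
        self.clock = clock
        self.buckets = {}           # ip -> (tokens, last_refill_time)
        self.open_conns = defaultdict(int)

    def admit(self, ip):
        now = self.clock()
        tokens, last = self.buckets.get(ip, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if self.open_conns[ip] >= self.max_conns or tokens < 1.0:
            self.buckets[ip] = (tokens, now)
            return False            # drop the socket; no handshake cost paid
        self.buckets[ip] = (tokens - 1.0, now)
        self.open_conns[ip] += 1
        return True

    def closed(self, ip):
        """Call when a connection ends, including server-side termination."""
        if self.open_conns[ip] > 0:
            self.open_conns[ip] -= 1


def simulate_retry_storm(attempts=50, interval=0.01):
    """Constructed scenario: the server terminates every connection and the
    client reconnects `interval` seconds later. Returns handshakes performed."""
    t = [0.0]                           # fake clock, so the run is deterministic
    gate = HandshakeGate(rate=2.0, burst=5, max_conns=10, clock=lambda: t[0])
    handshakes = 0
    for _ in range(attempts):
        if gate.admit("203.0.113.7"):   # documentation-range address
            handshakes += 1             # the expensive handshake would run here
            gate.closed("203.0.113.7")  # server disconnects the client again
        t[0] += interval
    return handshakes
```

Without the gate, each of the 50 reconnects in the simulated half second would trigger a full handshake; with it, only the initial burst does.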