This is not a DDoS attack. Roblox requests are proxied. This is caused by mass cloning RightGrip (weld existing when equipping tools).
This looks somehow like this (R6 presented here - pseudoscript)
local RightGrip = Character["Right Arm"].RightGrip
onRenderStepped:
a = clone RightGrip
a.Parent = Character["Right Arm"]
spawn(function() a.Parent = Workspace end)
end
This will cause a lot of elements to be parented into workspace (and replicated to server). Exploiters make it about 60000 times a second which leads to crash (clients timeout). The objects do not clear after person leaves.
There is a way to prevent it. Track ChildAdded on Workspace then if child name is RightGrip (note they can’t change it), check it’s .Part0.Parent, get player from character, kick and clear up added welds. Works on R15 as well.
DDoSing is completely separate topic. Not related to the issue.