I thought that until my sites behind AWS' CloudFront were repeatedly DDoSed and I saw my bill.
AWS did let me report these DDoSes and they would reimburse me, but it felt wayyy too precarious and I ended up switching to Cloudflare (free).
And I think that should worry us all.
Also, only the most trivial sites can be 100% cached. And those are the sites that need reCAPTCHA the least (or need a server to get a challenge from). Abuse is not a simple issue to solve.