I can’t figure out which one it is. Does the service actually still get all the ddos flood and just drop them until a request comes in with the correct PoW level, or does the browser/daemon somehow calculate the PoW and only send the request when its reached. I don’t see how the second one would work because your browser would not know if the service was under attack. But the first option still requires the service to get the request and then spend a little time dropping it instead of serving it.